MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6f0c8a174b516c26adcb179c3c902e2669a3843ad14e32cbd60958ad8604e7c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a6f0c8a174b516c26adcb179c3c902e2669a3843ad14e32cbd60958ad8604e7c
SHA3-384 hash: 703dd80b35f65b3aa6682631a5c935f9c922d06fe6906a3d2bd6374f844fbeaee0521ace412b640dd2044c37f6b82920
SHA1 hash: 309448caecae23254f3d5f498147c9713f2b13c3
MD5 hash: ab52fd0926bf20e004a99d9417604ee3
humanhash: colorado-mountain-washington-fix
File name:Order confirmation 556732115,rar.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:978'944 bytes
First seen:2020-05-20 08:45:27 UTC
Last seen:2020-05-20 09:48:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4607f28103cd21942f0cdd09b7a3d4f8 (3 x RemcosRAT)
ssdeep 24576:8KTBS07b0q/bC23zgs4tYj+RF4iXpONR08:8KY+e23MsIoq4fRX
Threatray 852 similar samples on MalwareBazaar
TLSH 18258E22F2D19433C223297CDD1B97A4AC2ABE513E546C467BE85D4C9F3E392343A197
Reporter abuse_ch
Tags:exe nVpn RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

From: "B.E.C. CO.,LTD." <ADMIN@BECGROUP.CO.TH>
Subject: Order confirmation
Attachment: Order confirmation 556732115,rar.rar (contains "Order confirmation 556732115,rar.exe")

RemcosRAT C2:
newlogs.ddns.net:1010 (185.165.153.17)

Pointing to nVpn:

% Information related to '185.165.153.0 - 185.165.153.255'

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacy-matters.co'

inetnum: 185.165.153.0 - 185.165.153.255
netname: PRIVACY_MATTERS
remarks: This prefix belongs to a VPN service provider.
remarks: For us the privacy of our customers matters, which means we store no logs
remarks: related to any IP addresses.
remarks: Spamhaus, please note that blacklisting the clean prefixes of our hosting
remarks: partners and upstream providers is an act of coercion and will no longer
remarks: be tolerated.
remarks: Coercion is punishable by a custodial sentence or by a monetary penalty.
remarks: If you continue such practice we will not only take legal actions against
remarks: your organization, but also make such blackmailing attempts public in the
remarks: media.
country: AT
admin-c: PMVS3-RIPE
tech-c: PMVS3-RIPE
org: ORG-PMVS1-RIPE
status: ASSIGNED PA
mnt-by: PM-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2019-10-18T13:31:16Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-05-20 03:00:31 UTC
File Type:
PE (Exe)
Extracted files:
99
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=u3ymriluwulme2w4wf44hsic4jtjuocdvukoglf5mckyvwdajz6a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0f307822855aabba644e0f79751eeb5f26e0575ae5ade7c6507c6d1ea7a64725
RemcosRAT
18aae95253ffa453609ef3e1150cf9c2b167a1b1c59ae1270e279f8d5e070c27
RemcosRAT
3b13ea61e91a0312f8c187096e435168cee2d2277c46373d01899497345bd0e9
RemcosRAT
5e499f9a72195ce2d1d2e0ca6dffbacc880ae5bc0847ea03e65060c993e35146
RemcosRAT
667d35d2cff2979ca84df0afe1eca6c164e1d919b989e16b97166c7a30c77a87
RemcosRAT
93c327b46d6354a91a9b20311a2f1e1873e132765816ec26443eb1971ccd2946
RemcosRAT
9dbdec587ca0c7713c3b5bb6e95803937226529b3b4515df219a8860cecfe76d
RemcosRAT
b8a03fd14b3a3695af8b6c781eb946214a98986279678c6b2a477f22ba1ac3cf
RemcosRAT
c0a656a2f73c254ed2f1e73630083849890b7c1e36161e89fe29d2fd014f9fff
RemcosRAT
f9441d3651d67748ec1a2fd325ea1aa9d914208c7fae0853e5b769e52e66ccb8
RemcosRAT
+ 842 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-asskvqylke/
Behaviour
Script User-Agent
Legitimate hosting services abused for malware hosting/C2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

rar 98148803208151d300954f153ccc51943d931cde2dd44a15aa30cd03cbcf1ba6

RemcosRAT

Executable exe a6f0c8a174b516c26adcb179c3c902e2669a3843ad14e32cbd60958ad8604e7c

(this sample)

  
Dropped by
MD5 d50f5e446b158dec4b01fbb2974aa7cb
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 98148803208151d300954f153ccc51943d931cde2dd44a15aa30cd03cbcf1ba6

Comments