MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c568167ff79c394d7e48f3f97da32d5540aa796257c4866d7fc06190a95b6c39. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	c568167ff79c394d7e48f3f97da32d5540aa796257c4866d7fc06190a95b6c39
SHA3-384 hash:	039062f2663b29bb48809575f333adeea869ca4ae4502a052a652d5b9b69d823a7a764f9c15bff22a40db835fbac8d79
SHA1 hash:	655404519bc519125e77a0353e78b6baf263f759
MD5 hash:	a3a9e494f718f266a98cc556aaaa8f81
humanhash:	tennessee-nevada-michigan-utah
File name:	PO - TTCO_01874.rar
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	271'642 bytes
First seen:	2020-08-19 06:43:29 UTC
Last seen:	Never
File type:	rar
MIME type:	application/x-rar
ssdeep	6144:gGnl/Hc0I7jXqV9kE8/YgxkJz8PXZ96jLf3tscLgGmmX+Ruwe:gGnlUP7mk3YgLKO/Y
TLSH	4344225F2A69A7EF79D3DEBC610C5B4D0C41A3DAA301C4DBAD20CC293351ED86585E8B
Reporter	abuse_ch
Tags:	Hostwinds rar RAT RemcosRAT

abuse_ch

Malspam distributing RemcosRAT:

HELO: hwsrv-762625.hostwindsdns.com
Sending IP: 104.168.242.71
From: Tim Morello <info@oudshoorn-hydraulics.nl>
Subject: PURCHASE ORDER - TTCO_01874
Attachment: PO - TTCO_01874.rar (contains "PO - TTCO_01874.pdf.exe")

RemcosRAT C2:
saocris.ddns.net