MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca9407f16e0a0e23c67f2bdbb621e8bec571fc55871e5a03bf08b3caf05999a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca9407f16e0a0e23c67f2bdbb621e8bec571fc55871e5a03bf08b3caf05999a8
SHA3-384 hash: e4fd59574633aee3309d2fc49ba7e40e4afc4bb619442067fa007890465501eda05946501ae321d0931c259cb64638f7
SHA1 hash: d80de178a8dbe392cf6c6a8aedde1d05f24633cc
MD5 hash: d1e5d16ed3b75916007b34c702e951fc
humanhash: triple-mexico-texas-green
File name:BILLING INVOICE MAY 2020.LZH
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:852'941 bytes
First seen:2020-06-11 05:40:29 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 12288:oXg3hzlVI1fHJQW5e1pA0r3bE86UpiWRnwx4mhwao1YyA4yVmizae1qAmf02Vktb:wkRopQ7y0r3hnpi9zwN5Xg53Hm82M
TLSH C405335AB433864383BF1841A8982075CABD4E96944EC0B2C77EC97977B3B141DD2B7D
Reporter abuse_ch
Tags:lzh nVpn RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: gmmgroupasia.wsiph2.com
Sending IP: 173.230.147.68
From: Account <account1@dimensionallgroup.com>
Subject: Fwd: BILLING INVOICE MAY 2020
Attachment: BILLING INVOICE MAY 2020.LZH (contains "BILLING INVOICE MAY 2020.PDF.exe")

RemcosRAT C2:
aashkanani22.casacam.net:2404 (79.134.225.73)

Pointing to nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
63
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
Win32.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-06-11 05:42:08 UTC
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zkkap4lobihchrt7fpn3mipix3cxd7cvq4pfua57bcz4v4cztgua._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

rar ca9407f16e0a0e23c67f2bdbb621e8bec571fc55871e5a03bf08b3caf05999a8

(this sample)

RemcosRAT

Executable exe ad26de7b388b0d667f98b6fc939bf942f284752b6353b033b93d31556ad9b461

  
Dropping
MD5 330e039d37798f449d9a10128d4aff03
  
Dropping
RemcosRAT
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 ad26de7b388b0d667f98b6fc939bf942f284752b6353b033b93d31556ad9b461

Comments