MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3e923ae13e15532b388ea9b527af6a75c7036a4f0621b03813fb2803faa2070. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d3e923ae13e15532b388ea9b527af6a75c7036a4f0621b03813fb2803faa2070
SHA3-384 hash: e9eedf6fdbb71e29345a23544359938c5f56960c22c1ee5d58fe5e38055a037e5b311073e8a0573392585d85d32811a8
SHA1 hash: 459beed63afd47022f082bd80b2d21c21c063a83
MD5 hash: b07ad552f9e30f14b30b24095f564f81
humanhash: carpet-diet-don-floor
File name:C1350095.pdf.z
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:447'961 bytes
First seen:2020-08-19 11:18:00 UTC
Last seen:Never
File type: z
MIME type:application/x-rar
ssdeep 12288:nogx6CQrWL/aSZgIBVnzSGYi3m/iYsmmXYbnilIkd7u:ogxdL/aOg+I94e2YilIkd7u
TLSH B194237D16521C0BE44B4A80C047DFD596E3B892A87AD8F2CDDBC13A43DBE053A9D9D8
Reporter abuse_ch
Tags:nVpn RAT RemcosRAT z


Avatar
abuse_ch
Malspam distributing RemcosRAT:

From: arockiamvincent@englam.com.sg
Subject: Re: Attn
Attachment: C1350095.pdf.z (contains "C1350095.exe")

RemcosRAT C2:
salespaul.hopto.org:24005 (194.5.97.12)

Pointing to nVpn:

% Information related to '194.5.97.0 - 194.5.97.255'

% Abuse contact for '194.5.97.0 - 194.5.97.255' is 'abuse@kgb-vpn.org'

inetnum: 194.5.97.0 - 194.5.97.255
netname: NET-NINAZU
remarks: ------------------------------------------
remarks: * This network is used for a VPN service.
remarks: * No logs are stored in any shape or form.
remarks: ------------------------------------------
country: EU
admin-c: NVS100-RIPE
tech-c: NVS100-RIPE
org: ORG-NVS2-RIPE
mnt-by: NINAZU-MNT
status: SUB-ALLOCATED PA
created: 2018-07-23T09:31:45Z
last-modified: 2020-08-02T13:13:48Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
59
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d3e923ae13e15532b388ea9b527af6a75c7036a4f0621b03813fb2803faa2070/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-19 00:31:29 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2pushlqt4fktfm4i5knve6xwu5ohanve6brbwa4bh6ziap5kebya._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Backdoor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d3e923ae13e15532b388ea9b527af6a75c7036a4f0621b03813fb2803faa2070

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

z d3e923ae13e15532b388ea9b527af6a75c7036a4f0621b03813fb2803faa2070

(this sample)

RemcosRAT

Executable exe 2d29f962b325477d0a35364394c3ea6178f7b030e7a4e57c3811ea3696b7d661

  
Dropping
MD5 3fc3812c6cc799342bb4a6ed3179b872
  
Dropping
RemcosRAT
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 2d29f962b325477d0a35364394c3ea6178f7b030e7a4e57c3811ea3696b7d661

Comments