MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd73ef0c278e50bc42f5afe096966fa841b9acbb6bfb553a67724b04cc85d097. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd73ef0c278e50bc42f5afe096966fa841b9acbb6bfb553a67724b04cc85d097
SHA3-384 hash: 2dc41f83b68ef0ba6e8574f0cf62e394c746a1afcba77dc8dc74d33db22b4fe3752cd2ee6821c0695603cb410a89879f
SHA1 hash: 0da4fda658928daba170b0441795f3b905cd0fb3
MD5 hash: 6d6888e2dcce9a0403144ffe717493c9
humanhash: arizona-enemy-bacon-glucose
File name:INVOICE_7678985BD.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:383'488 bytes
First seen:2020-06-03 11:29:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:qPZmmxNbWw0gX6q9FiX/7XmR/aT5Tx7VAy9u4ZnrMmCWF4vY:2mmrcgX60FeaaTfVAy84Zn4mCWl
Threatray 1'993 similar samples on MalwareBazaar
TLSH 3684AE1436917D0FC23E4E37882218109AB196637F5FF347ACC725DEAA1EBDA4A01797
Reporter abuse_ch
Tags:exe nVpn RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: gdi.com.qa
Sending IP: 108.62.141.90
From: Stephen Rice<stephen.rice@gdi.com.qa>
Subject: Urgent!! Product Survey From Reliance Commercial Dealers Ltd
Attachment: INVOICE_7678985BD.rar (contains "INVOICE_7678985BD.exe")

RemcosRAT C2:
79.134.225.78:6666

Hosted on nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-03 12:17:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
20 of 31 (64.52%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3vz66dbhrzilyqxvv7qjnftpvba3tlf3np5vkothojfqjtef2clq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
013272a7f6fd9926e268e175cfeb2bcb0aeab1573a68693c872a119bfdfa4402
RemcosRAT
1d62f58f38403389ce4079c1002d56ab2d64e440c1bbd358ed23d5d726143581
RemcosRAT
1e68055f95563948fbacfd1de0b04fd457c108ef8482d2a6642a0067835ce529
RemcosRAT
28e5fa8a71a61c9a963340efa4179b8e1e966eca430c77f86c5795a28b66162a
RemcosRAT
2b9d20dda8529c9c382c5f2adc8eb966ec46590a15f056ba436d1b07c5b61e4f
RemcosRAT
3adda6c23f01cecac1ce8a51c8dcdab4129088a4e4abcf8f66d8a09b7fe5c84a
RemcosRAT
46200359aaf042b4f42a8ee7b23b1b573013d80e7335ac8fb5c870dfdd9f02d7
RemcosRAT
4cf39f322acf41699c40c7580f1ba40018f44930b7be21319f1ba84622236818
RemcosRAT
de78d6ebc53d0a17441d132529eb2db65ec206e7f4223382337e190aec29b150
RemcosRAT
f036e2aa7615446d2cb3ab689b13aac4055bf2cb8b19b0999db08d7052a80bf1
RemcosRAT
+ 1'983 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat rezer0
Link:
https://tria.ge/reports/201109-5sv7d3ak6n/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
rezer0
Remcos
Malware Config
C2 Extraction:
79.134.225.78:6666
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

rar dd1e172d73be86ba3cb1ef8591d09eb757089d3c6dbd17b1bbf77f445955a8d0

RemcosRAT

Executable exe dd73ef0c278e50bc42f5afe096966fa841b9acbb6bfb553a67724b04cc85d097

(this sample)

  
Dropped by
MD5 adbe2c0fe49a1c233174ba006dbdaa16
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 dd1e172d73be86ba3cb1ef8591d09eb757089d3c6dbd17b1bbf77f445955a8d0

Comments