MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3c359459e4053699435535a4db8eed60a69ea9ebe8330626263fc6f9c1a8729. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f3c359459e4053699435535a4db8eed60a69ea9ebe8330626263fc6f9c1a8729
SHA3-384 hash: 8311f924329b4cb97ef94bf9bb2dabdb2eada8d1869c7b31dce75caf983d80b037d7192e4f703ed194050dc601ae2970
SHA1 hash: 08e268a75dba081ba6452b8434ece0553d195c4c
MD5 hash: df7234080db7649371e96c68d1ab4364
humanhash: six-ink-leopard-robert
File name:Purchase Order.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:499'200 bytes
First seen:2020-06-03 16:34:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:yXcQnz4cem5z1jBFBeT320Pt5J6n1QH4wI6aPe4N1ti8ryDZKb4FYZIGK3WfvwzG:yXcQz4cem5ZNyKb4qDGCs8
Threatray 1'212 similar samples on MalwareBazaar
TLSH 3FB4F79C722072EFC85BD472DAA82D68EA5178BB931F4207942715EDDE4C897CF244F2
Reporter abuse_ch
Tags:exe nVpn RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: smtp3.vooju.com
Sending IP: 3.1.110.166
From: Sinay Santana <ismihan.kobaner@osmak.com.tr>
Subject: June PO 76434675443
Attachment: Purchase Order.lzh (contains "Purchase Order.exe")

RemcosRAT C2:
dolxxrem.hopto.org:3086 (79.134.225.11)

Pointing to nVpn:

% Information related to '79.134.225.0 - 79.134.225.63'

% Abuse contact for '79.134.225.0 - 79.134.225.63' is 'abuse@anmaxx.net'

inetnum: 79.134.225.0 - 79.134.225.63
netname: BASEL-HOSTING-225-0
country: CH
admin-c: AM38880-RIPE
tech-c: AM38880-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
created: 2016-04-17T00:42:52Z
last-modified: 2016-04-18T06:23:19Z
source: RIPE
remarks: abuse-c AIS166-RIPE
org: ORG-AGIS12-RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-03 16:35:34 UTC
AV detection:
22 of 48 (45.83%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6pbvsrm6ibjwtfbvknne3oho2yfgt2u6x2btaytcmp6g7ha2q4uq._file
Verdict:
malicious
Similar samples:
206ffd0bd61efa5d7555466690e7e20ee7bcf6f8e45323bb1bb01b85073bc77b
RemcosRAT
2634fb80e3aae92bb4b0fa252d7be8242629a9dbcd14301b0002e8d1bfc8b420
RemcosRAT
4c5881962cffc89a01446fe5cfaa1c5f5a42c29c2ec1b75f9dd10232434e9986
RemcosRAT
5ed34087532263b2a7797a258fadc6d243e1eaedc7bcd2860fbb7ee2e1e6306c
RemcosRAT
7248d0601627171f4663a14d2e7ca4d80dc8060cd8e126ff18b53d9139b5e423
RemcosRAT
898fb94bb9fb9894ad31a2c4eec424aa0de35cfe8fb97f9da0914105d397ea3f
RemcosRAT
924d2110a668acae185a205cc51772d088304b941e306ae369b7f62f788d3632
RemcosRAT
960bdf7b7b3bd263fcd5aa32f4b0ddb567349d46f6d5062a8000981675bffe6f
RemcosRAT
ae2820f20d20e5dc262e7e018e027646b4e5e4fcbc58cc6663dd077890b27e64
RemcosRAT
e245394d284c52b53c088927f7548cccff63b0bdc36427c1e4f6f66edc3153bd
RemcosRAT
+ 1'202 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat rezer0 spyware
Link:
https://tria.ge/reports/201109-a7ncf9skmj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Uses the VBS compiler for execution
rezer0
Remcos
Malware Config
C2 Extraction:
dolxxrem.hopto.org:3086
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip 8fc701b577dc9eb774004428de83c845998f166f6b681e6aa73b92b0dbbc19d5

RemcosRAT

Executable exe f3c359459e4053699435535a4db8eed60a69ea9ebe8330626263fc6f9c1a8729

(this sample)

  
Dropped by
MD5 8685e5f9b6f7f072d315b549f2a85436
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 8fc701b577dc9eb774004428de83c845998f166f6b681e6aa73b92b0dbbc19d5

Comments