MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0432cb3a657e9bbc9d6ab246cba8191af7a85bae164488f1e680947c8c377e3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0432cb3a657e9bbc9d6ab246cba8191af7a85bae164488f1e680947c8c377e3a
SHA3-384 hash: 61116d8557c86c64fa1fda1ef3b3a2866c698e4835357af9da06b782c54d0e708d5a24442bffd16a8c555df090811dd1
SHA1 hash: 46e47e2dedcb6df20925c2b47b10c263d41420c1
MD5 hash: 08571874c5e7e72fac33591d8f0a0e18
humanhash: xray-india-maine-kilo
File name:INVB0987678000090000.PDF.XZ
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:886'385 bytes
First seen:2023-12-12 13:57:33 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 24576:ld9JNoCxEOX0NprYOsZJ3RCNo4RPb8joqs7BHo+c:lvDo4Ea0N+RAUjohHo9
TLSH T122152304212FE1ADED2B159DB0F9053EE4A45BEC2658076D12EC76D4C8DEFC939A21E3
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:INVOICE QUOTATION RemcosRAT xz zip


Avatar
cocaman
Malicious email (T1566.001)
From: "Muhammet <comercial.rspharma@gmail.com>" (likely spoofed)
Received: "from hosted-by.rootlayer.net (unknown [45.137.22.114]) "
Date: "12 Dec 2023 02:09:16 +0100"
Subject: "Quotation invoice"
Attachment: "INVB0987678000090000.PDF.XZ"

Intelligence

File Origin
# of uploads :
1
# of downloads :
101
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:INVB0987678000090000.BAT
File size:925'696 bytes
SHA256 hash: f05ac4628bc3cc7da752894e47479c2f8532ed5c485943b7abb680a79d4dba9c
MD5 hash: 4b08b3e2d346591d2f805256c63a8875
MIME type:application/x-dosexec
Signature RemcosRAT
Vendor Threat Intelligence
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.MulDrop24.32075.19887.27060.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed remcos
Link:
https://www.filescan.io/uploads/657866ef855eb2633d67dcb5/reports/93d6ff22-d85b-4d53-9a2e-cfec4c0d0646/overview
Verdict:
Malicious
Labled as:
Troj/Krypt
Link:
https://www.hybrid-analysis.com/sample/0432cb3a657e9bbc9d6ab246cba8191af7a85bae164488f1e680947c8c377e3a
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/0432cb3a657e9bbc9d6ab246cba8191af7a85bae164488f1e680947c8c377e3a
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Score:
0%
Verdict:
Benign
File Type:
Archive
Link:
https://malprob.io/report/0432cb3a657e9bbc9d6ab246cba8191af7a85bae164488f1e680947c8c377e3a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0432cb3a657e9bbc9d6ab246cba8191af7a85bae164488f1e680947c8c377e3a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-12-11 23:15:31 UTC
File Type:
Binary (Archive)
Extracted files:
26
AV detection:
20 of 37 (54.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aqzmwotfp2n3zhlkwjdmxkazdl32qw5oczcir4pgqckhzdbxpy5a._file
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:remcos family:zgrat botnet:remotehost rat
Link:
https://tria.ge/reports/231212-r1bdpsefan/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Detect ZGRat V1
Remcos
ZGRat
Malware Config
C2 Extraction:
107.175.229.139:8087
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0432cb3a657e9bbc9d6ab246cba8191af7a85bae164488f1e680947c8c377e3a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip 0432cb3a657e9bbc9d6ab246cba8191af7a85bae164488f1e680947c8c377e3a

(this sample)

RemcosRAT

Executable exe f05ac4628bc3cc7da752894e47479c2f8532ed5c485943b7abb680a79d4dba9c

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 f05ac4628bc3cc7da752894e47479c2f8532ed5c485943b7abb680a79d4dba9c
  
Dropping
RemcosRAT
  
Dropping
MD5 4b08b3e2d346591d2f805256c63a8875

Comments