MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06b3a2567c8f30af04c48561f48263654175bcb4548fcbb1d1b9707a4969c595. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RemcosRAT
Vendor detections: 8

SHA256 hash: 06b3a2567c8f30af04c48561f48263654175bcb4548fcbb1d1b9707a4969c595
SHA3-384 hash: 71697480cb8dec759c4fe070709d21c287ef79ef173df3b0d7d192fb223c84644956c115ebd59a46350b1826bc9282ec
SHA1 hash: 978361bab922d58a72c4906b3e56051ea665616f
MD5 hash: b18759785c283d4cd5dd2c54f5b177c7
humanhash: crazy-glucose-nitrogen-batman
File name: TT Payment Copy.doc.001
Signature: RemcosRAT
File size: 396'572 bytes
First seen: 2023-09-10 06:49:22 UTC
Last seen: 2023-09-11 11:30:00 UTC
File type: rar
MIME type: application/x-rar
ssdeep: 12288:9sPKX/tG+zAEDCadZUa2+QTAPt4l64dhx8:lnznvUbTstkjdhx8
TLSH: T1DE84234822B09CEE22FA4151D845441AE8E76C36224E69D95478530FA3D83C6FFDF6FB
TrID: 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
      38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter: cocaman
Tags: 001 payment rar RemcosRAT


cocaman
Malicious email (T1566.001)
From: "Jahangir <jahangir@woodbridgebd.com>" (likely spoofed)
Received: "from woodbridgebd.com (unknown [185.216.71.115]) "
Date: "4 Sep 2023 10:53:43 -0700"
Subject: "TT PAYMENT_211+301 CTNS_SANTEX_OCEAN"
Attachment: "TT Payment Copy.doc.001"

Intelligence


File Origin
# of uploads: 2
# of downloads: 97
Origin country: CZ
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: TT Payment Copy.doc.exe
File size: 1'125'376 bytes
SHA256 hash: a94dc2ec5ba36249dcf25e76a013cad2ff628acc349e5478705c0cb92bc6050d
MD5 hash: 5a5e01532d13cc779f1ad7bbc89b843d
MIME type: application/x-dosexec
Signature: RemcosRAT
Vendor Threat Intelligence

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: control keylogger lolbin masquerade modiloader remcos replace

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: Win32.Trojan.Remcos
Status: Malicious
First seen: 2023-09-04 00:04:02 UTC
File Type: Binary (Archive)
Extracted files: 43
AV detection: 23 of 38 (60.53%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:modiloader family:remcos botnet:great persistence rat trojan
Behaviour:
Enumerates system info in registry
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Executes dropped EXE
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction: Greatzillart.ydns.eu:1960
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BobSoftMiniDelphiBoBBobSoft
Author: malware-lu

Rule name: Borland
Author: malware-lu

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: RemcosRAT
Sample: rar 06b3a2567c8f30af04c48561f48263654175bcb4548fcbb1d1b9707a4969c595 (this sample)
Delivery method: Distributed via e-mail attachment
Dropping: RemcosRAT

Comments