MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08dea6bb572a7af97d8814d5b65a205f87e4a7e989c90aff99045698053d1a8c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 5

SHA256 hash: 08dea6bb572a7af97d8814d5b65a205f87e4a7e989c90aff99045698053d1a8c
SHA3-384 hash: 339cdff46f00bac7b3da8bedc93f9dcae2ff000ca3babbb13195b2f761c8aa06c23594ed7d90b0d1f424f3f66444363a
SHA1 hash: 673988accb192e692282ce99e7e96bb5f9431d6e
MD5 hash: 794bfcbbef15294c85c25eb815e88eaf
humanhash: double-oregon-neptune-yellow
File name: AW QUOTE 21505 HQ1-Scan-068703_PDF.rar
Signature: RemcosRAT
File size: 695'398 bytes
First seen: 2021-09-22 07:44:41 UTC
Last seen: 2021-09-23 06:48:39 UTC
File type: rar
MIME type: application/x-rar
ssdeep: 12288:RCJAFkWXohl+uGYOAY6VNzWpWJ6Ddf0XqzvkkHwNi9Kq5pq:RCGkFIfYTVNb65Tzsk2i9N5M
TLSH: T13DE4237B64CC4B1C3C3B55C53BAE3AFDAC419A33A0593FD390A2D2805A53AF6047B691
Reporter: cocaman
Tags: rar RemcosRAT

cocaman
Malicious email (T1566.001)
From: "lgpartner.ch <administrator@lgpartner.ch>" (likely spoofed)
Received: "from lgpartner.ch (unknown [103.125.190.56]) "
Date: "22 Sep 2021 16:43:57 -0700"
Subject: "CONFIRM QUOTATIONS"
Attachment: "AW QUOTE 21505 HQ1-Scan-068703_PDF.rar"

Intelligence
File Origin
# of uploads: 2
# of downloads: 154
Origin country: n/a

Vendor Threat Intelligence
Threat name: ByteCode-MSIL.Trojan.ZmutzyPong
Status: Malicious
First seen: 2021-09-22 07:45:06 UTC
AV detection: 16 of 45 (35.56%)
Threat level: 5/5

Result
Malware family: Remcos
Score: 10/10
Tags: family:remcos botnet:remotehost brand:microsoft persistence phishing rat spyware stealer
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
103.156.92.178:7006
Please note that we are no longer able to provide a coverage score for Virus Total.

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: RemcosRAT
  rar 08dea6bb572a7af97d8814d5b65a205f87e4a7e989c90aff99045698053d1a8c (this sample)
  Delivery method: Distributed via e-mail attachment
  Dropping: RemcosRAT

Comments