MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0af1d8f544c1daf3c85dfa4e86bd2c73e391a23beba64b51348e18970ca40bb4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0af1d8f544c1daf3c85dfa4e86bd2c73e391a23beba64b51348e18970ca40bb4
SHA3-384 hash: 04216bee497f8a73110848ec13729acc0b20566d203dfbab2ff7ad95925f0ba1f1a1210e798b690f57c832945931d6b0
SHA1 hash: 85bb1becbd889d6ba4592959a386e2a8643b1b6a
MD5 hash: b4cc2275a0bf32a3dd256e0e5634070c
humanhash: lion-finch-romeo-carpet
File name:SWIFT.rar
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:158'028 bytes
First seen:2021-01-19 12:03:01 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 3072:rIkNibb8hFlIMlxw5EfbUxs5m973PLv2bR67Hvab5AASbkJJ3IJQPtA:rI0ifwZ/4EfbUG5qvB7PCAyJYb
TLSH 99F3133CB09A0D17DB58F6B7310E3A7B1724905559E1D7E8B205F6CC3A36A9A27C438C
Reporter abuse_ch
Tags:nVpn rar RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: [37.46.150.2]
Sending IP: 37.46.150.2
From: julesendkate@gmail.com
Subject: Re: Transfer Swift From Our Bank
Attachment: SWIFT.rar (contains "SWIFT.exe")

RemcosRAT C2:
whatgodcannotdodoestnotexist.duckdns.org:2889 (185.140.53.154)

Pointing to nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@privacyfirst.sh'

inetnum: 185.140.53.0 - 185.140.53.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-11-06T23:02:44Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0af1d8f544c1daf3c85dfa4e86bd2c73e391a23beba64b51348e18970ca40bb4/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-01-19 12:03:08 UTC
AV detection:
15 of 46 (32.61%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bly5r5keyhnphsc57jhinpjmoprzdir35otewujurymjodfebo2a._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/0af1d8f544c1daf3c85dfa4e86bd2c73e391a23beba64b51348e18970ca40bb4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

rar 0af1d8f544c1daf3c85dfa4e86bd2c73e391a23beba64b51348e18970ca40bb4

(this sample)

RemcosRAT

Executable exe bcacb340582be7a1764da1d56bd4e86d027987eb6a985ca973fa9d1509eb0863

  
Dropping
MD5 ea93512c5e7bba30c5a4dc3f4e51e6c8
  
Dropping
RemcosRAT
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 bcacb340582be7a1764da1d56bd4e86d027987eb6a985ca973fa9d1509eb0863

Comments