MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c34ed46c75b33e392091d8fb7b4449b2fd78b6a56ae7d89f5e6441c48f10692. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0c34ed46c75b33e392091d8fb7b4449b2fd78b6a56ae7d89f5e6441c48f10692
SHA3-384 hash: d516b7f1d30cb472f1b24ad266a37aac424f11e3df81cd6e350042725e225b905c1f7b6ee8b330831e44b37f5a99629a
SHA1 hash: ac4640df6b4f8b8dcb46a726ebc3ec255dc71ce8
MD5 hash: eae7f1370e2b9bb381a599dccfe715e7
humanhash: three-stream-beryllium-iowa
File name:covid-19 New Order.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:126'976 bytes
First seen:2020-03-29 08:19:42 UTC
Last seen:2020-03-29 08:46:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f2da692d1272c68cb4c96a8b9269349b (1 x RemcosRAT)
ssdeep 768:wmwns+Nn+4t4dWDxVBrq0kd+zgvYk2Xal5cYc/VwHUBOEPYxcIajWwenlTtiN:Rwn1JYoi0kdkjkCa1cHOEgxdNHnR+
Threatray 789 similar samples on MalwareBazaar
TLSH 16C36C22770AE9C4C64156F44F56CBF941B86D305C182E877609BF9C3CB4E538EB8B65
Reporter abuse_ch
Tags:COVID-19 exe GuLoader RemcosRAT


Avatar
abuse_ch
COVID-19 themed malspam distributing GuLoader->RemcosRAT:

HELO: 66s.66hosting.net
Sending IP: 162.241.191.203
From: ldiaz <ldiaz@dizar.net>
Subject: URGENT NEW ORDER COVID-19 RAPID PRODUCTS
Attachment: covid-19 New Order.rar (contains: covid-19 New Order.exe)

GuLoader payload URL dropping RemcosRAT:
https://drive.google.com/uc?export=download&id=15LuIHBrj-wA53hulXGu_fVUZhKCw3_3o

RemcosRAT C2:
bunkman.duckdns.org:1556

bunkman.duckdns.org points to 185.165.153.149:

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacy-matters.co'

inetnum: 185.165.153.0 - 185.165.153.255
netname: PRIVACY_MATTERS
remarks: This prefix belongs to a VPN service provider.
remarks: For us the privacy of our customers matters, which means we store no logs
remarks: related to any IP addresses.
remarks: Spamhaus, please note that blacklisting the clean prefixes of our hosting
remarks: partners and upstream providers is an act of coercion and will no longer
remarks: be tolerated.
remarks: Coercion is punishable by a custodial sentence or by a monetary penalty.
remarks: If you continue such practice we will not only take legal actions against
remarks: your organization, but also make such blackmailing attempts public in the
remarks: media.
country: AT

Intelligence

File Origin
# of uploads :
2
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Dropper.Vebzenpak-7648149-0
Create hunting rule

Win.Trojan.Ponystealer-7648155-0
Create hunting rule

Win.Dropper.Agent-7725907-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-03-29 08:35:29 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bq2o2rwhlmz6heqjdwh3pncetmx5pc3kk2xh3cpv4zcbyshra2ja._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
guloader
Create hunting rule
Similar samples:
487032be06deec0a6b50c6c0464edb67d50f9bb769ea1527969d4b67b83e8733
RemcosRAT
667d35d2cff2979ca84df0afe1eca6c164e1d919b989e16b97166c7a30c77a87
RemcosRAT
91adaeeb7ac7733741a68cc0283a10f64403f64d1378558bae2342bec847f8e5
RemcosRAT
93c327b46d6354a91a9b20311a2f1e1873e132765816ec26443eb1971ccd2946
RemcosRAT
a32c37dd601a6fcdd6e622b2c928c7ef7935a77a0df9a2dfb9c7774630dd266e
RemcosRAT
b8a03fd14b3a3695af8b6c781eb946214a98986279678c6b2a477f22ba1ac3cf
RemcosRAT
c689edeb2bea45f5a7e6402ba51dc23e40e6c8b509841f60cb3d7327340b9b60
RemcosRAT
ca1db184290b274c1f78b091bf019926fa258dd8b1f5bb316a55832aec970338
RemcosRAT
e138622ca793f4a546496b40dcf406a83aa667d16fa2a29879d8282a39d6e7ff
RemcosRAT
f9441d3651d67748ec1a2fd325ea1aa9d914208c7fae0853e5b769e52e66ccb8
RemcosRAT
+ 779 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

rar 7f29294e310a4049e2239c5beccb99d4be17c16abca0a7837c89ac45ebbfd865

RemcosRAT

Executable exe 0c34ed46c75b33e392091d8fb7b4449b2fd78b6a56ae7d89f5e6441c48f10692

(this sample)

RemcosRAT

Executable exe cd124647e3d17ddb97840adeb42a87da5a5ef6cfd5b51babf3011037f0e3a1b7

  
URLhaus
https://urlhaus.abuse.ch/url/331587/
  
Dropping
RemcosRAT
  
Dropped by
MD5 40aa8d77929c5558cf5fafda013b320b
  
Dropped by
SHA256 7f29294e310a4049e2239c5beccb99d4be17c16abca0a7837c89ac45ebbfd865
  
Dropping
MD5 1268072b4b6c1d42db8e85dd53e78150
  
Dropping
SHA256 cd124647e3d17ddb97840adeb42a87da5a5ef6cfd5b51babf3011037f0e3a1b7
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 cd124647e3d17ddb97840adeb42a87da5a5ef6cfd5b51babf3011037f0e3a1b7

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::__vbaObjSetAddref
MSVBVM60.DLL::EVENT_SINK_AddRef

Comments