MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16cb5d2d856a5875d922500357914292e21825a52bfae5809f449bd88650d84b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 16cb5d2d856a5875d922500357914292e21825a52bfae5809f449bd88650d84b
SHA3-384 hash: 49f2d84dd3ef87853de03a1ec6550f230e4940377b3c7b7c6a9f789c784a7a6f796d789931ebacb403fbc70311784ae5
SHA1 hash: d50b098860c85a3e8d002171f321765052fc88b5
MD5 hash: 1761579969045b01e3a4cf67c1691db0
humanhash: kansas-sad-solar-texas
File name:6278216733 BILL OF LADING COMMERCIAL INVOICE.IMG
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'245'184 bytes
First seen:2020-12-03 17:32:36 UTC
Last seen:Never
File type: img
MIME type:application/x-iso9660-image
ssdeep 6144:qXyhZrLkIZK6EdWCf2wXvyhOrhsy+KUQF2ieTW7Z:qXIrQIZbEgCf2fhOrh7+pieg
TLSH AC45D0217681C072F29615798265CB79586FBC312B6868CB3BDC3ABD4F722D2963134F
Reporter abuse_ch
Tags:DHL img nVpn RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: slot0.deinflae.com
Sending IP: 45.85.90.138
From: billing.help@dhl.com
Subject: Bill of Landing Commercial Invoice DHL 63636653 Dispatch
Attachment: 6278216733 BILL OF LADING COMMERCIAL INVOICE.IMG (contains "6278216733 (BILL OF LADING COMMERCIAL INVOICE).exe")

RemcosRAT C2:
79.134.225.75:1199

Hosted on nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Iso_fs1835.UNOFFICIAL
Create hunting rule

PUA.Win.Downloader.Firseria-6804617-0
Create hunting rule

Result
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/16cb5d2d856a5875d922500357914292e21825a52bfae5809f449bd88650d84b/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-12-03 17:33:07 UTC
AV detection:
17 of 47 (36.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=c3fv2lmfnjmhlwjckabvpekcslrbqjnffp5olae7isn5rbsq3bfq._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/16cb5d2d856a5875d922500357914292e21825a52bfae5809f449bd88650d84b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

img 16cb5d2d856a5875d922500357914292e21825a52bfae5809f449bd88650d84b

(this sample)

RemcosRAT

Executable exe d2169ac5c124981adad2629a6f763a39b0031e22d082ee4e07130630a3ee308b

  
Dropping
MD5 10c0f58505e536746e14ff6b4b4ecc74
  
Dropping
RemcosRAT
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 d2169ac5c124981adad2629a6f763a39b0031e22d082ee4e07130630a3ee308b

Comments