MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d8df098798099b8106386eb335e7f793d9ce4c14c863105aa2f260cea331c44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d8df098798099b8106386eb335e7f793d9ce4c14c863105aa2f260cea331c44
SHA3-384 hash: 043c0203784cfa8946998e3023f8deb85be38175cf24de84fd936a9399082b110295effe15aeb957e11128e4ef55ddb7
SHA1 hash: 5b27e7f42dbf4862c67476a597980bcaea155a4a
MD5 hash: 71c7268140f881d25f8a3644cb791997
humanhash: cardinal-lake-lion-cup
File name:DHL_144632.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:637'952 bytes
First seen:2020-06-04 15:22:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 13bda32eb13d3eb49bc287f44d7db8e9 (3 x RemcosRAT, 1 x AveMariaRAT)
ssdeep 6144:BrVWTPtdNikCddIwVszNQM/ck4YvntuwJD8gxOeOMUkH+xZX+jI5M7IrYd2t/ouI:tVWPt5IIwVs1v9PUk+niUrYk9D3b
Threatray 808 similar samples on MalwareBazaar
TLSH 6DD48D62B7A24477D133077D8C1BCE78643BBD156E78684B2AEA7C4C9F36282352B147
Reporter abuse_ch
Tags:DHL exe nVpn RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: 52-247-208-187.plesk.page
Sending IP: 13.66.249.187
From: DHL <support@dhl.com>
Subject: Your Parcel has Arrived
Attachment: DHL_144632.IMG (contains "DHL_144632.exe")

RemcosRAT C2:
boot.awsmppl.com:2266 (79.134.225.105)

Pointing to nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-06-04 15:35:45 UTC
AV detection:
14 of 31 (45.16%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dwg7bgdzqcm3qeddq3vtgxt7pe6zzzgbjsddcbnkf4taz2rtdrca._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0b8d469babc7b057403a1d7ca0f781c9a675523941cfcc8bb6eae582680746c4
RemcosRAT
1df9aa28e1f0652e0797e7531c2965387107ecb56b2988f260d758a932ce3d1b
RemcosRAT
3a90457357756473cd15940468d7af9b7862d683c3c29fa0f01e69720023bdd1
RemcosRAT
4692d4716a224f54c928808d2d7ee7e9eaeb8531f1cd29b91886fa511a12f07a
RemcosRAT
644aa25d23ed0bde16287cbf053890168f01b13ba8909a1c9b984f8f2f58180f
RemcosRAT
71d8902ce64db45af7c463dcf085067198b934c43169e3eff51e58495a0f65bb
RemcosRAT
9ad345199fba200ac03609aa9a93be1c10663b7c2c1f3d0467e747f0f0147caf
RemcosRAT
a7d93e9c9bb80f0f8a271ae4a101f305bac535e197697b35f291794fa83ef538
RemcosRAT
b05eb1ace6dd219a6e5ea23d25ea88bbd672ad379ac4dcaa935acbfdece37c0b
RemcosRAT
e9f204296b816ecf645ea8401bd531f3880634c81fb37224f39d9af058e2c08f
RemcosRAT
+ 798 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader
Link:
https://tria.ge/reports/201109-324syrk32a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Legitimate hosting services abused for malware hosting/C2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

img e33aa3c8259b17332a97d11c3d34677050a4ef797d0ed0263bb0147a0d8d1097

RemcosRAT

Executable exe 1d8df098798099b8106386eb335e7f793d9ce4c14c863105aa2f260cea331c44

(this sample)

  
Dropped by
MD5 5b317070cb12b4a401afad254e331026
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e33aa3c8259b17332a97d11c3d34677050a4ef797d0ed0263bb0147a0d8d1097

Comments