MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2bd30faef9e89799bc33f076afc8f3521bc84018c8e27829e8f475ee1c8dc13b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 4



SHA256 hash: 2bd30faef9e89799bc33f076afc8f3521bc84018c8e27829e8f475ee1c8dc13b
SHA3-384 hash: b349934c1a6f3b02d14912537cdc7c52ddc45d490a982cdf9bee9cdd73bbc1d0ea36334a6554256833fcdee58d8014a2
SHA1 hash: 11b482fb990a4d6c6720af18ac628f5f060f1cbe
MD5 hash: 361908600e2dd73063e91d7cd3a4dbbd
humanhash: fish-south-virginia-vermont
File name: CHATTING.EXE
Signature: RemcosRAT
File size: 110'592 bytes
First seen: 2020-03-30 18:43:40 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a157e3e198b305ca2d7d3824259be243 (1 x RemcosRAT)
ssdeep: 1536:uinIaAogvHoGZ64Z/dx0o1bcaeMFWTkMaPIkQDvBm:uslst6wL0m7RQ0
Threatray: 1'475 similar samples on MalwareBazaar
TLSH: 82B3F816F900BC95DDEC4DB78771CA9C53567E276E0AAA03348C3ECFBAB1250714299B
Reporter: abuse_ch
Tags: COVID-19 exe GuLoader RemcosRAT


abuse_ch
COVID-19 malspam distributing GuLoader->RemcosRAT:

HELO: mta0.veresegyhaz.tk
Sending IP: 161.35.58.139
From: WHO<info@veresegyhaz.tk>
Subject: Re: COVID-19 Relief: How to Access Complimentary Products
Attachment: Covid-19.001 (contains "CHATTING.EXE")

GuLoader payload URL (RemcosRAT):
https://onedrive.live.com/download?cid=CFD8E120D47DF1A4&resid=CFD8E120D47DF1A4%211132&authkey=AFrU_0NCOPZWS7A

RemcosRAT C2:
91.193.75.126:2019

% Information related to '91.193.75.0 - 91.193.75.255'

% Abuse contact for '91.193.75.0 - 91.193.75.255' is 'abuse@kgb-vpn.org'

inetnum: 91.193.75.0 - 91.193.75.255
netname: NON-LOGGING-VPN-SERVICE
descr: Please note that we don't store any user data.
descr: Our main effort is not to make money, but to preserve values like the
descr: freedom of expression, the freedom of press, the right to data protection
descr: and informational self-determination.
descr: We ask all employees of Spamhaus and all self-proclaimed deputy sheriffs
descr: to stop your attacks against us.
country: EU

Intelligence


File Origin
# of uploads: 1
# of downloads: 100
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Trojan.Injector
Status: Malicious
First seen: 2020-03-30 19:35:29 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 24 of 30 (80.00%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropping: RemcosRAT
Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                  Title                                                     Severity
CHECK_AUTHENTICODE  Missing Authenticode                                      high
CHECK_NX            Missing Non-Executable Memory Protection                  critical
CHECK_PIE           Missing Position-Independent Executable (PIE) Protection  high

Reviews

ID      Capabilities                   Evidence
VB_API  Legacy Visual Basic API used   MSVBVM60.DLL::EVENT_SINK_AddRef

Comments