MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37b21e6bc2308ecdfeeebe78205a5c0c69ccbe652beb8f2bfac5063dc81da193. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 5
SHA256 hash: 37b21e6bc2308ecdfeeebe78205a5c0c69ccbe652beb8f2bfac5063dc81da193
SHA3-384 hash: 67da7b24ff81180c20e9e7f5750a1f8b3b5fe78ddf407906db19a709095d5eb509938a0d63628e9525cbce3e28e29185
SHA1 hash: 74735ac6701f8ea33816e70ba2e682cb34dabaa1
MD5 hash: a83a8cbe7d87c7ca3a5d16c8f5c41167
humanhash: failed-yankee-bravo-twenty
File name: PO5674 SPEC DETAILING.rar
Signature: RemcosRAT
File size: 430'758 bytes
First seen: 2022-09-30 08:55:39 UTC
Last seen: Never
File type: rar
MIME type: application/x-rar
ssdeep: 12288:p9ZNfOVrxTf61ZthNBcHzN+I8clgUGXnPG9d4q:kfIhNBozN+IRzG/Gwq
TLSH: T1C394125172E4059FCC726F36D88A8A2803B4EC543C52E3A671DAB67C0D933EB7D265C6
TrID: 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
      38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter: cocaman
Tags: rar RemcosRAT


cocaman
Malicious email (T1566.001)
From: "Malik Umar Tanveer <laboratory@lacsim.com>" (likely spoofed)
Received: "from ashadagroup.com (unknown [80.85.152.183]) "
Date: "22 Sep 2022 20:50:11 -0700"
Subject: "[EXTERNAL] Re: Re: Business inquiry"
Attachment: "PO5674 SPEC DETAILING.rar"

Intelligence

File Origin
# of uploads: 1
# of downloads: 183
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: ByteCode-MSIL.Spyware.Noon
Status: Malicious
First seen: 2022-09-23 02:32:24 UTC
File Type: Binary (Archive)
Extracted files: 6
AV detection: 18 of 25 (72.00%)
Threat level: 2/5

Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:gusta rat
Behaviour:
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Remcos
Malware Config
C2 Extraction: freetogo01.ddns.net:4545

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
RemcosRAT
rar 37b21e6bc2308ecdfeeebe78205a5c0c69ccbe652beb8f2bfac5063dc81da193 (this sample)

Delivery method: Distributed via e-mail attachment
Dropping: RemcosRAT