MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3cf13bb5ddbc61a5057d476f9ce1c27265a56f46e1e89f5ada07ac39ce19916d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	3cf13bb5ddbc61a5057d476f9ce1c27265a56f46e1e89f5ada07ac39ce19916d
SHA3-384 hash:	43ca6d32b71a2062120568eb961a5270e383f52d73b662ad3769af56156902c2790cb97dbacbc0bfe48b615f3125264c
SHA1 hash:	bb4e25679323c4f74cc53e24e1c8ff3cec1b07cd
MD5 hash:	612a753fda401029ddca1989452bd74a
humanhash:	undress-nitrogen-charlie-india
File name:	RFQ BRAS BASE 7683465 2023.R00
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	829'943 bytes
First seen:	2023-06-27 10:15:42 UTC
Last seen:	Never
File type:	r00
MIME type:	application/x-rar
ssdeep	24576:H54B6Oq05q5nXLkg6Iakc23Cwzs3hcsnxEskd2:H56q05q5XQg6Iakc2yRmsnxEskd2
TLSH	T1E205233BA91049638C17F6FE2DD632FE6B36CE4074B852FB181214BC7F4A89996448D7
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter	cocaman
Tags:	r00 RemcosRAT RFQ

cocaman

Malicious email (T1566.001)
From: ""Mr. Jayant S. Pingle <mkt.cabt@chaitanyagroupindia.com>"
<sales@hostwt.com>" (likely spoofed)
Received: "from whitfield.hostwt.com (whitfield.hostwt.com [88.209.205.96]) "
Date: "Tue, 27 Jun 2023 01:41:12 -0700"
Subject: "NEW ORDER AP-ALTECO 2023"
Attachment: "RFQ BRAS BASE 7683465 2023.R00"

Intelligence

File Origin

# of uploads :

# of downloads :

107

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	RFQ BRAS BASE 7683465 2023.exe
File size:	920'576 bytes
SHA256 hash:	4400353ebbbd72f1a260b3021c48fa67439ec6accd01ecd27ada202052f27391
MD5 hash:	826572294dd7857d627783220e0fefa6
MIME type:	application/x-dosexec
Signature	RemcosRAT

Vendor Threat Intelligence

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed remcos

Link:

https://www.filescan.io/uploads/649ab6e3df3d0b939156d8a6/reports/823cbdc9-6802-40cf-90cd-08d8491cab7c/overview

Verdict:

Malicious

Labled as:

Mal/DrodRar

Link:

https://www.hybrid-analysis.com/sample/3cf13bb5ddbc61a5057d476f9ce1c27265a56f46e1e89f5ada07ac39ce19916d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3cf13bb5ddbc61a5057d476f9ce1c27265a56f46e1e89f5ada07ac39ce19916d/

Threat name:

Win32.Trojan.Zmutzy

Status:

Malicious

First seen:

2023-06-27 10:15:46 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

11 of 37 (29.73%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=htytxno5xrq2kbl5i5xzzyocojs2k32g4huj6ww2a6wdttqzsfwq._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3cf13bb5ddbc61a5057d476f9ce1c27265a56f46e1e89f5ada07ac39ce19916d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.