MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f937c7dddcdc31780807b68e4b93eea42d4146195b9c45d671bf6ed2f52a5bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT
Vendor detections: 7

SHA256 hash: 3f937c7dddcdc31780807b68e4b93eea42d4146195b9c45d671bf6ed2f52a5bc
SHA3-384 hash: e326b4bd9aba2a1943641fe4e6b5bd24a30543a1775c2db93a95811a603a3ef3db14e4785561829d0553f9151fd6ab1b
SHA1 hash: cef1e792bbd5049e7a15d97d93258ab01e077e72
MD5 hash: ad05f0c477b38274558768134e4253ff
humanhash: jersey-nevada-green-alaska
File name: Paid Approval_ Quote_PDF_99998737t3838799998765635678_76378783773663638822.exe
Signature: RemcosRAT
File size: 1'711'254 bytes
First seen: 2020-08-18 12:55:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1d3807efc70a0a5a6d2ab497250e9cb5 (4 x RemcosRAT, 1 x AZORult, 1 x AveMariaRAT)
ssdeep: 24576:5m/TyzPWwuUDpoEwECcKpkON/0no0VhtuMN0BnT1qZwXh/xhR3PKiFdqVOjZU0Jv:EExXE0no0Vhd0BnxqS1RUVAZoHaIM
Threatray: 314 similar samples on MalwareBazaar
TLSH: 9885D026F2C1F63EC3FA4AF49CA96F845925FE4023409C8B62F63D59C936A40F5D3259
Reporter: abuse_ch
Tags: exe RemcosRAT

abuse_ch
Malspam distributing unidentified malware:

HELO: rdns1.iplumpo.xyz
Sending IP: 51.210.21.231
From: noreply@paystores.com
Subject: RE: Quote - Approval AT635528 Paid
Attachment: Paid Approval_ Quote_PDF_99998737t3838799998765635678_76378783773663638822.rar (contains "Paid Approval_ Quote_PDF_99998737t3838799998765635678_76378783773663638822.exe")

Intelligence

File Origin
# of uploads: 1
# of downloads: 72
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Threat name: Win32.Trojan.Delf
Status: Malicious
First seen: 2020-08-18 12:57:05 UTC
AV detection: 26 of 29 (89.66%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: persistence rat family:remcos
Behaviour:
Modifies registry key
Modifies system certificate store
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The entries below show additional information about this malware sample, such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Signature: RemcosRAT
File: Executable exe 3f937c7dddcdc31780807b68e4b93eea42d4146195b9c45d671bf6ed2f52a5bc (this sample)
