MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 535875e408bbb344d35c6423d432b6886cd348199a62435ba313c21fbc0a7cc9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 7


SHA256 hash: 535875e408bbb344d35c6423d432b6886cd348199a62435ba313c21fbc0a7cc9
SHA3-384 hash: 9f6c8da0b476927c46b708e679048e2ceb4a525dff6d93da7bbd501f2b3e63b4fb1dbc61d69b1e958613ac31d4b207dd
SHA1 hash: 9501babacdc3bc54af8eda093a28a34b9ae2d384
MD5 hash: c4038a129f903e7feb4fab2953974454
humanhash: thirteen-bacon-autumn-jupiter
File name: Attachment.iso
Signature: RemcosRAT
File size: 1'507'328 bytes
First seen: 2022-03-09 15:30:46 UTC
Last seen: 2022-04-20 10:22:38 UTC
File type: iso
MIME type: application/x-iso9660-image
ssdeep: 12288:ePMS5rQMPN376hkPire9wd2rUnyMRZv5YDQfzl/WRIlRfkKOOikh:QMsld6hkie9wdFnDZv5Ymht7f
TLSH: T1E665AEEEB7901832C1226A398D6753B46419FE112F10A4873BE87D0FBFB55517A393A3
Reporter: cocaman
Tags: DHL iso RemcosRAT
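The entry lists four digests of the sample and identifies it as an ISO 9660 image delivered as a mail attachment. ISO attachments were a common malspam wrapper in 2022 because the files inside a mounted image did not carry the Mark-of-the-Web, so the usual download warnings were skipped. The script below is an added triage example, not code from MalwareBazaar: it computes the same four digests with Python's hashlib and compares them against the listed values, recognises an ISO 9660 image by its Primary Volume Descriptor at sector 16, and lists the root directory without mounting the image. The real sample is not embedded; `build_sample_iso()` constructs a minimal stand-in image with one hypothetical file name (`INVOICE.EXE;1`), and the suspicious-extension list is an assumed triage default, neither of which comes from the page.

```python
import hashlib
import struct

SECTOR = 2048  # ISO 9660 logical sector size

# Digests as listed in the MalwareBazaar entry above; the real sample is NOT embedded here.
LISTED_HASHES = {
    "md5": "c4038a129f903e7feb4fab2953974454",
    "sha1": "9501babacdc3bc54af8eda093a28a34b9ae2d384",
    "sha256": "535875e408bbb344d35c6423d432b6886cd348199a62435ba313c21fbc0a7cc9",
    "sha3_384": "9f6c8da0b476927c46b708e679048e2ceb4a525dff6d93da7bbd501f2b3e63b4fb1dbc61d69b1e958613ac31d4b207dd",
}
# Assumed triage list of extensions worth flagging inside a mailed ISO (not from the page).
SUSPICIOUS_EXT = {".exe", ".scr", ".dll", ".lnk", ".vbs", ".js", ".bat", ".cmd", ".hta", ".ps1"}


def hash_bytes(data: bytes) -> dict:
    """Compute the four digests MalwareBazaar lists; all are available in hashlib."""
    return {name: hashlib.new(name, data).hexdigest() for name in LISTED_HASHES}


def matches_listed(data: bytes) -> bool:
    """True only if every listed digest matches, so a single mismatch rejects the file."""
    return hash_bytes(data) == LISTED_HASHES


def is_iso9660(data: bytes) -> bool:
    """An ISO 9660 image has a Primary Volume Descriptor at sector 16: type byte 1, then 'CD001'."""
    off = 16 * SECTOR
    return len(data) >= off + 7 and data[off] == 1 and data[off + 1:off + 6] == b"CD001"


def _parse_dir_record(buf: bytes, pos: int):
    """Decode one directory record, reading the little-endian half of each both-endian field."""
    rec_len = buf[pos]
    extent = struct.unpack_from("<I", buf, pos + 2)[0]   # first logical block of the data
    size = struct.unpack_from("<I", buf, pos + 10)[0]    # data length in bytes
    flags = buf[pos + 25]                                # bit 1 set => directory
    name_len = buf[pos + 32]
    return rec_len, extent, size, flags, buf[pos + 33:pos + 33 + name_len]


def list_root(data: bytes) -> list:
    """Return (name, size, is_dir) for each root-directory entry without mounting the image."""
    _, extent, size, _, _ = _parse_dir_record(data, 16 * SECTOR + 156)  # root record sits in the PVD
    table = data[extent * SECTOR:extent * SECTOR + size]
    entries, pos = [], 0
    while pos < len(table):
        rec_len = table[pos]
        if rec_len == 0:                      # records never cross a sector; a zero byte is padding
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        _, _, sz, flags, name = _parse_dir_record(table, pos)
        if name not in (b"\x00", b"\x01"):    # skip the '.' and '..' entries
            entries.append((name.decode("ascii", "replace"), sz, bool(flags & 2)))
        pos += rec_len
    return entries


def triage_iso(data: bytes) -> dict:
    """Combine the checks: is it ISO 9660, what is in the root, which entries look executable."""
    if not is_iso9660(data):
        return {"iso9660": False, "entries": [], "flagged": []}
    entries = list_root(data)
    flagged = [n for n, _, is_dir in entries
               if not is_dir and any(n.split(";")[0].lower().endswith(e) for e in SUSPICIOUS_EXT)]
    return {"iso9660": True, "entries": entries, "flagged": flagged}


# Constructed stand-in image (NOT the real sample): PVD, terminator, root directory, one file.
def _dir_record(name: bytes, extent: int, size: int, is_dir: bool) -> bytes:
    body = b"\x00"                                                 # extended attribute length
    body += struct.pack("<I", extent) + struct.pack(">I", extent)  # extent LBA, both-endian
    body += struct.pack("<I", size) + struct.pack(">I", size)      # data length, both-endian
    body += bytes(7)                                               # recording date (unused here)
    body += bytes([2 if is_dir else 0]) + bytes(2)                 # flags, file unit size, interleave
    body += struct.pack("<H", 1) + struct.pack(">H", 1)            # volume sequence number
    body += bytes([len(name)]) + name
    if (len(body) + 1) % 2:
        body += b"\x00"                                            # pad the record to an even length
    return bytes([len(body) + 1]) + body


def build_sample_iso() -> bytes:
    root_lba, file_lba = 18, 19
    payload = b"MZ" + bytes(62)                 # stand-in for a PE file under a hypothetical name
    root = (_dir_record(b"\x00", root_lba, SECTOR, True)
            + _dir_record(b"\x01", root_lba, SECTOR, True)
            + _dir_record(b"INVOICE.EXE;1", file_lba, len(payload), False))
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1
    pvd[40:72] = b"ATTACHMENT".ljust(32)         # volume identifier (constructed)
    struct.pack_into("<H", pvd, 128, SECTOR)    # logical block size, both-endian
    struct.pack_into(">H", pvd, 130, SECTOR)
    pvd[156:190] = _dir_record(b"\x00", root_lba, SECTOR, True)
    term = bytearray(SECTOR)
    term[0], term[1:6], term[6] = 255, b"CD001", 1  # volume descriptor set terminator
    return (bytes(16 * SECTOR) + bytes(pvd) + bytes(term)
            + root.ljust(SECTOR, b"\x00") + payload.ljust(SECTOR, b"\x00"))


if __name__ == "__main__":
    image = build_sample_iso()
    print("sha256", hash_bytes(image)["sha256"], "matches listed sample:", matches_listed(image))
    print(triage_iso(image))
```

Only the root directory is walked; a real triage would recurse into subdirectories and also read the Joliet volume descriptor (type 2), which is where long mixed-case names live. Comparing all four digests at once is deliberate: an attacker can only collide one algorithm at a time, and a mismatch on any of them means the file on disk is not the sample recorded here.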


cocaman
Malicious email (T1566.001)
From: ""Dhl Helpdesk" <mail@logisticswish.com>" (likely spoofed)
Received: "from postfix-inbound-v2-4.inbound.mailchannels.net (inbound-egress-5.mailchannels.net [199.10.31.237]) "
Date: "Wed, 09 Mar 2022 04:44:36 -0800"
Subject: "Delivery Failed"
Attachment: "Attachment.iso"

Intelligence


File Origin
# of uploads: 2
# of downloads: 145
Origin country: n/a
Vendor Threat Intelligence
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: control.exe greyware keylogger packed
Result
Verdict: SUSPICIOUS
Threat name: Win32.Trojan.FormBook
Status: Malicious
First seen: 2022-03-09 15:31:10 UTC
File Type: Binary (Archive)
Extracted files: 26
AV detection: 18 of 27 (66.67%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:remotehost collection persistence rat
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
sinzu1.camdvr.org:2404
sinzu2.camdvr.org:2404
sinzu3.kozow.com:2404
sinzu4.ddnsgeek.com:2404
sinzu5.giize.com:2404
sinzu6.camdvr.org:2404
sinzu7.camdvr.org:2404
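The extracted config holds seven C2 hosts, all on port 2404 (the Remcos default), and all under zones offered by free dynamic DNS services, so the operator can repoint them at will and the numbered sinzu1..sinzu7 names suggest more were registered than this sample uses. The script below is an added detection example, not code from the page or from any vendor sandbox: it turns the list into three tiers of matching (exact endpoint or hostname, same dynamic DNS zone plus port 2404, and a naming-pattern heuristic) and runs them over a few constructed DNS and connection log lines in a simple space-separated format invented for this example. The sinzuN pattern rule, the log format and the sample lines are assumptions; the endpoints are the ones listed above.

```python
import re
from collections import namedtuple

# Seven C2 endpoints from the config extraction above; every one uses port 2404.
C2_ENDPOINTS = {
    "sinzu1.camdvr.org:2404", "sinzu2.camdvr.org:2404", "sinzu3.kozow.com:2404",
    "sinzu4.ddnsgeek.com:2404", "sinzu5.giize.com:2404", "sinzu6.camdvr.org:2404",
    "sinzu7.camdvr.org:2404",
}
C2_HOSTS = {ep.rsplit(":", 1)[0] for ep in C2_ENDPOINTS}
C2_ZONES = {host.split(".", 1)[1] for host in C2_HOSTS}  # camdvr.org, kozow.com, ddnsgeek.com, giize.com
C2_PORT = 2404

Hit = namedtuple("Hit", "severity rule line")

# Constructed log lines (not from the page), in an invented format:
#   "<ts> <src_ip> dns <qname>"  or  "<ts> <src_ip> conn <dst_host> <dst_port>"
LOG_LINES = """\
2022-03-09T15:41:02Z 10.1.4.23 dns sinzu3.kozow.com
2022-03-09T15:41:02Z 10.1.4.23 conn sinzu3.kozow.com 2404
2022-03-09T15:41:09Z 10.1.4.23 dns sinzu8.giize.com
2022-03-09T15:41:10Z 10.1.4.23 conn sinzu9.camdvr.org 2404
2022-03-09T15:42:00Z 10.1.4.50 dns www.dhl.com
2022-03-09T15:42:05Z 10.1.4.50 conn www.dhl.com 443
2022-03-09T15:43:00Z 10.1.4.77 conn backup.example.net 2404
""".splitlines()


def parent_zone(host: str) -> str:
    """Last two labels (label.zone.tld layout of the config hosts); enough for these dyn-DNS zones."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(dst_host: str, dst_port):
    """Return (severity, rule) for one destination, or (None, None) when nothing matches."""
    host = dst_host.lower().rstrip(".")  # normalise case and the trailing dot some DNS logs add
    if dst_port is not None and f"{host}:{dst_port}" in C2_ENDPOINTS:
        return "high", "exact C2 endpoint from the extracted Remcos config"
    if host in C2_HOSTS:
        return "high", "lookup or connection involving a known C2 hostname"
    if parent_zone(host) in C2_ZONES and dst_port == C2_PORT:
        return "medium", "same dynamic DNS zone as the config plus Remcos port 2404"
    if re.fullmatch(r"sinzu\d+", host.split(".")[0]) and parent_zone(host) in C2_ZONES:
        return "medium", "sinzuN naming pattern under a config zone (heuristic assumption)"
    if dst_port == C2_PORT:
        return "low", "port 2404 only; needs corroboration"
    return None, None


def scan(lines) -> list:
    """Run classify() over the simple log format above and collect hits in log order."""
    hits = []
    for line in lines:
        f = line.split()
        if len(f) >= 4 and f[2] == "dns":
            host, port = f[3], None
        elif len(f) >= 5 and f[2] == "conn":
            host, port = f[3], int(f[4])
        else:
            continue
        sev, rule = classify(host, port)
        if sev:
            hits.append(Hit(sev, rule, line))
    return hits


if __name__ == "__main__":
    for h in scan(LOG_LINES):
        print(f"[{h.severity:6}] {h.rule}: {h.line}")
```

The zone-plus-port tier is the one that catches sinzu9.camdvr.org, a host this config never mentions; blocking only the seven literal names would miss it. It will also fire on unrelated users of the same dynamic DNS zones who happen to use port 2404, which is why it is rated medium and paired with the host that made the request rather than blocked outright.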
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
RemcosRAT
iso 535875e408bbb344d35c6423d432b6886cd348199a62435ba313c21fbc0a7cc9 (this sample)

Delivery method: Distributed via e-mail attachment
Dropping: RemcosRAT

Comments