MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5450af8cdb916003b5ef00f39783067b58f165ce50417545d09934da358cc0c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT
Vendor detections: 8

SHA256 hash: 5450af8cdb916003b5ef00f39783067b58f165ce50417545d09934da358cc0c7
SHA3-384 hash: e2e6e7a6a062728dc659a8d6caf6ffbc3e5fa7d1affbd4d733168bbbdc8e392b341401d21f76759f5e8c4f8f7c747a12
SHA1 hash: 053d74ff5309c54538bdb935f2747bc5722752cc
MD5 hash: 9f2ee9d2c770b085c485c887c4ac66d1
humanhash: autumn-saturn-cat-bluebird
File name: HB23090003.7z
Signature: RemcosRAT
File size: 382'034 bytes
First seen: 2023-09-01 12:30:44 UTC
Last seen: Never
File type: 7z
MIME type: application/x-7z-compressed
ssdeep: 6144:iWCtX/C1JMHsN4dSRY6Y2MKtoTSrYCt9nHowHgJI8UO08pPXkknxopt6B7bFR:iWCorOhdSYitgIQXhapYp
TLSH: T1DD8423A48BC3E5A7A9932E07D4C30CEA424C08DA933A509F7F941DF2E2D46557F9B84D
TrID: 57.1% (.7Z) 7-Zip compressed archive (v0.4) (8000/1)
      42.8% (.7Z) 7-Zip compressed archive (gen) (6000/1)
Reporter: cocaman
Tags: 7z


cocaman
Malicious email (T1566.001)
From: ""Martin Keller" <mendez@fekaautomotive.live>" (likely spoofed)
Received: "from mail0.fekaautomotive.live (unknown [208.123.119.145]) "
Date: "1 Sep 2023 10:08:39 -0700"
Subject: "Angebotsanforderung"
Attachment: "HB23090003.7z"

Intelligence


File Origin
# of uploads: 1
# of downloads: 77
Origin country: CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: HB23090003.exe
File size: 601'600 bytes
SHA256 hash: b2d5e15268cb130c995118e17afa1198ca19604a20b91f1907a7ef18210db30f
MD5 hash: 1becaa0726bae1f669da8d39ac13509b
MIME type: application/x-dosexec
Signature: RemcosRAT
Vendor Threat Intelligence

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware packed remcos

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2023-09-01 12:30:49 UTC
File Type: Binary (Archive)
Extracted files: 86
AV detection: 11 of 38 (28.95%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:working rat
Behaviour:
  Suspicious use of SetWindowsHookEx
  Program crash
  Remcos
Malware Config
C2 Extraction: 37.139.129.251:2404

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam | RemcosRAT | 7z | 5450af8cdb916003b5ef00f39783067b58f165ce50417545d09934da358cc0c7 (this sample)

Delivery method: Distributed via e-mail attachment

Comments