MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5669b1eea4e4f305ea0d6f674e00638dcdb16dd08d15019996ac7f2317fdea41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5669b1eea4e4f305ea0d6f674e00638dcdb16dd08d15019996ac7f2317fdea41
SHA3-384 hash: 0f0c06e5a6e8c990a47e765c786cda18538bff884c49b4a72164ea501bd30bc1045ec18f9b2d9fad22d0c061ed3e800e
SHA1 hash: 54dd0bb96265964d92b189575e962bd7b2eefff4
MD5 hash: 92ecf99136de3ee6374018e9860f0a93
humanhash: summer-freddie-september-coffee
File name:BL-INVOICE SHIPPING DOCUMENTS.zip
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:523'191 bytes
First seen:2022-05-26 10:41:22 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:FXP67FUgjnvyE4v0+ZpV3NmHlXPGGCYFJHpPHFdik+8WPtNVMEmpuhfr:gJFvyE41ZpV3olXPGGCYFJJPH7ijrNAy
TLSH T131B423BAD01F033DC3F45A94D0EB91C48681F52FFB5C8984E4A4ABC16774A67FA96039
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:INVOICE Maersk RemcosRAT Shipping zip


Avatar
cocaman
Malicious email (T1566.001)
From: "MAERSK SHIPPING<marietherese.diouf@msc.com>" (likely spoofed)
Received: "from msc.com (unknown [103.151.123.30]) "
Date: "25 May 2022 13:03:56 -0700"
Subject: "Re: Shipping Advice - ETD 29MAY. 2022"
Attachment: "BL-INVOICE SHIPPING DOCUMENTS.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
279
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.1.28216.17256.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
andromeda control.exe overlay packed remcos shell32.dll wacatac
Link:
https://www.filescan.io/uploads/628f59b73ec49f83a6cd81f7/reports/07016973-0791-48c6-8e21-bb0df6e7c5c9/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/5669b1eea4e4f305ea0d6f674e00638dcdb16dd08d15019996ac7f2317fdea41
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5669b1eea4e4f305ea0d6f674e00638dcdb16dd08d15019996ac7f2317fdea41/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-05-25 16:24:36 UTC
File Type:
Binary (Archive)
Extracted files:
5
AV detection:
19 of 41 (46.34%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kzu3d3ve4tzql2qnn5tu4addrxg3c3oqrukqdgmwvr7sgf755jaq._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:new persistence rat
Link:
https://tria.ge/reports/220526-mrm9paeefm/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
172.111.153.127:3033
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.53
Link:
https://yomi.yoroi.company/submissions/5669b1eea4e4f305ea0d6f674e00638dcdb16dd08d15019996ac7f2317fdea41

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip 5669b1eea4e4f305ea0d6f674e00638dcdb16dd08d15019996ac7f2317fdea41

(this sample)

RemcosRAT

Executable exe 900274d5916f078ac30bedfc6b3bf5812c09de4cc1bdddd4e25d5efa1e3bb1c3

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 900274d5916f078ac30bedfc6b3bf5812c09de4cc1bdddd4e25d5efa1e3bb1c3
  
Dropping
RemcosRAT

Comments