MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 654dcb8cbaca77d6679523c36f44ea656e39a97ce7e4d6f91b089fe8d54f9787. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 4

Intelligence 4 IOCs YARA 2 File information Comments

SHA256 hash:	654dcb8cbaca77d6679523c36f44ea656e39a97ce7e4d6f91b089fe8d54f9787
SHA3-384 hash:	636bd1027d6a149ef7ae22e25306ae29e9285fb879355c5cda694bbb1fcd7c80e2163ddde17858b3db3ecf0ceb73ac2a
SHA1 hash:	9604593411ec85d7ca7ca5e12dad5e626a3fea10
MD5 hash:	2973191282734f786aa482df0bf9bc61
humanhash:	sad-queen-pennsylvania-video
File name:	Payment Slip Invoice 154-pdf.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'188'352 bytes
First seen:	2020-05-20 17:47:12 UTC
Last seen:	2020-05-21 08:04:26 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	bdaba7e33391c6a591b557693e8203c7 (3 x RemcosRAT, 1 x AveMariaRAT)
ssdeep	24576:d01xAsrWCaJ67REfnnaTOs4tYj+RgUmCe/wA3:2cDCdLTOsIovUmCS
Threatray	1'033 similar samples on MalwareBazaar
TLSH	A3459F21F5E28437D273593B9E0B9634A826BF411E3759993ADC3C4CDB7B3423639292
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

Malspam distributing RemcosRAT:

HELO: node.com
Sending IP: 173.82.202.166
From: Anderson K<anderson@tammynpeterson.us>
Subject: Payment for Invoce N.154
Attachment: Payment Slip Invoice 154-pdf.gz (contains "Payment Slip Invoice 154-pdf.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Packer.BorlandDelphi-15

SecuriteInfo.com.Gen.NN.ZelphiCO.34110.iLW@aS5Yzqfi.26874.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Delf

Status:

Malicious

First seen:

2020-05-20 18:35:40 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 31 (87.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=mvg4xdf2zj35mz4vepbw6rhkmvxdtkl447snn6i3bcp6rvkps6dq._file

Verdict:

malicious

Label(s):

remcos

hawkeyekeylogger

emotet

RemcosRAT

3484fffe14e6d045c8a5c568187f686d4479693dadb3fc4631b7d307000b5148

RemcosRAT

82421fe6bfd0fa95f4bc1813c1dbaf3ce1fc505f2e04dafefc653316e0f1f547

RemcosRAT

90ac03fc8e415f4767b91b37351b75c5fce5e1b3b4f7a4b280cde86592c4cdd2

RemcosRAT

b4d2f2e28311317f4e568f4245c251cb0eb314e391223b2077d183e3d0de5738

RemcosRAT

c689edeb2bea45f5a7e6402ba51dc23e40e6c8b509841f60cb3d7327340b9b60

RemcosRAT

c87a719713c51891fa7b0def4b093441934d9f60ef8bd52951e2efb9a030f59c

RemcosRAT

d74d145a490143aa9b5088044bd31e46042dde2522600d119948e7914f1c4a10

RemcosRAT

ec4b8a8c2223163d74c1c9b97e26889074e995beea8e9a78ba3a8a430fde7bd0

RemcosRAT

fd4d0c198aa010dee3d726fe7d7a526725b51404c1684b7df9d520455e5d16ec

RemcosRAT

+ 1'023 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-w6sp4l3cen/

Behaviour

Script User-Agent

Legitimate hosting services abused for malware hosting/C2

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator