MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67ac1003054313a24c35d4d431017c1e387ce5b5d2221eafe3997d3ce9d98c0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 3

SHA256 hash: 67ac1003054313a24c35d4d431017c1e387ce5b5d2221eafe3997d3ce9d98c0c
SHA3-384 hash: cda24c96909552240c43f7d45b12d96eb0fed6a23b1da3f539afbd133cfb59862200a85256bea08d2a3d6f15a8dc7c4f
SHA1 hash: 70e35dc3e37c6714277c8b6d9875b40f3fa5f41d
MD5 hash: a867b5b810215bf1c71bfce525c785ca
humanhash: dakota-comet-golf-minnesota
File name: Covid-19.001
Signature: RemcosRAT
File size: 1'245'184 bytes
First seen: 2020-03-30 18:43:27 UTC
Last seen: Never
File type: 001
MIME type: application/x-iso9660-image
ssdeep: 1536:pSqinIaAogvHoGZ64Z/dx0o1bcaeMFWTkMaPIkQDvBm:cqslst6wL0m7RQ0
TLSH: 02450812FA00BCA5DDEC4DB78770CA9C5355BE276A06AA03348C3EDFBBB1250754295B
Reporter: abuse_ch
Tags: COVID-19 GuLoader RemcosRAT udf


abuse_ch
COVID-19 malspam distributing GuLoader->RemcosRAT:

HELO: mta0.veresegyhaz.tk
Sending IP: 161.35.58.139
From: WHO<info@veresegyhaz.tk>
Subject: Re: COVID-19 Relief: How to Access Complimentary Products
Attachment: Covid-19.001 (contains "CHATTING.EXE")

GuLoader payload URL (RemcosRAT):
https://onedrive.live.com/download?cid=CFD8E120D47DF1A4&resid=CFD8E120D47DF1A4%211132&authkey=AFrU_0NCOPZWS7A

RemcosRAT C2:
91.193.75.126:2019

% Information related to '91.193.75.0 - 91.193.75.255'

% Abuse contact for '91.193.75.0 - 91.193.75.255' is 'abuse@kgb-vpn.org'

inetnum: 91.193.75.0 - 91.193.75.255
netname: NON-LOGGING-VPN-SERVICE
descr: Please note that we don't store any user data.
descr: Our main effort is not to make money, but to preserve values like the
descr: freedom of expression, the freedom of press, the right to data protection
descr: and informational self-determination.
descr: We ask all employees of Spamhaus and all self-proclaimed deputy sheriffs
descr: to stop your attacks against us.
country: EU

Intelligence

File Origin
# of uploads: 1
# of downloads: 94
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Injector
Status: Malicious
First seen: 2020-03-30 19:35:31 UTC
File Type: Binary (Archive)
Extracted files: 3
AV detection: 18 of 46 (39.13%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropping: GuLoader
Delivery method: Distributed via e-mail attachment

Comments