MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69cb9d1f83f7200a60d57437451f0ccb30a68a42227b82d68253f24c44b680d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RemcosRAT

Vendor detections: 4

SHA256 hash: 69cb9d1f83f7200a60d57437451f0ccb30a68a42227b82d68253f24c44b680d7
SHA3-384 hash: 80e782b4b95bc2c6b07e984b84a6933aa1593b47139d46059b36732f2de3346d626e19b5507d46dbea1188830c3bd549
SHA1 hash: fe1c4070af53adefa10e7466dca6318de1636aaf
MD5 hash: 7745b58372095b36e16465753de783d4
humanhash: low-johnny-georgia-skylark
File name: 付款凭证04R927.iso
Signature: RemcosRAT
File size: 1'230'848 bytes
First seen: 2020-12-21 07:39:55 UTC
Last seen: Never
File type: iso
MIME type: application/x-iso9660-image
ssdeep: 12288:3MG12n7hCTpSreKFhlbt537Xe0wbd4PkNvfsrciJwUZpA7QHhRI3MgBhKblDR6yd:WsGFrbtA0M+PNciJwapA10
TLSH: 1245CF2439EA901DF273AF755BE47592DAAFF7733B03E45E2084038A4B13941DE92639
Reporter: abuse_ch
Tags: iso nVpn RAT RemcosRAT


abuse_ch
Malspam distributing RemcosRAT:

HELO: vps.kirostip.com
Sending IP: 45.85.90.115
From: han.nguyen <han.nguyen@ascenti.com.vn>
Subject: Reply: Payment Voucher 04R927
Attachment: 付款凭证04R927.iso (contains "付款凭证04R927.exe")

RemcosRAT C2:
mikegrace2020.ddns.net:2991 (79.134.225.9)

Pointing to nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin
# of uploads: 1
# of downloads: 126
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: MALICIOUS
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2020-12-21 07:40:07 UTC
AV detection: 7 of 48 (14.58%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample, such as its delivery method and external references.

Malspam
RemcosRAT
iso 69cb9d1f83f7200a60d57437451f0ccb30a68a42227b82d68253f24c44b680d7 (this sample)
Dropping: RemcosRAT
Delivery method: Distributed via e-mail attachment

Comments