MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75923a3d9662a5d5db57fcbba73e1dd2a65d4f8c355f486d615153c01163576c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 4


SHA256 hash: 75923a3d9662a5d5db57fcbba73e1dd2a65d4f8c355f486d615153c01163576c
SHA3-384 hash: ca6d927174be6f1295c35eb3dab14fdcee51a29c847a5717b782b94d7b12e5c37878aba2610c098a2f3862d91c245a7c
SHA1 hash: 7e86cccfaf40cc2a438bfe292b3ce2c9e154e789
MD5 hash: fa36d2a566b870ef9cc7b0ea4cf17014
humanhash: indigo-nitrogen-lemon-vegan
File name: statement.pdf.z
Signature: RemcosRAT
File size: 458'714 bytes
First seen: 2020-08-18 12:04:05 UTC
Last seen: Never
File type: z
MIME type: application/x-rar
ssdeep: 6144:RkI60k95y6dxIGdnALebYGNUo3tgCfonGSuo8xNU+RdyK0GOTtCBh7i8kway9koz:RkVnvn3YKUo3tgq0G84d+IbiFXImuDnl
TLSH: 62A423C13177B886FD7B093C6A46E6DE334F46552CAE1F648D76E80FEA93614F408298
Reporter: abuse_ch
Tags: nVpn RAT RemcosRAT z


abuse_ch
Malspam distributing RemcosRAT:

HELO: server1.englam.com.sg
Sending IP: 103.11.189.83
From: IRAS <tax@iras.com>
Subject: Importance Notice From IRAS.
Attachment: statement.pdf.z (contains "statement.exe")

RemcosRAT C2:
salespaul.hopto.org:24005 (91.193.75.25)

Pointing to nVpn:

% Information related to '91.193.75.0 - 91.193.75.255'
% Abuse contact for '91.193.75.0 - 91.193.75.255' is 'abuse@kgb-vpn.org'

inetnum: 91.193.75.0 - 91.193.75.255
netname: NET-NINAZU
remarks: ------------------------------------------
remarks: * This network is used for a VPN service.
remarks: * No logs are stored in any shape or form.
remarks: ------------------------------------------
country: RU
admin-c: NVS100-RIPE
tech-c: NVS100-RIPE
abuse-c: NVS100-RIPE
mnt-by: NINAZU-MNT
mnt-by: RIPE-NCC-END-MNT
org: ORG-KHd1-RIPE
sponsoring-org: ORG-MW1-RIPE
status: ASSIGNED PI
created: 2012-06-04T11:05:55Z
last-modified: 2020-07-28T21:23:48Z
source: RIPE

Intelligence

File Origin
# of uploads: 1
# of downloads: 65
Origin country: n/a

Vendor Threat Intelligence
Threat name: ByteCode-MSIL.Trojan.Generic
Status: Suspicious
First seen: 2020-08-18 12:06:05 UTC
AV detection: 5 of 48 (10.42%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  RemcosRAT
    z 75923a3d9662a5d5db57fcbba73e1dd2a65d4f8c355f486d615153c01163576c (this sample)

Dropping: RemcosRAT
Delivery method: Distributed via e-mail attachment

Comments