MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a0e01967f1ac51c2460b37ecc814b043e240e7613d9ddcd6699116fdbd54a33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a0e01967f1ac51c2460b37ecc814b043e240e7613d9ddcd6699116fdbd54a33
SHA3-384 hash: 764e01b1b91fc2d6dc3f5e5c8ac97160d7cb7fe3362b74f40cefb3c40a16502f9c3b73a987a7558936e527507b49fbdd
SHA1 hash: caa58eb0e84c893c46892cc5477b7af7490cb24a
MD5 hash: e510f87a7d3c89575411132d19c330c1
humanhash: hotel-minnesota-red-winner
File name:Shipping document PL and BL0070,pdf.iso
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'331'200 bytes
First seen:2020-12-22 07:29:38 UTC
Last seen:Never
File type: iso
MIME type:application/x-iso9660-image
ssdeep 24576:lLz7dLEioY4zFrW1jYr8FQY8H4sUaAzwB:l5SzVW9YavK1Uar
TLSH C9556B6835E9719FE473DD729AE82CA4EE9ABD73530B81475013228D8B3ED42CF501B6
Reporter abuse_ch
Tags:DHL iso nVpn RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: mail10.promptcheng.com
Sending IP: 164.90.152.139
From: DHL Express <delivery@dhl.com>
Subject: Your DHL Delivery exception -Friday, December 18, 2020
Attachment: Shipping document PL and BL0070,pdf.iso (contains "Shipping document PL and BL0070,pdf.exe")

RemcosRAT C2:
graceman2021.ddns.net:1717 (185.244.30.22)

Pointing to nVpn:

% Information related to '185.244.30.0 - 185.244.30.255'

% Abuse contact for '185.244.30.0 - 185.244.30.255' is 'abuse@privacyfirst.sh'

inetnum: 185.244.30.0 - 185.244.30.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-HU
country: HU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-10-29T14:10:27Z
last-modified: 2020-10-07T21:39:48Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
336
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Iso_badexts72.UNOFFICIAL
Create hunting rule

Result
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a0e01967f1ac51c2460b37ecc814b043e240e7613d9ddcd6699116fdbd54a33/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-12-22 02:15:02 UTC
AV detection:
21 of 46 (45.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pihadft7dlcryjdawn7mzaklaq7cidtwcpm53tlgteiw7w6vjizq._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/7a0e01967f1ac51c2460b37ecc814b043e240e7613d9ddcd6699116fdbd54a33

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

iso 7a0e01967f1ac51c2460b37ecc814b043e240e7613d9ddcd6699116fdbd54a33

(this sample)

RemcosRAT

Executable exe b4156e553eb5b0bad1d240dd170820106d6ca6bc0d1984a9d09030864349d964

  
Dropping
MD5 fea95783acab7e5d4404358fd26e2c43
  
Dropping
RemcosRAT
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 b4156e553eb5b0bad1d240dd170820106d6ca6bc0d1984a9d09030864349d964

Comments