MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f29294e310a4049e2239c5beccb99d4be17c16abca0a7837c89ac45ebbfd865. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 3



SHA256 hash: 7f29294e310a4049e2239c5beccb99d4be17c16abca0a7837c89ac45ebbfd865
SHA3-384 hash: 3da9b444ca1246afb4fa62228e06e2fd0d26181bf35120549570a1a3822bf8b73685c3bde5bd3090e71239b12aac0800
SHA1 hash: 71f3e73c08ab2a3e9592cff138aad948b4628fdf
MD5 hash: 40aa8d77929c5558cf5fafda013b320b
humanhash: alaska-juliet-edward-william
File name: covid-19 New Order.rar
Signature: RemcosRAT
File size: 37'609 bytes
First seen: 2020-03-29 08:19:40 UTC
Last seen: Never
File type: rar
MIME type: application/x-rar
ssdeep: 768:lfJ7I8FB/PEMrR3Zo2H3F4e4kowgMzmB+Y:0ihcM93GuFJ4wgMyd
TLSH: 31F2F1BFF65D41997CC2B5ABD169B1E3FB6DF7CAA574E30F00C9458B163A096006910C
Reporter: abuse_ch
Tags: COVID-19 GuLoader rar RemcosRAT


abuse_ch
COVID-19 themed malspam distributing GuLoader->RemcosRAT:

HELO: 66s.66hosting.net
Sending IP: 162.241.191.203
From: ldiaz <ldiaz@dizar.net>
Subject: URGENT NEW ORDER COVID-19 RAPID PRODUCTS
Attachment: covid-19 New Order.rar (contains: covid-19 New Order.exe)

GuLoader payload URL dropping RemcosRAT:
https://drive.google.com/uc?export=download&id=15LuIHBrj-wA53hulXGu_fVUZhKCw3_3o

RemcosRAT C2:
bunkman.duckdns.org:1556

bunkman.duckdns.org points to 185.165.153.149:

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacy-matters.co'

inetnum: 185.165.153.0 - 185.165.153.255
netname: PRIVACY_MATTERS
remarks: This prefix belongs to a VPN service provider.
remarks: For us the privacy of our customers matters, which means we store no logs
remarks: related to any IP addresses.
remarks: Spamhaus, please note that blacklisting the clean prefixes of our hosting
remarks: partners and upstream providers is an act of coercion and will no longer
remarks: be tolerated.
remarks: Coercion is punishable by a custodial sentence or by a monetary penalty.
remarks: If you continue such practice we will not only take legal actions against
remarks: your organization, but also make such blackmailing attempts public in the
remarks: media.
country: AT

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 85
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Trojan.Injector
Status: Malicious
First seen: 2020-03-29 08:35:29 UTC
AV detection: 18 of 31 (58.06%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropping: GuLoader
Delivery method: Distributed via e-mail attachment

Comments