MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e55c2aa8d84e6e7a065a78a916cbb4d03404ef93e742425e2fbc5e771eed5d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT
Vendor detections: 6

SHA256 hash: 8e55c2aa8d84e6e7a065a78a916cbb4d03404ef93e742425e2fbc5e771eed5d3
SHA3-384 hash: 505d1eff2ac636b4b11538b4ed4f6ea92d9b0e51ad28b73ee0d15a491ddafc53f610757c43656ce225ad86826be723a6
SHA1 hash: f49ee91c9f8294eeb38ab72b0ace5eb3c2fbc8e9
MD5 hash: e8ad16abd488ff9d5a0bab08316bee19
humanhash: robin-twenty-salami-ohio
File name: Attachment.iso
Signature: RemcosRAT
File size: 1'507'328 bytes
First seen: 2022-03-05 16:15:12 UTC
Last seen: 2022-04-20 10:25:31 UTC
File type: iso
MIME type: application/x-iso9660-image
ssdeep: 12288:CQXbVWn5JSVgxB6IHeHMHOPrK56eXloSE2p8VMiqCGTNJ:HXxuagxB6IHesYrqTySE2p8V/nG
TLSH: T1FB655A52B16988F6C4162A398C6B826454AA7E307E396D4736D43F0D7FBF2C03D2D993
Reporter: cocaman
Tags: DHL iso RemcosRAT


cocaman
Malicious email (T1566.001)
From: "Dhl Customer Support" <delivery@logisticsmailissue.me> (likely spoofed)
Received: "from postfix-inbound-v2-5.inbound.mailchannels.net (inbound-egress-5.mailchannels.net [199.10.31.237])"
Date: "Sat, 05 Mar 2022 09:19:56 +0000"
Subject: "DHL Delivery Attempted"
Attachment: "Attachment.iso"

Intelligence

File Origin
# of uploads: 2
# of downloads: 228
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: MALICIOUS
Threat name: Win32.Trojan.Woreflint
Status: Malicious
First seen: 2022-03-05 16:16:14 UTC
File Type: Binary (Archive)
Extracted files: 64
AV detection: 16 of 26 (61.54%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:remotehost persistence rat
Behaviour:
  Suspicious use of WriteProcessMemory
  Program crash
  Adds Run key to start application
  Remcos
Malware Config
C2 Extraction:
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

Additional information about this malware sample, such as delivery method and external references:

Malspam
RemcosRAT
iso 8e55c2aa8d84e6e7a065a78a916cbb4d03404ef93e742425e2fbc5e771eed5d3 (this sample)

Delivery method: Distributed via e-mail attachment
