MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aaf10709d314a4b8d1c56871e6f83fc52c913384bc5c4c236398e9ceacaa61ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aaf10709d314a4b8d1c56871e6f83fc52c913384bc5c4c236398e9ceacaa61ae
SHA3-384 hash: edebc44dc791a6b9d5b57cfe1f12e2c4a86d25d8eb03d8a294b4cdab113b6c0d55b55355c479be5c5ed08527d91ba17c
SHA1 hash: 58180e9b39873c0c47bdcd3406015c13f4443cc5
MD5 hash: e4d6224c10d76c31030e679936bf4b46
humanhash: missouri-utah-maryland-beryllium
File name:INVOICE_FEB19-888201-2024.Tar
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'310'849 bytes
First seen:2024-02-19 15:34:39 UTC
Last seen:2024-02-19 15:35:17 UTC
File type: rar
MIME type:application/x-rar
ssdeep 24576:10Drvwz6+97nPM/4+fLnNliTWjqLeDWsv/1kwKsv27XrxglexN8H:Qo9VPJEnNUTWjqQW4/1k9svrMNm
TLSH T13B5533BD604A70C21566AF118B8FF84697DFBD81D3520BF3A6DAABC7937650C8E4409C
TrID 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter cocaman
Tags:INVOICE rar RemcosRAT tar


Avatar
cocaman
Malicious email (T1566.001)
From: "Fuji Trading Co., Ltd <sales@seikoen-kiku.co.jp>" (likely spoofed)
Received: "from seikoen-kiku.co.jp (unknown [45.9.168.92]) "
Date: "18 Feb 2024 18:16:13 -0800"
Subject: "Re: REMINDER! INVOICE_FEB19-888201-2024"
Attachment: "INVOICE_FEB19-888201-2024.Tar"

Intelligence

File Origin
# of uploads :
2
# of downloads :
95
Origin country :
CH CH
Vendor Threat Intelligence
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
certutil lolbin masquerade obfuscated ping
Link:
https://www.filescan.io/uploads/65d3752b781f5716463daff0/reports/49670b98-943c-4652-a03a-f5a74d098103/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/aaf10709d314a4b8d1c56871e6f83fc52c913384bc5c4c236398e9ceacaa61ae
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aaf10709d314a4b8d1c56871e6f83fc52c913384bc5c4c236398e9ceacaa61ae/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-02-19 05:26:29 UTC
File Type:
Binary (Archive)
Extracted files:
1
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vlyqocotcsslruofnby6n6b7yuwjcm4exroeyi3dtdu45lfkmgxa._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:remotehost collection persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/240219-t38s4agc31/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Runs ping.exe
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Creates new service(s)
ModiLoader Second Stage
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
127.0.0.1:45671
127.0.0.1:55677
192.3.101.8:55677
192.3.101.8:45671
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aaf10709d314a4b8d1c56871e6f83fc52c913384bc5c4c236398e9ceacaa61ae

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

rar aaf10709d314a4b8d1c56871e6f83fc52c913384bc5c4c236398e9ceacaa61ae

(this sample)

RemcosRAT

Batch (bat) bat 8be97a9c113f3bb0e739c7a0eada8c929df2c750a5f68acf9bb8a2e48bf2acee

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 8be97a9c113f3bb0e739c7a0eada8c929df2c750a5f68acf9bb8a2e48bf2acee
  
Dropping
MD5 760a719d5ef1ba9c35a2eb7a7289cc1f

Comments