MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab98a78665b6c28cd761be1c6b82017c3e0747285f272956397661383013e7e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 7

SHA256 hash: ab98a78665b6c28cd761be1c6b82017c3e0747285f272956397661383013e7e0
SHA3-384 hash: 00e0d7ed91cd759a3dd993c77e8c284be1f57527c9f0f6a89d62215dfa7bac524561a313d22c698fe848e6e1c6165734
SHA1 hash: 9a54608a6a26aa6cf6797b0268e295714258dab8
MD5 hash: 3644e9886531420d6480a2afb09f420b
humanhash: mobile-magnesium-fruit-delta
File name: RFQ_NEW ORDER INQUIRY.ARJ
Signature: RemcosRAT
File size: 856'990 bytes
First seen: 2024-01-30 16:18:23 UTC
Last seen: Never
File type: arj
MIME type: application/x-rar
ssdeep: 24576:dU677c+2YbciXCB6hC+H07yEuJ/DJeOOIWw:dZgziciXCB6hC+U7yE8MO9
TLSH: T1F10533EA2F427551D66333C46E9619F39FA034893DC47992E4A5CBD7FE27202B6081E3
TrID: 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1); 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter: cocaman
Tags: arj RemcosRAT RFQ


cocaman
Malicious email (T1566.001)
From: "Highstar Contracting LLC <engineers@highstar.ae>" (likely spoofed)
Received: "from [194.33.191.107] (unknown [194.33.191.107]) "
Date: "30 Jan 2024 18:18:16 -0800"
Subject: "New Order-Inquiry "
Attachment: "RFQ_NEW ORDER INQUIRY.ARJ"

Intelligence


File Origin
# of uploads: 1
# of downloads: 98
Origin country: CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: RFQ_NEW ORDER INQUIRY.exe
File size: 915'456 bytes
SHA256 hash: 930de6b7369a7c5b68405b1873f531a0df45101717631afe651dd8ab3bbee8ef
MD5 hash: 7b95bd97c6282f65eee7eab6097957f4
MIME type: application/x-dosexec
Signature: RemcosRAT
Vendor Threat Intelligence

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: autoit fingerprint keylogger lolbin masquerade packed packed packed shell32 upx

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: Script-AutoIt.Trojan.Zmutzy
Status: Malicious
First seen: 2024-01-30 16:18:27 UTC
File Type: Binary (Archive)
Extracted files: 17
AV detection: 15 of 24 (62.50%)
Threat level: 5/5

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SUSP_Imphash_Mar23_3
Author: Arnim Rupp (https://github.com/ruppde)
Description: Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference: Internal Research

Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
RemcosRAT: arj ab98a78665b6c28cd761be1c6b82017c3e0747285f272956397661383013e7e0 (this sample)
Delivery method: Distributed via e-mail attachment
