MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac120fadb0fde46db30df42a52a0b65d34fa6621fa13f18c11b5fe93626dcf6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac120fadb0fde46db30df42a52a0b65d34fa6621fa13f18c11b5fe93626dcf6d
SHA3-384 hash: cccb1dc404c770342d6b2de99e648ade3bc1c6667fba7d9fdcfdb7105560bc8c34555f5f99d807f075db34a82eccb70a
SHA1 hash: 5af2fe2708ae8262491629e19a25c80019ceed32
MD5 hash: 4e33a373b21438a477269d5a126291c4
humanhash: table-lima-butter-indigo
File name:Resit DHL 8897209547, pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:406'528 bytes
First seen:2020-06-10 06:17:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'631 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:Xc5KalBldKk51U6fE5FCl2AGYYZLytEGxIERH1442N+u:Xc5Ku91U6feKviL
Threatray 4'069 similar samples on MalwareBazaar
TLSH 4B846A9C7651BADFC827CD778A982C64AA207477830BD203A41719ED9A4DADBCF141F3
Reporter abuse_ch
Tags:DHL exe RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: vps.inebenthe.com
Sending IP: 45.95.169.158
From: DHL Express Cargo <delivery@dhl.com>
Subject: Penghantaran barang DHL
Attachment: Resit DHL 8897209547, pdf.iso (contains "Resit DHL 8897209547, pdf.exe")

RemcosRAT C2:
egommbute2020.ddns.net:7171 (185.19.85.135)


% Information related to '185.19.84.0 - 185.19.85.255'

% Abuse contact for '185.19.84.0 - 185.19.85.255' is 'abuse@datawire.ch'

inetnum: 185.19.84.0 - 185.19.85.255
netname: DATAWIRE-DATACENTERS
descr: CUSTOMERS ZG01
country: CH
admin-c: DA4314-RIPE
tech-c: DA4314-RIPE
status: ASSIGNED PA
mnt-by: DATAWIRE-NOC
created: 2013-09-23T14:18:55Z
last-modified: 2013-09-23T14:18:55Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
61
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.fc.26355.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-06-10 06:19:05 UTC
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vqja7lnq7xsg3myn6qvffifwlu2puzrb7ij7ddarwx7jgytnz5wq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
013272a7f6fd9926e268e175cfeb2bcb0aeab1573a68693c872a119bfdfa4402
RemcosRAT
667d35d2cff2979ca84df0afe1eca6c164e1d919b989e16b97166c7a30c77a87
RemcosRAT
6d6c5f16e0a786ca6fd218be24a98fe8ea46b6d73fa77a84e31b22717d81aad8
RemcosRAT
738ea925d9f26dc03c18efd41de5e310285a36eef0147e7767a25dcf3fb1b24d
RemcosRAT
7d6b63c5a80035e7823a17dc7493048dbf0bdd33110ae9df169a3bcee02527b9
RemcosRAT
93c327b46d6354a91a9b20311a2f1e1873e132765816ec26443eb1971ccd2946
RemcosRAT
af1cf572150e95fd75306a13eb3d2306e1e1fb4ef6c238f53f30f2525389e07b
RemcosRAT
b8a03fd14b3a3695af8b6c781eb946214a98986279678c6b2a477f22ba1ac3cf
RemcosRAT
ce9eea7daa40294ea32ee596e1a88ec5e6301ed44e08420ec9ab6bb5d810846a
RemcosRAT
f9441d3651d67748ec1a2fd325ea1aa9d914208c7fae0853e5b769e52e66ccb8
RemcosRAT
+ 4'059 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat
Link:
https://tria.ge/reports/201109-nhbn2xv6r2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
egommbute2020.ddns.net:7171
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

iso 44beaae082739aac29ed63bf2624d2b3eb5fc407ff988374df481647fab01638

RemcosRAT

Executable exe ac120fadb0fde46db30df42a52a0b65d34fa6621fa13f18c11b5fe93626dcf6d

(this sample)

  
Dropped by
MD5 ef33de31362e7d20ffb6c64a0eede122
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 44beaae082739aac29ed63bf2624d2b3eb5fc407ff988374df481647fab01638

Comments