MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 af67c6d706b4d05ecce49bb094c8ff46bb25a3cc043d71bc17519dfc01b53a25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
RemcosRAT
Vendor detections: 3
| SHA256 hash: | af67c6d706b4d05ecce49bb094c8ff46bb25a3cc043d71bc17519dfc01b53a25 |
|---|---|
| SHA3-384 hash: | 76c1db3f663b2d5b5bfe00392eccccc7cbd1620779330b782bf04f818ea078241aaf4cd7b382ac2e1c50eaf4527902ac |
| SHA1 hash: | 3466e376a93838a2e75832ca1b82995c1f326214 |
| MD5 hash: | f0ff154c8fff9287e6f287440f5987a0 |
| humanhash: | uncle-undress-angel-mirror |
| File name: | RFQ 20RFQ00106 - ID N°. 04129.cab |
| Download: | download sample |
| Signature | RemcosRAT |
| File size: | 354'662 bytes |
| First seen: | 2021-02-09 12:16:03 UTC |
| Last seen: | Never |
| File type: | rar |
| MIME type: | application/x-rar |
| ssdeep | 6144:N8dKAT2uSOfEULvJYnLh6sz4rk4P0H6/7MTI0BlQGGzC2FPizQL+qK5:N8d5TXvLvOnd/zs0oMgm2BiUa5 |
| TLSH | 957423D4A8E6799DE0DCCB8F192E626208F10F890157780F4F9F72727A44FAC569EB14 |
| Reporter |  abuse_ch |
| Tags: | cab nVpn RAT RemcosRAT |
abuse_ch
Malspam distributing RemcosRAT:From: Balaban Furkan <info@armosan.com.tr>
Subject: RFQ 20RFQ00106 - ID N°. 04129
Attachment: RFQ 20RFQ00106 - ID N°. 04129.cab (contains "RFQ 20RFQ00106 - ID N°. 04129.exe")
RemcosRAT c2:
highwayraider2021.ddns.net:7369 (194.5.98.14)
Pointing to nVpn:
% Information related to '194.5.98.0 - 194.5.98.255'
% Abuse contact for '194.5.98.0 - 194.5.98.255' is 'abuse@privacyfirst.sh'
inetnum: 194.5.98.0 - 194.5.98.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-NO
country: NO
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-04-26T16:42:54Z
last-modified: 2020-10-07T21:35:29Z
source: RIPE
Intelligence
File Origin
# of uploads :
1
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name:
Win32.Infostealer.BestaFera
Status:
Malicious
First seen:
2021-02-09 12:16:10 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
5/5
Detection(s):
Malicious file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
exe Dropping
RemcosRAT
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.