MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b859bfbee762e3fdc003bb3b4de9415f3c5e7233736f7f3c931724cc27935a55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 3



SHA256 hash: b859bfbee762e3fdc003bb3b4de9415f3c5e7233736f7f3c931724cc27935a55
SHA3-384 hash: 3124d95fb4711f799a972816f7d62565f60abc3ab7f5144b3c4ce71277c7c06f117ac9786e049ad132fd9f7cb0a9a8ad
SHA1 hash: 4ec4b7d8d4259a42d2650014951e107337f1cace
MD5 hash: 35894f6b66a5886d8d0c76dd2c844830
humanhash: lithium-wolfram-london-sweet
File name: DHL DELIVERY DOCUMENT,pdf.zip
Signature: RemcosRAT
File size: 203'907 bytes
First seen: 2020-06-26 08:00:31 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 3072:BX62BPWerhtUzb5mnhJXv1ZgX6JcqmS5zR4aF1fhtGNmCovImWnqKWhWP:BX6yPWQXKmzXNhrmS5zR4aRVvB2va4
TLSH: D71423772D4DCB116B9C8A6D13B1FCE94302F81469462F4AFCA1B1EDFB4009F44AAC99
Reporter: abuse_ch
Tags: DHL nVpn RAT RemcosRAT zip


abuse_ch
Malspam distributing RemcosRAT:

HELO: corporate.orangemali.net
Sending IP: 197.155.141.42
From: DHL EXPRESS <consignments-notification@dhl.com>
Subject: DHL Shipment Notification
Attachment: DHL DELIVERY DOCUMENT,pdf.zip (contains "DHL DELIVERY DOCUMENT,pdf.exe")

RemcosRAT C2:
jamesanderson68986.ddns.net:1965 (194.5.98.23)

Pointing to nVpn:

% Information related to '194.5.98.0 - 194.5.98.255'

% Abuse contact for '194.5.98.0 - 194.5.98.255' is 'abuse@inter-cloud.tech'

inetnum: 194.5.98.0 - 194.5.98.255
netname: Privacy_Online
descr: Longyearbyen, Svalbard und Jan Mayen
country: SJ
admin-c: RA9926-RIPE
tech-c: RA9926-RIPE
org: ORG-NFAS6-RIPE
status: ASSIGNED PA
mnt-by: inter-cloud-mnt
created: 2019-04-26T16:42:54Z
last-modified: 2020-03-13T23:11:55Z
source: RIPE

Intelligence

File Origin
# of uploads: 1
# of downloads: 74
Origin country: n/a

Vendor Threat Intelligence
Threat name: ByteCode-MSIL.Trojan.SchInject
Status: Malicious
First seen: 2020-06-26 08:02:05 UTC
AV detection: 21 of 31 (67.74%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample, such as delivery method and external references.

Malspam
  RemcosRAT
    zip b859bfbee762e3fdc003bb3b4de9415f3c5e7233736f7f3c931724cc27935a55 (this sample)
      Dropping RemcosRAT

Delivery method: Distributed via e-mail attachment
