MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3a2868d22be2374f1cfc8284d5572350fcd8a69929c3ff476c1323d2eda7139. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 9



SHA256 hash: c3a2868d22be2374f1cfc8284d5572350fcd8a69929c3ff476c1323d2eda7139
SHA3-384 hash: 66b4e795db0b16fac66ca5c9f14c25b196a9a32fadcd0f921fa823d5ca94a991317205776c8d2f7b9fd5b4b542a47fa3
SHA1 hash: a7d2470a01251fd6a6956a51486527b24fc98b45
MD5 hash: 3429b093e26a01a614af1a88720e5124
humanhash: october-maine-two-alpha
File name: INVO98765678000.PDF.ARJ
Signature: RemcosRAT
File size: 658'991 bytes
First seen: 2023-12-22 07:27:38 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 12288:OATPTDk0gnrjEBssLNCqLKKjKNI9fk/2/TEHUWJAVxrRff7VX:OsP3lgnPlsLNCqGKjKOk/2/TRxNfpX
TLSH: T15CE43361BAA2F4A139D7D753F7AD368D14CC19D22265ACC2B8137F2036422252DF9B4F
TrID: 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: cocaman
Tags: arj INVOICE QUOTATION RemcosRAT zip


cocaman
Malicious email (T1566.001)
From: "Muhammad zain<comercial.rspharma@gmail.com>" (likely spoofed)
Received: "from hosted-by.rootlayer.net (unknown [45.137.22.114]) "
Date: "22 Dec 2023 07:17:59 +0100"
Subject: "Quotation invoice"
Attachment: "INVO98765678000.PDF.ARJ"

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 107.175.229.139:8087
ThreatFox reference: https://threatfox.abuse.ch/ioc/1199401/

Intelligence


File Origin
# of uploads: 1
# of downloads: 184
Origin country: CH
File Archive Information

This file archive contains 3 file(s), sorted by their relevance:

File name: deaegyz.exe
File size: 489'472 bytes
SHA256 hash: 148662d819b02305d0eb2c78630e218985ce18529a3729ca1aa4d8926b75e5af
MD5 hash: 49900e1a853294ac5e03deb77c041e08
MIME type: application/x-dosexec
Signature: RemcosRAT

File name: midxwnqijin.ekx
File size: 514'894 bytes
SHA256 hash: 320e5916c90f41b7405e1be314e9abbbe9fd3177874bbaf9748cc7261e794427
MD5 hash: 7d70dc74b5036e3ff3def409ea47f343
MIME type: application/octet-stream
Signature: RemcosRAT

File name: INVO98765678000.BAT
File size: 672'390 bytes
SHA256 hash: 412c4f354965eb514a79001b512c70e8d36e1d443fe599aca0916893eab369ef
MD5 hash: 0058da743288cb67e15afbfcb0ab6e1a
MIME type: application/x-dosexec
Signature: RemcosRAT
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control installer lolbin overlay packed remcos shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name:
Win32.Trojan.NSISInject
Status:
Malicious
First seen:
2023-12-22 05:04:18 UTC
File Type:
Binary (Archive)
Extracted files:
4
AV detection:
18 of 37 (48.65%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:remcos botnet:dollar persistence rat
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Remcos
Malware Config
C2 Extraction:
107.175.229.139:8087
Please note that we are no longer able to provide a coverage score for Virus Total.
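The entry above gives a defender three things to act on: a double-extension lure name (INVO98765678000.PDF.ARJ), an archive member named .BAT whose MIME type is application/x-dosexec (a PE renamed to look like a script), and an extracted C2 socket. The following helpers turn those into checks. This is an added example, not MalwareBazaar's own code or the reporter's submission: the hashes and the C2 are copied from the entry, while the extension lists, the byte string standing in for the renamed executable, and the proxy-style log lines are constructed for illustration and assumed here.

```python
"""Triage helpers built around the indicators listed on this entry.

Added example, not part of MalwareBazaar. The hashes and the C2 socket are copied
from the entry; the extension sets, byte strings and log lines are constructed
assumptions and do not reproduce the real files or any real telemetry.
"""
import hashlib
import re

# Indicators copied from the entry.
SAMPLE_SHA256 = "c3a2868d22be2374f1cfc8284d5572350fcd8a69929c3ff476c1323d2eda7139"
ARCHIVE_MEMBERS = {
    "148662d819b02305d0eb2c78630e218985ce18529a3729ca1aa4d8926b75e5af": "deaegyz.exe",
    "320e5916c90f41b7405e1be314e9abbbe9fd3177874bbaf9748cc7261e794427": "midxwnqijin.ekx",
    "412c4f354965eb514a79001b512c70e8d36e1d443fe599aca0916893eab369ef": "INVO98765678000.BAT",
}
C2_IP, C2_PORT = "107.175.229.139", 8087

# Extension sets are an assumption for this example, not a MalwareBazaar list.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
RISKY_EXTS = {"arj", "zip", "rar", "7z", "iso", "exe", "bat", "cmd", "scr", "js", "vbs"}
PE_EXTS = {"exe", "dll", "scr", "sys", "cpl"}


def double_extension_lure(filename):
    """True for names such as INVO98765678000.PDF.ARJ: a document extension used as
    bait directly in front of an archive or executable extension."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    return parts[1] in DOCUMENT_EXTS and parts[2] in RISKY_EXTS


def extension_mismatch(filename, data):
    """Report a file whose name promises a script or document but whose bytes start
    with the PE 'MZ' magic, as the entry shows for INVO98765678000.BAT
    (MIME type application/x-dosexec despite the .BAT name)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data[:2] == b"MZ" and ext not in PE_EXTS:
        return f"{filename}: extension .{ext} but PE header (MZ)"
    return None


def lookup_hash(data):
    """Return the archive member name if the bytes hash to one of the listed SHA256s."""
    return ARCHIVE_MEMBERS.get(hashlib.sha256(data).hexdigest())


# Constructed proxy/NetFlow-style lines (not real telemetry). Only the first one
# matches the extracted C2 on both IP and port; the third shares the IP only.
CONSTRUCTED_LOGS = [
    "2023-12-22T07:30:01Z src=10.0.0.15 dst=107.175.229.139:8087 proto=tcp bytes=1842",
    "2023-12-22T07:30:02Z src=10.0.0.15 dst=198.51.100.7:443 proto=tcp bytes=5122",
    "2023-12-22T07:31:09Z src=10.0.0.22 dst=107.175.229.139:443 proto=tcp bytes=300",
]
_DST = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\b")


def c2_hits(log_lines, match_port=True):
    """Return the lines whose destination equals the extracted C2. With match_port=False
    the IP alone is enough, which also catches traffic to the C2 host on other ports."""
    hits = []
    for line in log_lines:
        m = _DST.search(line)
        if not m or m.group(1) != C2_IP:
            continue
        if match_port and int(m.group(2)) != C2_PORT:
            continue
        hits.append(line)
    return hits


# Constructed stand-in for the renamed executable: the PE magic followed by padding.
# It deliberately does NOT hash to any of the listed SHA256s.
CONSTRUCTED_PE = b"MZ" + b"\x00" * 62


if __name__ == "__main__":
    print(double_extension_lure("INVO98765678000.PDF.ARJ"))
    print(extension_mismatch("INVO98765678000.BAT", CONSTRUCTED_PE))
    print(lookup_hash(CONSTRUCTED_PE))
    for hit in c2_hits(CONSTRUCTED_LOGS):
        print(hit)
```

Matching on IP and port together follows the config extraction exactly; loosening to IP only (match_port=False) trades false positives for coverage if the operator rotates ports, which is a judgement call to make per environment rather than a property of this sample.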

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
RemcosRAT
zip c3a2868d22be2374f1cfc8284d5572350fcd8a69929c3ff476c1323d2eda7139 (this sample)
Delivery method: Distributed via e-mail attachment
Dropping: RemcosRAT

Comments