MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c73e3c81e8b239aa9180b85ef86db00e3c8a9ad9c14469de56c273457ef3744e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 6


Intelligence 6 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c73e3c81e8b239aa9180b85ef86db00e3c8a9ad9c14469de56c273457ef3744e
SHA3-384 hash: acc751d61d2ce12319b02d9722bc350277a4c77be81043f5d1f6125aaad83ed50529214f87ad026e8003682a0eaf78d1
SHA1 hash: dfcf77cc72f463a208ef037659b3b5819373e8da
MD5 hash: 882eae9db1263720e6642e99db0c3fe9
humanhash: mississippi-tennis-sink-beryllium
File name:FedEx 00237794891929_MI_20239002382_pdf.rar
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:468'885 bytes
First seen:2023-05-11 06:24:55 UTC
Last seen:2023-05-11 06:44:12 UTC
File type: rar
MIME type:application/x-rar
ssdeep 12288:EC2du0kLYiu3h3IKkHbQGT1sqNSHh10hAGy/UA3wV0eF4jPGL:pFLNmbysxHzmcUAgOC4juL
TLSH T153A423CD802E67DDBF547C8AD85ED1BCBE46BFD9318BD1B967CB780A41A8624F540280
TrID 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter cocaman
Tags:rar RemcosRAT


Avatar
cocaman
Malicious email (T1566.001)
From: "FedEx Notification <fedex.orders03@mail.com>" (likely spoofed)
Received: "from [45.81.243.199] (unknown [45.81.243.199]) "
Date: "11 May 2023 01:55:25 +0200"
Subject: "Delivery #2088302238 Required Information"
Attachment: "FedEx 00237794891929_MI_20239002382_pdf.rar"

Intelligence

File Origin
# of uploads :
6
# of downloads :
148
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:FedEx 00237794891929_MI_20239002382_pdf.exe
File size:484'278 bytes
SHA256 hash: cf8056e691bd5d73dbffedb8228a1cb2bee27791633c7cf2114041112f66b93d
MD5 hash: f1ebe62c0ab6fc311d1e02faf85b0c58
MIME type:application/x-dosexec
Signature RemcosRAT
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27382.Rar5Heur.UNOFFICIAL
Create hunting rule

Result
Verdict:
Unknown
File Type:
PE File
Link:
https://app.docguard.net/c73e3c81e8b239aa9180b85ef86db00e3c8a9ad9c14469de56c273457ef3744e/results/dashboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo nemesis overlay packed remcos shell32.dll
Link:
https://www.filescan.io/uploads/645c8a414427eddb118c0963/reports/b7be607b-d3c0-4a0e-8239-8ac51f4203b2/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/c73e3c81e8b239aa9180b85ef86db00e3c8a9ad9c14469de56c273457ef3744e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c73e3c81e8b239aa9180b85ef86db00e3c8a9ad9c14469de56c273457ef3744e/
Threat name:
Win32.Trojan.ZmutzyPong
Create hunting rule
Status:
Malicious
First seen:
2023-05-11 02:37:21 UTC
File Type:
Binary (Archive)
Extracted files:
4
AV detection:
19 of 37 (51.35%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y47dzapiwi42vemaxbppq3nqby6ivgwzyfcgtxswyjzuk7xtorha._file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

rar c73e3c81e8b239aa9180b85ef86db00e3c8a9ad9c14469de56c273457ef3744e

(this sample)

RemcosRAT

Executable exe cf8056e691bd5d73dbffedb8228a1cb2bee27791633c7cf2114041112f66b93d

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 cf8056e691bd5d73dbffedb8228a1cb2bee27791633c7cf2114041112f66b93d
  
Dropping
RemcosRAT
  
Dropping
MD5 f1ebe62c0ab6fc311d1e02faf85b0c58

Comments