MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c84f0e2ebe0acee753051a837057e379323311cda4a31a16781db7ba4d0d9251. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT
Vendor detections: 5



SHA256 hash: c84f0e2ebe0acee753051a837057e379323311cda4a31a16781db7ba4d0d9251
SHA3-384 hash: 2d0f5d232d56f941c1b334a868da3f0950f2ae10b6de693bcdb65cafaf7d730b6b604c11c39b6e07aa89e26787a899d8
SHA1 hash: a0e2ab3afc4e92068887fe0dd52ef130264b3af2
MD5 hash: 1915a376d878521af55bb252e6a0ebb5
humanhash: edward-king-summer-venus
File name: Attachment.iso
Signature: RemcosRAT
File size: 1'441'792 bytes
First seen: 2021-09-07 05:29:34 UTC
Last seen: Never
File type: iso
MIME type: application/x-iso9660-image
ssdeep: 12288:5LUwnIaDC0hJxObWyRSIySFtzzZ6/S47G/61L/riV6szYOgI:5LTnIGhJsJAp6N0Pjre6iY
TLSH: T130657C65A7C814FBF0212E7D8D1AB28730293B4137A5CC925FDC5D863E31AA2693E54F
Reporter: cocaman
Tags: DHL, iso, RemcosRAT


cocaman
Malicious email (T1566.001)
From: "Dhl Customer Support <info@deliveryphl.com>" (likely spoofed)
Received: "from mail.deliveryphl.com (hwsrv-903891.hostwindsdns.com [192.236.178.159]) "
Date: "Mon, 06 Sep 2021 09:02:58 -0700"
Subject: "Order Delivery Failed"
Attachment: "Attachment.iso"
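
The reporter's note above quotes the From, Received, Date and Subject headers and names the ISO attachment. The script below is an added example, not code from MalwareBazaar or from the reporter: it reconstructs a message with those headers, then does the triage a responder would do on the raw .eml, checking whether the first relay's reverse DNS belongs to the claimed sender domain (the spoof heuristic behind "likely spoofed"), hashing every attachment, and verifying the ISO 9660 signature instead of trusting the .iso extension. The attachment body is a constructed stand-in (a zero-filled image with only the volume-descriptor signature), so its hashes do not match the sample's; the recipient address, the receiving host mx.example.invalid and the CONTAINER_EXTENSIONS policy list are assumptions.

```python
"""Triage of a malspam e-mail carrying an ISO attachment (added example)."""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Assumed local policy: extensions Windows mounts as a virtual drive instead of
# opening as a document, so an e-mail gateway should treat them like executables.
CONTAINER_EXTENSIONS = {".iso", ".img", ".vhd", ".vhdx"}

# "from <helo> (<reverse-dns> [<ip>])" as written by most MTAs; whitespace-tolerant
# because the header may have been folded across lines.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9a-f.:]+)\]\)", re.I)

# Constructed attachment body, NOT the real Attachment.iso: ISO 9660 places the
# first volume descriptor at byte 0x8000, a type byte followed by "CD001".
SAMPLE_ATTACHMENT_BYTES = b"\x00" * 0x8000 + b"\x01CD001\x01" + b"\x00" * 2041


def build_sample_message() -> bytes:
    """Reconstruct the quoted message as raw RFC 5322 bytes (constructed, not the captured e-mail)."""
    msg = EmailMessage()
    msg["Received"] = ("from mail.deliveryphl.com (hwsrv-903891.hostwindsdns.com "
                       "[192.236.178.159]) by mx.example.invalid; "
                       "Mon, 06 Sep 2021 09:03:01 -0700")  # receiving side is assumed
    msg["From"] = "Dhl Customer Support <info@deliveryphl.com>"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Order Delivery Failed"
    msg["Date"] = "Mon, 06 Sep 2021 09:02:58 -0700"
    msg.set_content("Your parcel could not be delivered. Open the attachment for details.")
    msg.add_attachment(SAMPLE_ATTACHMENT_BYTES, maintype="application",
                       subtype="x-iso9660-image", filename="Attachment.iso")
    return msg.as_bytes()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_iso9660(data: bytes) -> bool:
    """Check the volume-descriptor signature rather than the file extension."""
    return len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001"


def triage(raw: bytes) -> dict:
    """Return sender, relay hops, attachment hashes and a list of findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    from_domain = sender.domain.lower()

    def in_sender_domain(host: str) -> bool:
        return host == from_domain or host.endswith("." + from_domain)

    hops = []
    for received in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(str(received).split()))
        if m:
            hops.append({"helo": m.group(1).lower(), "rdns": m.group(2).lower(), "ip": m.group(3)})

    findings = []
    # Spoof heuristic: the relay greets with the sender's domain, but its reverse
    # DNS belongs to someone else (here a generic hosting-provider hostname).
    if hops and in_sender_domain(hops[0]["helo"]) and not in_sender_domain(hops[0]["rdns"]):
        h = hops[0]
        findings.append(f"helo {h['helo']} claims {from_domain} but rDNS is {h['rdns']} ({h['ip']})")

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        info = {
            "name": name,
            "content_type": part.get_content_type(),
            "size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": sha256_hex(data),
            "iso9660_magic": is_iso9660(data),
        }
        attachments.append(info)
        if ext in CONTAINER_EXTENSIONS:
            findings.append(f"disk-image attachment {name} ({info['content_type']}, {info['size']} bytes)")
        if ext == ".iso" and not info["iso9660_magic"]:
            findings.append(f"{name} has an .iso extension but no ISO 9660 signature")

    return {
        "from": str(sender),
        "from_domain": from_domain,
        "subject": str(msg["Subject"]),
        "hops": hops,
        "attachments": attachments,
        "findings": findings,
    }


if __name__ == "__main__":
    report = triage(build_sample_message())
    for hop in report["hops"]:
        print("hop:", hop)
    for att in report["attachments"]:
        print("attachment:", att["name"], att["sha256"])
    for finding in report["findings"]:
        print("finding:", finding)
```

The hashes the script prints for a real message can be looked up directly against the SHA256/SHA1/MD5 values in the entry above; the rDNS check is a heuristic only, since a sender can legitimately relay through a hosting provider, which is why the reporter says "likely" spoofed.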

Intelligence


File Origin
# of uploads: 1
# of downloads: 124
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Backdoor.Remcos
Status: Malicious
First seen: 2021-09-06 16:12:38 UTC
File Type: Binary (Archive)
Extracted files: 43
AV detection: 10 of 28 (35.71%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:remotehost persistence rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
freelife.hopto.org:2404
freelife1.hopto.org:2404
freelife2.hopto.org:2404
freelife01.hopto.org:2404
freelife3.hopto.org:2404
freelife4.hopto.org:2404
freelife5.hopto.org:2404
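
The seven extracted C2 names all resolve through the same free dynamic-DNS zone and share one numbered stem, which is what a hunt should key on. The script below is an added example, not part of the MalwareBazaar page or of the Remcos configuration extractor: only the hostnames and port 2404 come from the entry. It runs over constructed Zeek-style dns.log and conn.log lines, flags lookups of the listed names, pivots on the answered IPs to find the TCP sessions to them on 2404 (including from a host whose own DNS lookup was not logged), and, as a generalisation beyond the extracted list, flags sibling names with the same stem under the same zone. The log lines, timestamps, UIDs, internal hosts and the resolved addresses in the documentation range 198.51.100.0/24 are all constructed; the hopto.org zone handling is an assumption about how the operator names infrastructure.

```python
"""Retro-hunt for the Remcos C2 names above in DNS and connection logs (added example)."""
import json
from collections import defaultdict

# host -> port, as extracted from the sample's configuration on the page
C2_HOSTS = {
    "freelife.hopto.org": 2404,
    "freelife1.hopto.org": 2404,
    "freelife2.hopto.org": 2404,
    "freelife01.hopto.org": 2404,
    "freelife3.hopto.org": 2404,
    "freelife4.hopto.org": 2404,
    "freelife5.hopto.org": 2404,
}
C2_PORTS = set(C2_HOSTS.values())
DYNDNS_SUFFIXES = (".hopto.org",)  # assumption: the dynamic-DNS zone the config uses

# Constructed log excerpt (Zeek JSON). Resolved IPs are in TEST-NET-2, not real indicators.
SAMPLE_DNS_LOG = """
{"ts": 1630944100.1, "id.orig_h": "10.0.0.25", "query": "freelife2.hopto.org", "qtype_name": "A", "answers": ["198.51.100.23"]}
{"ts": 1630944100.3, "id.orig_h": "10.0.0.25", "query": "www.dhl.com", "qtype_name": "A", "answers": ["198.51.100.200"]}
{"ts": 1630944120.0, "id.orig_h": "10.0.0.25", "query": "freelife6.hopto.org", "qtype_name": "A", "answers": ["198.51.100.77"]}
{"ts": 1630944500.0, "id.orig_h": "10.0.0.31", "query": "freelife01.hopto.org", "qtype_name": "A", "answers": ["198.51.100.23"]}
"""
SAMPLE_CONN_LOG = """
{"ts": 1630944101.0, "uid": "C1", "id.orig_h": "10.0.0.25", "id.resp_h": "198.51.100.23", "id.resp_p": 2404, "proto": "tcp", "conn_state": "SF"}
{"ts": 1630944102.0, "uid": "C2", "id.orig_h": "10.0.0.25", "id.resp_h": "198.51.100.200", "id.resp_p": 443, "proto": "tcp", "conn_state": "SF"}
{"ts": 1630944510.0, "uid": "C3", "id.orig_h": "10.0.0.31", "id.resp_h": "198.51.100.23", "id.resp_p": 2404, "proto": "tcp", "conn_state": "S0"}
{"ts": 1630944600.0, "uid": "C4", "id.orig_h": "10.0.0.40", "id.resp_h": "198.51.100.23", "id.resp_p": 2404, "proto": "tcp", "conn_state": "SF"}
"""


def parse_jsonl(text: str) -> list:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def c2_stems() -> set:
    """'freelife' from freelife1/freelife01/...: the operator numbers a single stem."""
    return {h.split(".")[0].rstrip("0123456789") for h in C2_HOSTS}


def classify_query(name: str):
    """'c2' for a listed name, 'c2-sibling' for an unlisted name with the same stem and zone."""
    name = name.lower().rstrip(".")
    if name in C2_HOSTS:
        return "c2"
    if name.endswith(DYNDNS_SUFFIXES) and name.split(".")[0].rstrip("0123456789") in c2_stems():
        return "c2-sibling"  # heuristic: likely a config variant not in the extracted list
    return None


def hunt(dns_text: str, conn_text: str) -> list:
    """Flag DNS lookups of C2 names, then pivot on the answered IPs to find the sessions."""
    resolved = defaultdict(set)  # answered IP -> names it was returned for
    hits = []
    for rec in parse_jsonl(dns_text):
        kind = classify_query(rec["query"])
        if kind:
            name = rec["query"].lower().rstrip(".")
            hits.append({"type": kind, "host": rec["id.orig_h"], "name": name, "ts": rec["ts"]})
            for ip in rec.get("answers", []):
                resolved[ip].add(name)
    for rec in parse_jsonl(conn_text):
        ip, port = rec["id.resp_h"], rec["id.resp_p"]
        # A session to a learned C2 address on the C2 port counts even when this
        # host's own lookup was not captured (cached resolver, missing dns.log).
        if ip in resolved and port in C2_PORTS:
            hits.append({"type": "conn", "host": rec["id.orig_h"], "ip": ip, "port": port,
                         "names": sorted(resolved[ip]), "state": rec["conn_state"], "uid": rec["uid"]})
    return hits


def affected_hosts(hits: list) -> list:
    return sorted({h["host"] for h in hits})


if __name__ == "__main__":
    results = hunt(SAMPLE_DNS_LOG, SAMPLE_CONN_LOG)
    for hit in results:
        print(hit)
    print("hosts to isolate:", affected_hosts(results))
```

A conn_state of S0 (SYN sent, no reply) still matters: it shows the implant beaconing while the C2 was down, which is the usual state of a dynamic-DNS name between operator sessions.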

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: RemcosRAT
  iso c84f0e2ebe0acee753051a837057e379323311cda4a31a16781db7ba4d0d9251 (this sample)

Delivery method: Distributed via e-mail attachment
Dropping: RemcosRAT

Comments