MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd79d734bb0687a497d46e32d4880c00581a5b64c2e9e5e89cb09c135fbc55fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 7


Intelligence 7 IOCs 1 YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd79d734bb0687a497d46e32d4880c00581a5b64c2e9e5e89cb09c135fbc55fa
SHA3-384 hash: 0016b7f83a10a990d2601135fedc1cae2289ba3669c7527d95b50c4b10c6c93160989e4a98391c4e9a5f71f7686c5c7e
SHA1 hash: 279d12a54f54be87719fab5a9ce0776b5cf74783
MD5 hash: 177eaa709271367e113b1ac8fb9385b5
humanhash: sixteen-freddie-hawaii-violet
File name:Invoice and Packing.gz
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:344'436 bytes
First seen:2023-01-09 10:46:30 UTC
Last seen:2023-01-09 12:44:41 UTC
File type: gz
MIME type:application/x-rar
ssdeep 6144:UkrqN5T9gg08Xu6WNWyJib4r6seKFIZMk6X1z2esggUTMaEtyV0c1:u5GGWxM46seQJ23UTbXP1
TLSH T1DD7423A851C0FA26F2065E75AD7E8FF20A979D1F0DC160C494700AA349E9BF32FE6471
TrID 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter cocaman
Tags:gz INVOICE RemcosRAT


Avatar
cocaman
Malicious email (T1566.001)
From: "=?UTF-8?B?5Y+y5Li954OC?= <ec07@yoau.cn>" (likely spoofed)
Received: "from yoau.cn (unknown [194.146.24.208]) "
Date: "09 Jan 2023 12:45:13 +0200"
Subject: "Invoice and Packing list Attached"
Attachment: "Invoice and Packing.gz"

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.5.98.63:2404 https://threatfox.abuse.ch/ioc/1067263/

Intelligence

File Origin
# of uploads :
87
# of downloads :
118
Origin country :
n/a
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:InvoiceandPacking09876545678909876545678987 .exe
File size:751'104 bytes
SHA256 hash: b72a8753d475c079cec084dc32cf8addec72b670d4cd094f67900d73781cace1
MD5 hash: c926b1d5c1e941381c4809c5776b6ba9
MIME type:application/x-dosexec
Signature RemcosRAT
Vendor Threat Intelligence
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger packed
Link:
https://www.filescan.io/uploads/63bbf0a7a66e2eb29738015a/reports/54daa5f9-2be0-48f7-8847-5385522ed9e2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cd79d734bb0687a497d46e32d4880c00581a5b64c2e9e5e89cb09c135fbc55fa/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-01-08 21:22:38 UTC
File Type:
Binary (Archive)
Extracted files:
27
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zv45onf3a2d2jf6unyznjcamabmbuw3eylu6l2e4wcobgx54kx5a._file
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader trojan
Link:
https://tria.ge/reports/230109-p3gmdshf6s/
Behaviour
ModiLoader Second Stage
ModiLoader, DBatLoader
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/cd79d734bb0687a497d46e32d4880c00581a5b64c2e9e5e89cb09c135fbc55fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:win_dbatloader_g1
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Description:targets stager
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

gz cd79d734bb0687a497d46e32d4880c00581a5b64c2e9e5e89cb09c135fbc55fa

(this sample)

RemcosRAT

Executable exe b72a8753d475c079cec084dc32cf8addec72b670d4cd094f67900d73781cace1

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 b72a8753d475c079cec084dc32cf8addec72b670d4cd094f67900d73781cace1
  
Dropping
RemcosRAT

Comments