MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d01d468b1a708cdd63e86e00990dcb996eca66807175975fd139a3da4ec4b038. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 7


SHA256 hash: d01d468b1a708cdd63e86e00990dcb996eca66807175975fd139a3da4ec4b038
SHA3-384 hash: 12766262e938da6139c4732e1441920570c2d77d3bea015008073493b435addfb195e399d114b8fd344817d8aac64042
SHA1 hash: 19a2b0b2527c076fcf86b82743cb1ce27a8cd97b
MD5 hash: 052f3d1cfc53d1e6b47189f20ebd9250
humanhash: eight-cat-missouri-moon
File name: Attachment.iso
Signature: RemcosRAT
File size: 1'703'936 bytes
First seen: 2022-03-25 13:43:37 UTC
Last seen: Never
File type: iso
MIME type: application/x-iso9660-image
ssdeep: 24576:dTLmKxzGyM4qG2AakO6fjPViDl13PdCLHbW:pl4JbsjItPdCLb
TLSH: T1C8755DBDB2D0D436C02246385D16BF7857B5AE50DD34A902BAECFDD88E31EA13B25253
Reporter: cocaman
Tags: iso RemcosRAT


cocaman
Malicious email (T1566.001)
From: "<<Canada Post Delivery>> canadapost@mailingconfirm.com" (likely spoofed)
Received: "from compassionate-mahavira.206-221-176-154.plesk.page (mail.mail-server-desk.com [206.221.176.154]) "
Date: "Fri, 25 Mar 2022 12:48:40 +0000"
Subject: "Delivery Updated"
Attachment: "Attachment.iso"
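The header fields quoted in the report above carry three signals worth automating: the display name claims a brand (Canada Post) that the sender domain does not belong to, the relay's reverse DNS and HELO name (a Plesk hosting panel name with the IP baked in) have nothing to do with the claimed sender, and the attachment is a disk image rather than a document. The script below is an added example, not code from MalwareBazaar or the reporter: it rebuilds a message from the quoted header values (body and MIME boundary are constructed filler) and applies those checks with the Python standard library. The brand-to-domain table, the container-extension list and the finding wording are my assumptions.

```python
"""Triage the spoofed Canada Post message from the report: added example,
not MalwareBazaar's or the reporter's code. Only stdlib is used."""
import os
import re
from email import message_from_string

# Constructed from the quoted header values; the body and boundary are filler.
RAW_MESSAGE = """\
From: "<<Canada Post Delivery>> canadapost@mailingconfirm.com"
Received: from compassionate-mahavira.206-221-176-154.plesk.page (mail.mail-server-desk.com [206.221.176.154])
Date: Fri, 25 Mar 2022 12:48:40 +0000
Subject: Delivery Updated
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your parcel is waiting.
--b1
Content-Type: application/x-iso9660-image; name="Attachment.iso"
Content-Disposition: attachment; filename="Attachment.iso"

ISO-BYTES-OMITTED
--b1--
"""

# Assumption: brand names seen in display names mapped to the domains that may legitimately use them.
IMPERSONATED_BRANDS = {"canada post": ("canadapost.ca", "canadapost-postescanada.ca")}
# Assumption: disk-image containers that carry executables past mail filters and mark-of-the-web.
CONTAINER_EXTENSIONS = {".iso", ".img", ".vhd", ".vhdx"}


def sender_domain(from_header):
    """Domain of the first address-like token in the From header (regex, not parseaddr,
    because the quoted '<<...>>' form is not a valid RFC 5322 mailbox)."""
    m = re.search(r"[\w.+-]+@([\w.-]+)", from_header)
    return m.group(1).lower() if m else None


def received_relay(received_header):
    """(HELO name, reverse DNS name, IP) from a 'from HELO (rdns [ip])' clause."""
    m = re.match(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)", received_header.strip())
    return m.groups() if m else (None, None, None)


def attachment_names(msg):
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def triage(raw):
    """Return a list of human-readable findings for one raw message."""
    msg = message_from_string(raw)
    findings = []
    from_header = msg["From"] or ""
    dom = sender_domain(from_header)
    helo, rdns, ip = received_relay(msg["Received"] or "")

    # 1. Brand in the display name vs. the domain actually sending.
    for brand, legit in IMPERSONATED_BRANDS.items():
        if brand in from_header.lower() and dom not in legit:
            findings.append("display name claims %r but sender domain is %s" % (brand, dom))

    # 2. The submitting relay does not belong to the sender domain.
    if dom and rdns and not rdns.lower().endswith(dom):
        findings.append("relay %s [%s] is not under sender domain %s" % (rdns, ip, dom))

    # 3. HELO name with a dashed IPv4 embedded (auto-generated hosting-panel rDNS).
    if helo and re.search(r"\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}", helo):
        findings.append("HELO name %s embeds its own IP address" % helo)

    # 4. Disk-image attachment instead of a document.
    for name in attachment_names(msg):
        ext = os.path.splitext(name)[1].lower()
        if ext in CONTAINER_EXTENSIONS:
            findings.append("attachment %s is a %s disk image" % (name, ext))
    return findings


if __name__ == "__main__":
    for finding in triage(RAW_MESSAGE):
        print(finding)
```

Each check is weak on its own (plenty of legitimate mail is relayed from a third-party domain, and `.iso` has benign uses), which is why the function returns the whole list rather than a verdict: the combination of a brand claim, an unrelated hosting-panel relay and a disk-image attachment is what makes this message worth quarantining.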

Intelligence


File Origin
Uploads: 1
Downloads: 180
Origin country: n/a

Vendor Threat Intelligence
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: control.exe keylogger replace.exe

Result
Verdict: SUSPICIOUS
Threat name: Win32.Backdoor.Remcos
Status: Malicious
First seen: 2022-03-25 13:44:17 UTC
File Type: Binary (Archive)
Extracted files: 33
AV detection: 11 of 26 (42.31%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:remotehost persistence rat
Behaviour:
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
flexyval01.hopto.org:2404
flexyval02.hopto.org:2404
flexyval03.hopto.org:2404
flexyval04.hopto.org:2404
flexyval06.hopto.org:2404
flexyval05.hopto.org:2404
flexyval07.hopto.org:2404
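The extracted configuration gives seven sequentially numbered hostnames under the hopto.org dynamic-DNS parent, all on TCP port 2404. The script below is an added example, not MalwareBazaar's code, showing how a detection engineer would turn that list into log matching: it normalises DNS query names (case, trailing dot), matches them against the extracted hosts, and only then treats an outbound connection to port 2404 from the same client as a C2 hit, since the port by itself is too weak a signal. The log lines are constructed in a Zeek-like tab-separated layout. As a generalisation beyond the page's list, it also flags unlisted siblings matching `flexyvalNN.hopto.org`; that the operator keeps registering sequential names is my assumption.

```python
"""Match the Remcos C2 hosts extracted above against DNS and connection logs.
Added example, not MalwareBazaar's code; all log lines are constructed."""
import re
from collections import defaultdict

# C2 hostnames and port from the extracted configuration (flexyval01..07).
C2_HOSTS = {"flexyval%02d.hopto.org" % n for n in range(1, 8)}
C2_PORT = 2404

# Assumption: sequential siblings under the same dynamic-DNS parent belong to the same operator.
SIBLING_PATTERN = re.compile(r"^flexyval\d{2}\.hopto\.org$")

# Constructed Zeek-style dns.log: ts, uid, orig_h, orig_p, resp_h, resp_p, query
DNS_LOG = """\
1648214400.1\tCx1\t10.0.0.15\t51234\t10.0.0.2\t53\tupdate.microsoft.com
1648214401.3\tCx2\t10.0.0.15\t51235\t10.0.0.2\t53\tflexyval01.hopto.org
1648214402.0\tCx3\t10.0.0.15\t51236\t10.0.0.2\t53\tFLEXYVAL02.hopto.org.
1648214405.7\tCx4\t10.0.0.21\t51300\t10.0.0.2\t53\tflexyval09.hopto.org
1648214406.2\tCx5\t10.0.0.30\t51400\t10.0.0.2\t53\tmail.example.net
"""

# Constructed Zeek-style conn.log: ts, uid, orig_h, orig_p, resp_h, resp_p, proto
CONN_LOG = """\
1648214403.0\tCy1\t10.0.0.15\t49811\t203.0.113.9\t2404\ttcp
1648214404.0\tCy2\t10.0.0.15\t49812\t203.0.113.9\t443\ttcp
1648214407.0\tCy3\t10.0.0.30\t49900\t198.51.100.7\t2404\ttcp
"""


def normalize(name):
    """Lower-case and strip the trailing dot so 'FLEXYVAL02.hopto.org.' matches the IOC."""
    return name.rstrip(".").lower()


def classify_query(qname):
    q = normalize(qname)
    if q in C2_HOSTS:
        return "known-c2"
    if SIBLING_PATTERN.match(q):
        return "c2-sibling"
    return None


def scan_dns(log):
    """Every query that resolves a listed C2 host or an unlisted sibling."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, _uid, orig_h, _op, _rh, _rp, query = line.split("\t")
        kind = classify_query(query)
        if kind:
            hits.append({"ts": float(ts), "host": orig_h, "query": normalize(query), "kind": kind})
    return hits


def scan_conn(log, suspect_hosts):
    """Port-2404 connections, but only from clients that already resolved a C2 name."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, _uid, orig_h, _op, resp_h, resp_p, _proto = line.split("\t")
        if int(resp_p) == C2_PORT and orig_h in suspect_hosts:
            hits.append({"ts": float(ts), "host": orig_h, "dst": resp_h})
    return hits


def correlate(dns_log, conn_log):
    """Per-client summary: which C2 names it resolved and which port-2404 peers it reached."""
    dns_hits = scan_dns(dns_log)
    suspects = {h["host"] for h in dns_hits}
    conn_hits = scan_conn(conn_log, suspects)
    by_host = defaultdict(lambda: {"queries": [], "c2_port_connections": []})
    for h in dns_hits:
        by_host[h["host"]]["queries"].append((h["query"], h["kind"]))
    for c in conn_hits:
        by_host[c["host"]]["c2_port_connections"].append(c["dst"])
    return dict(by_host)


if __name__ == "__main__":
    for host, summary in correlate(DNS_LOG, CONN_LOG).items():
        print(host, summary)
```

Because hopto.org is a dynamic-DNS service, the resolved IP can change between captures; matching on the hostname in DNS logs and then correlating by client is more durable than blocking whatever address the sandbox saw on the day.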
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: RemcosRAT, iso d01d468b1a708cdd63e86e00990dcb996eca66807175975fd139a3da4ec4b038 (this sample)

Delivery method: Distributed via e-mail attachment
