MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d451ccbf03a26ade8ebf9ac8ab623025dd3148b45dd1bfc85e5761e13226308d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 3


Intelligence 3 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d451ccbf03a26ade8ebf9ac8ab623025dd3148b45dd1bfc85e5761e13226308d
SHA3-384 hash: 6f905c693f6b7d9119f89873ebdc04e80136f8e289a6ff93fdf50413d6595a6fcbfb498b5b31a9861e6f0f5b6f9c4a5c
SHA1 hash: 286e9389e7ba7ca503c383989ae8b37bd35fcef2
MD5 hash: a162f390c06775db352e460cf39938dc
humanhash: twenty-salami-venus-cardinal
File name:2054956719,pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:920'064 bytes
First seen:2020-05-19 06:08:20 UTC
Last seen:2020-05-19 07:13:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a60eeb16c5e8e15ff22c79959616ed49 (4 x RemcosRAT)
ssdeep 12288:7dvX6zWt8YVrL4fjlkNhIvgwGHd3jxv9A7BwkItGkWtK+Zd2QOf41DA4BwGc6pOP:78qEfyIFGHFls4tYj+RtoPXpONR08
Threatray 114 similar samples on MalwareBazaar
TLSH B0157D62F2D08433C123297D9D1B97A49D3ABE613E542C466FE86D8C4F3E792343A197
Reporter abuse_ch
Tags:exe geo IND MailChannels nVpn RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: crocodile.birch.relay.mailchannels.net
Sending IP: 23.83.209.45
From: Toppuror International <info@toppuror.com.tw>
Subject: Fwd: Re: आदेश पावती s42523 #Attd-O-2054956719
Attachment: 2054956719,pdf.iso (contains "2054956719,pdf.exe")

RemcosRAT C2:
goddywin.freedynamicdns.net (185.165.153.17)

Pointing to nVpn:

% Information related to '185.165.153.0 - 185.165.153.255'

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacy-matters.co'

inetnum: 185.165.153.0 - 185.165.153.255
netname: PRIVACY_MATTERS
remarks: This prefix belongs to a VPN service provider.
remarks: For us the privacy of our customers matters, which means we store no logs
remarks: related to any IP addresses.
remarks: Spamhaus, please note that blacklisting the clean prefixes of our hosting
remarks: partners and upstream providers is an act of coercion and will no longer
remarks: be tolerated.
remarks: Coercion is punishable by a custodial sentence or by a monetary penalty.
remarks: If you continue such practice we will not only take legal actions against
remarks: your organization, but also make such blackmailing attempts public in the
remarks: media.
country: AT
admin-c: PMVS3-RIPE
tech-c: PMVS3-RIPE
org: ORG-PMVS1-RIPE
status: ASSIGNED PA
mnt-by: PM-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2019-10-18T13:31:16Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Downloader.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-05-19 06:37:04 UTC
File Type:
PE (Exe)
Extracted files:
97
AV detection:
26 of 48 (54.17%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ri4zpydujvn5dv7tlekwyrqexotcsfulxi37sc6k5q6cmrggcgq._file
Verdict:
suspicious
Similar samples:
029c973cf95aad6fd32af2475d767633002e6139a7d04bc6d23574dcd7e49eda
RemcosRAT
06c3086d2a9a4456f1e98b32ce177c455ed82caf13ae4bdc2e402d78f566160c
RemcosRAT
3484fffe14e6d045c8a5c568187f686d4479693dadb3fc4631b7d307000b5148
RemcosRAT
4d993cb21ffe5a2b315ceede2a9e021f65fba6df052e1d0a400afba3ba76c17a
RemcosRAT
5e499f9a72195ce2d1d2e0ca6dffbacc880ae5bc0847ea03e65060c993e35146
RemcosRAT
654dcb8cbaca77d6679523c36f44ea656e39a97ce7e4d6f91b089fe8d54f9787
RemcosRAT
663921e0ebe32e8c57da404739f780f14ce4e9a86c13d47530e25649df2324d8
RemcosRAT
6bd678bf71a6b8c33bd6b03d2559ee5e43fef7b6449d48962a2c4032ce7a8138
RemcosRAT
e24298b174f7e0ac0ff54e424e20981739f31d285969d829dfb0b7b95272b7d6
RemcosRAT
f6b725654c8d666688aaa90def223e8592a17110aead0e275c35c64e18c10985
RemcosRAT
+ 104 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-hrfq1my6n2/
Behaviour
Script User-Agent
Legitimate hosting services abused for malware hosting/C2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

iso 82defc7c6742908dfc86f17e7aa664c4680948f85dc4e2620f67ecbf915cd21d

RemcosRAT

Executable exe d451ccbf03a26ade8ebf9ac8ab623025dd3148b45dd1bfc85e5761e13226308d

(this sample)

  
Dropped by
MD5 1a0b86758cd2b059678b5447cf8375ea
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 82defc7c6742908dfc86f17e7aa664c4680948f85dc4e2620f67ecbf915cd21d

Comments