MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6adbd879d0b20d0ca5057006a890284e0ca9b477f6f07b2924d05b37881dfbf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 6

Intelligence 6 IOCs YARA 2 File information Comments

SHA256 hash:	d6adbd879d0b20d0ca5057006a890284e0ca9b477f6f07b2924d05b37881dfbf
SHA3-384 hash:	6b0437e3ee170e2fde118cf08aa54c9a1afed4e703fa6964ece15d95174ca81dc389a6349308bb116f1578b67b294491
SHA1 hash:	9202f6958c8439e5bd003a7e49468cfcd6b2e927
MD5 hash:	f3b6f2be974bae7146c215dbb66cc4c9
humanhash:	coffee-oscar-georgia-virginia
File name:	RFQ No. 01.300.TRGVH.zip
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	789'118 bytes
First seen:	2022-10-25 12:14:00 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	24576:w6sl0XqI6NdG8tvNEY0QpDn8LJohaYL5VUa8s6C:oLELGmohaQR
TLSH	T17CF433FFD9E58AB60189177E1738C5B6F08B9602EBEDCF48414CD84E9566F9CB878240
TrID	80.0% (.ZIP) ZIP compressed archive (4000/1) 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	cocaman
Tags:	RemcosRAT RFQ zip

cocaman

Malicious email (T1566.001)
From: ""Amy Strawberry" <k.rohit@fortune-it.com>" (likely spoofed)
Received: "from mageneet.com (unknown [194.180.48.38]) "
Date: "25 Oct 2022 05:10:19 -0700"
Subject: "Re: RE : URGENT REQUEST // REF**RFQ: 01.300.TRGVH"
Attachment: "RFQ No. 01.300.TRGVH.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

177

Origin country :

n/a

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	RFQ No. 01.300.TRGVH.exe
File size:	821'248 bytes
SHA256 hash:	b9a0c1222bea7c7a90eb111e5101dd2ca3355966af79dbd7a490498a8f3d6a58
MD5 hash:	ec36ba050f837fc4326c0efaa9835fc7
MIME type:	application/x-dosexec
Signature	RemcosRAT

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Foxhole.Zip_fs2098.UNOFFICIAL

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/d6adbd879d0b20d0ca5057006a890284e0ca9b477f6f07b2924d05b37881dfbf

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d6adbd879d0b20d0ca5057006a890284e0ca9b477f6f07b2924d05b37881dfbf/

Threat name:

ByteCode-MSIL.Trojan.Taskun

Status:

Malicious

First seen:

2022-10-25 07:20:29 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=22w33b45bmqnbssqk4agvcicqtqmvg2hp5xqpmusjuc3g6eb367q._file

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost rat

Link:

https://tria.ge/reports/221025-pebq8scff2/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Remcos

Malware Config

C2 Extraction:

51.75.209.245:2404

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d6adbd879d0b20d0ca5057006a890284e0ca9b477f6f07b2924d05b37881dfbf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.