MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da392819f729c30ac6bed9b8fef78c3f3c48d16259b675a5ca13aa69e60143f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: da392819f729c30ac6bed9b8fef78c3f3c48d16259b675a5ca13aa69e60143f5
SHA3-384 hash: 12618089872fcfe97024fffca2369a0475d1f7915cd000a60d8bde0d72b9701532b226c3b4e6a81508d2769bc29bc6f1
SHA1 hash: 441621e15bf7eee4ede82b286bc0847aa34d1204
MD5 hash: 8beae521ffc5328ae64c9115c8b12f24
humanhash: sierra-oklahoma-wisconsin-football
File name:FG133.z
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:989'126 bytes
First seen:2023-12-30 07:35:59 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 24576:5svRgNd4jgnfegLO3aUqMh8M3dqH1lbgYPNi88J22+XQvCPgpeWCH:KUd4jMfegq3/qMhz3dqH1tgYPN18J22y
TLSH T13425337ED6B2E01257A10CE936042F2CD34D9F2ED04E0682F935EAD2962FB47A6D4DD4
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:INVOICE QUOTATION RemcosRAT z zip


Avatar
cocaman
Malicious email (T1566.001)
From: "Muhammad zain Ghous<comercial.rspharma@gmail.com>" (likely spoofed)
Received: "from hosted-by.rootlayer.net (unknown [45.137.22.114]) "
Date: "29 Dec 2023 03:03:20 +0100"
Subject: "Quotation invoice"
Attachment: "FG133.z"

Intelligence

File Origin
# of uploads :
1
# of downloads :
204
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:FG133.exe
File size:1'508'352 bytes
SHA256 hash: 85e1ad6c1503ecfec6e03b38c24b93ce7c92a08f3c84f43db8946359054938c6
MD5 hash: dd801c9810d646f04c1ebaa46784fbe9
MIME type:application/x-dosexec
Signature RemcosRAT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Generic.33203615.28472.17882.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autoit bladabindi control darkkomet greyware keylogger lolbin packed remcos shell32 threat
Link:
https://www.filescan.io/uploads/658fc8636b1c2460460fcffa/reports/62420c08-5cba-49d9-bd31-4ffd2fb505db/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/da392819f729c30ac6bed9b8fef78c3f3c48d16259b675a5ca13aa69e60143f5
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/da392819f729c30ac6bed9b8fef78c3f3c48d16259b675a5ca13aa69e60143f5
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Score:
100%
Verdict:
Malware
File Type:
Archive
Link:
https://malprob.io/report/da392819f729c30ac6bed9b8fef78c3f3c48d16259b675a5ca13aa69e60143f5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/da392819f729c30ac6bed9b8fef78c3f3c48d16259b675a5ca13aa69e60143f5/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-12-29 17:19:52 UTC
File Type:
Binary (Archive)
Extracted files:
20
AV detection:
13 of 37 (35.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3i4sqgpxfhbqvrv63g4p554mh46erulclg3hljokcovgtzqbip2q._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:dollar collection rat
Link:
https://tria.ge/reports/231230-natktahcc4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
AutoIT Executable
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Drops startup file
Executes dropped EXE
Loads dropped DLL
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
107.175.229.139:8087
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/da392819f729c30ac6bed9b8fef78c3f3c48d16259b675a5ca13aa69e60143f5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip da392819f729c30ac6bed9b8fef78c3f3c48d16259b675a5ca13aa69e60143f5

(this sample)

RemcosRAT

Executable exe 85e1ad6c1503ecfec6e03b38c24b93ce7c92a08f3c84f43db8946359054938c6

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 85e1ad6c1503ecfec6e03b38c24b93ce7c92a08f3c84f43db8946359054938c6
  
Dropping
MD5 dd801c9810d646f04c1ebaa46784fbe9

Comments