MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6da7d4b675fdc9853add6602c89dbe327fbb91d022652489713b98e884b1391. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 7



SHA256 hash: e6da7d4b675fdc9853add6602c89dbe327fbb91d022652489713b98e884b1391
SHA3-384 hash: 90b0ba9d2152d193f8bad8e01393a137f31c1f2c43fc4d8e9f83cdfdffe2f895182a324db636573771d152609f3d17d9
SHA1 hash: cb7bdd33962ab443309fe56cc381ccb4dd0792a0
MD5 hash: 849d076884b4e4575592ae3eaea13a8b
humanhash: lamp-stream-fish-west
File name: ORDERI0987654-0098800000-pdf.r12
Signature: RemcosRAT
File size: 355'074 bytes
First seen: 2023-11-16 16:20:10 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 6144:GrtaR5Gx5ftM/bQy2TXeyVIfjdwKLWRm7pvUXFyXl/G+12lyOIPk:GJ0GtcbQyKeyVIb7yk186le+1lOUk
TLSH: T12B742296F38F1161E13142797AB893136989A0D94D8F41A91CEC59DF28BF06CE0BF67C
TrID: 80.0% (.ZIP) ZIP compressed archive (4000/1)
      20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: cocaman
Tags: FormBook INVOICE payment r12 RemcosRAT zip


cocaman
Malicious email (T1566.001)
From: "pearlfibeexport@gmail.com" (likely spoofed)
Received: "from hosted-by.rootlayer.net (unknown [45.137.22.131]) "
Date: "16 Nov 2023 04:50:40 +0100"
Subject: "Payment invoice"
Attachment: "ORDERI0987654-0098800000-pdf.r12"

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                     ThreatFox Reference
107.175.229.139:8087    https://threatfox.abuse.ch/ioc/1199401/

Intelligence


File Origin
# of uploads: 1
# of downloads: 135
Origin country: CH
File Archive Information

This file archive contains 3 file(s), sorted by their relevance:

File name: qhnlknnvg.a
File size: 258'263 bytes
SHA256 hash: 3a771752b239f75a7bbef2e0e95d8ba7d74c5f070160e970c15325c1d5502735
MD5 hash: ddbc7a941cc8a41868214bf457414ba3
MIME type: application/octet-stream
Signature: RemcosRAT

File name: hmgffhl.exe
File size: 183'296 bytes
SHA256 hash: d79d1c50863e99b5d93d3d5f7f6c68a0f7774cd53e329a9cd626123c2d8b4716
MD5 hash: af8589ad7b9edf29559886b6c11320c5
MIME type: application/x-dosexec
Signature: Formbook

File name: ORDERI0987654-0098800000.BAT
File size: 368'839 bytes
SHA256 hash: 653f628893de874793983dc90b8868c7e56229e28f7eaf79d615c55490179411
MD5 hash: baa40e739a7b86a71f5ce1cc9ef151b8
MIME type: application/x-dosexec
Signature: RemcosRAT
Vendor Threat Intelligence
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control installer lolbin masquerade overlay packed remcos shell32

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: Win32.Backdoor.Remcos
Status: Malicious
First seen: 2023-11-16 01:17:44 UTC
File Type: Binary (Archive)
Extracted files: 3
AV detection: 12 of 38 (31.58%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
RemcosRAT: zip e6da7d4b675fdc9853add6602c89dbe327fbb91d022652489713b98e884b1391 (this sample)

Delivery method: Distributed via e-mail attachment

Comments