MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea5f7ceccf5540860f32abe23534330ccb4b5b082d94b2afb5aa1e6d26a1ae56. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 4



SHA256 hash: ea5f7ceccf5540860f32abe23534330ccb4b5b082d94b2afb5aa1e6d26a1ae56
SHA3-384 hash: 00b5b589d3b9fcc0c8498a3b334ec5c67bd2b69ab5f37fdd0e16464696c4b83833aaa668fd632852605ce0ffd58dcd30
SHA1 hash: d4a176469b3e6e74ac434d746c1234790f8bb562
MD5 hash: 632e3d1eedfc816446787802aad4152f
humanhash: lima-florida-lemon-beer
File name: DHL kvittering 8897209547, pdf.exe
Download: download sample
Signature: RemcosRAT
File size: 690'176 bytes
First seen: 2020-05-27 11:56:50 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 82ee847d3412bd91ec2252cf3901e308 (16 x AgentTesla, 4 x Loki, 1 x NanoCore)
ssdeep: 12288:1i8qmDnPyX8ylwhz8n4l7OUrYqYwYTtlNdUJIP0+0OzGTREZhIZOqv8:sBeyXKx8n4IUrWtVQl+0Oz3tq0
Threatray: 796 similar samples on MalwareBazaar
TLSH: B9E48D2EE2E04837F1661A3D9D0B5774982EBE102A2869466BF4DD4C9FF934D3C36193
Reporter: abuse_ch
Tags: DHL exe nVpn RemcosRAT


abuse_ch
Malspam distributing RemcosRAT:

HELO: vps.ancleald.com
Sending IP: 45.95.169.157
From: DHL Express Cargo <delivery@dhl.com>
Subject: Levering DHL
Attachment: DHL kvittering 8897209547, pdf.iso (contains "DHL kvittering 8897209547, pdf.exe")

RemcosRAT C2:
79.134.225.75:7171

Hosted on nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence


File Origin
# of uploads: 1
# of downloads: 76
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Trojan.Injector
Status: Malicious
First seen: 2020-05-27 12:37:50 UTC
File Type: PE (Exe)
Extracted files: 275
AV detection: 26 of 31 (83.87%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:remcos persistence rat
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction: 79.134.225.75:7171
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_RemcosRAT
Author: abuse.ch
Rule name: win_remcos_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe ea5f7ceccf5540860f32abe23534330ccb4b5b082d94b2afb5aa1e6d26a1ae56 (this sample)

Delivery method
Distributed via e-mail attachment

Comments