MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4ab4a125eaf218adb62d4a458ac26f872505c95ea837cc586f92bbdb2d6ac8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	f4ab4a125eaf218adb62d4a458ac26f872505c95ea837cc586f92bbdb2d6ac8a
SHA3-384 hash:	b9b9835ad08b439e573575dd795de8d77dd4b4a559a99264700a84a22b0ab04864d9f1ff6419cfb41e5bc04fdd4a4855
SHA1 hash:	544720a58caa5dc449d2f6318ead95b7465e7ba4
MD5 hash:	000e860f92e4d6001f1d13c6525bfd52
humanhash:	high-twenty-eight-papa
File name:	TNT Original Invoice.ace
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'449'320 bytes
First seen:	2023-03-29 06:50:29 UTC
Last seen:	Never
File type:	ace
MIME type:	application/octet-stream
ssdeep	24576:iSEhJmwagrK4pFTXx2lz8SPEixhckBmG/nK3tSwHnvWpxyyni3uqfnY5Pj:iSNpguoFTXQg4EiYkEG/nK9SynvWp0y5
TLSH	T15365335B25FF2728E5C8AB00659BD04EF86503F3D65F38E069E6CCBB5A4825C20DE9C5
Reporter	cocaman
Tags:	ace INVOICE RemcosRAT TNT

cocaman

Malicious email (T1566.001)
From: ""TNT Customer Support" <service@tnt.com>" (likely spoofed)
Received: "from mageneet.com (unknown [212.87.204.248]) "
Date: "28 Mar 2023 16:21:07 -0700"
Subject: "RE: TNT Shipment Original Invoice"
Attachment: "TNT Original Invoice.ace"

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.25738.AceHeur.Exe.UNOFFICIAL

Sanesecurity.Malware.25166.AceHeur.Exe.UNOFFICIAL

SecuriteInfo.com.Suspicious-ACE-exe.UNOFFICIAL

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm context-ace golang overlay packed

Link:

https://www.filescan.io/uploads/6423dfd783048b7317acc6e8/reports/18ee8cc2-54c0-450b-8595-c7eb87a52027/overview

Verdict:

Malicious

Labled as:

Mal/DrodAce

Link:

https://www.hybrid-analysis.com/sample/f4ab4a125eaf218adb62d4a458ac26f872505c95ea837cc586f92bbdb2d6ac8a

Result

Verdict:

MALICIOUS

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f4ab4a125eaf218adb62d4a458ac26f872505c95ea837cc586f92bbdb2d6ac8a/

Threat name:

Win32.Trojan.Tisifi

Status:

Malicious

First seen:

2023-03-28 11:13:17 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

17 of 23 (73.91%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6svuues6v4qyvw3c2ssfrlbg7bzfaxev5kbxzrmg7ev33mwwvsfa._file

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost rat

Link:

https://tria.ge/reports/230329-n8lb4agb89/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Uses the VBS compiler for execution

Remcos

Malware Config

C2 Extraction:

51.75.209.245:2406

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/f4ab4a125eaf218adb62d4a458ac26f872505c95ea837cc586f92bbdb2d6ac8a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ACE_Containing_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems) - based on Nick Hoffman' rule - Morphick Inc
Description:	Looks for ACE Archives containing an exe/scr file