MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9ff3cabaa916b089296be748aab797ddcd928c6f8157d04ad640faf2f328023. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 3



SHA256 hash: f9ff3cabaa916b089296be748aab797ddcd928c6f8157d04ad640faf2f328023
SHA3-384 hash: 5c396ca3811a0062e6f8ebcec0a5039e98e35af3f71aeacdda4c4934c4ed1b6258bd8ac5e0b8b386c009af1230d18ff2
SHA1 hash: ba10b24ae2c9db88be5042fb5c234653868c5214
MD5 hash: 86ac0c7f893ac0f800d0147954f0df71
humanhash: sixteen-venus-magazine-sweet
File name: APKI-180515 FL-180515,pdf.iso
Signature: RemcosRAT
File size: 1'607'680 bytes
First seen: 2020-07-10 07:34:03 UTC
Last seen: Never
File type: iso
MIME type: application/x-iso9660-image
ssdeep: 12288:NdNBlWS3MVbDQmQQSzZEjBcoIdGmYb0xj3Zj:rbvcbDQmQzGjz2Gnbi
TLSH: EA757E22F2D18437F16A1A78CC5B97A55839BDD33D24AC463BEC3D0C5F3A681742A297
Reporter: abuse_ch
Tags: iso nVpn RAT RemcosRAT


abuse_ch
Malspam distributing RemcosRAT:

HELO: li2143-208.members.linode.com
Sending IP: 172.105.189.208
From: Ramil Alonzo <sales@asiaprimera.net>
Subject: PO APKI-180515& FL-180515
Attachment: APKI-180515 FL-180515,pdf.iso (contains "ASP-180515& FL-180515,pdf.exe")

RemcosRAT C2:
anotherlevel.ddns.net:7213 (194.5.99.12)

Pointing to nVpn:

% Information related to '194.5.99.0 - 194.5.99.255'

% Abuse contact for '194.5.99.0 - 194.5.99.255' is 'abuse@inter-cloud.tech'

inetnum: 194.5.99.0 - 194.5.99.255
netname: INTER_CLOUD_SERVICES_RUSSIA
admin-c: ICTR1-RIPE
tech-c: ICTR1-RIPE
org: ORG-ICR2-RIPE
country: RU
status: ASSIGNED PA
mnt-by: inter-cloud-mnt
created: 2019-07-20T20:42:53Z
last-modified: 2020-07-04T13:20:18Z
source: RIPE

Intelligence


File Origin
# of uploads: 1
# of downloads: 69
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Trojan.Injects
Status: Malicious
First seen: 2020-07-10 07:35:07 UTC
AV detection: 15 of 29 (51.72%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

iso f9ff3cabaa916b089296be748aab797ddcd928c6f8157d04ad640faf2f328023

(this sample)

  
Dropping: RemcosRAT
Delivery method: Distributed via e-mail attachment
