MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3be00040e51cd821bbdf73024cfc37f441ba985017128ff832391022988433d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 9

Intelligence 9 IOCs 1 YARA 5 File information Comments

SHA256 hash:	3be00040e51cd821bbdf73024cfc37f441ba985017128ff832391022988433d9
SHA3-384 hash:	18a498a03c7e79e0d06ceda40851b25e4f548344f05629cd98d98df513cd25356793bc7e1e6fff7f4c92c2d83ed1ee47
SHA1 hash:	4f8c30ac5d89c9b63186966af3adbddd1e4e8e84
MD5 hash:	2b30c6285d042d1cc5ef18d3b1bcae60
humanhash:	nine-iowa-failed-south
File name:	Confirmación del pedido Urgente.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	740'352 bytes
First seen:	2021-09-27 14:12:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ceaa652f3ced51b4d37f51c5b68fecf1 (4 x RemcosRAT)
ssdeep	12288:2FOlCoLQAsZX1x4kIkA7aMks4rimoAkQ:2/AsZlx4m4xksK
Threatray	221 similar samples on MalwareBazaar
TLSH	T177F46CD5E7C908F3C0663DBC8CD8F66194A3BCB15E182CC46DE82980BB74666793562F
dhash icon	acacacb6a2968eaa (13 x RemcosRAT, 4 x Formbook, 4 x AveMariaRAT)
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

RemcosRAT C2:
185.140.53.130:6642

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.140.53.130:6642	https://threatfox.abuse.ch/ioc/227067/

Intelligence

File Origin

# of uploads :

# of downloads :

151

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Confirmación del pedido Urgente.exe

Verdict:

Suspicious activity

Analysis date:

2021-09-27 14:17:06 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/4b1c39ed-d6c7-48b5-9890-546ecd33543b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/192155/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Malware family:

Remcos RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6d1e8fdf-ea9c-459c-bbe3-3990d72c5e0e

Result

Threat name:

DBatLoader

Detection:

malicious

Classification:

troj

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/859106

Signature

Multi AV Scanner detection for submitted file

Self deletion via cmd delete

Yara detected DBatLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3be00040e51cd821bbdf73024cfc37f441ba985017128ff832391022988433d9/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2021-09-07 19:32:21 UTC

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hpqaaqhfdtmcdo67ombez7bx6ra3vgcqc4ji76bsheicfgeegpmq._file

Verdict:

malicious

RemcosRAT

1b1eb8f42b0b48cf428e19c9c8b21676c41faca886e392c6d6f05de3120297c9

RemcosRAT

270ac39c0d7cda087e43b6945c1204c6bddeed0d26001f566b4bee9a902ae43c

RemcosRAT

4b3e872365db5c5fd41d596837b761900d549c8d70247105b2a3451a34b7e74d

RemcosRAT

6a96d22dec9171b154bb1a94c68fa02dda51713709dad161681a759f64cc3014

RemcosRAT

8aa2379084127a3eaa67bf4aadd0ee90c8189cc9696d516256211dbbcc7d39c5

RemcosRAT

8cb9b0ac073c398ffc0147a1a84ffa9c2db217df67c5a89f34f4a5fb12be7cc3

RemcosRAT

b70ee93e9f63d90785264d45dae48012a1d00b92f63c21ccae0f5d2003c00554

RemcosRAT

dbf0fff8619800b75efb046b9028d1bfca9e7fa079f65a4b83d18773df15f787

RemcosRAT

+ 211 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/210927-rjfbbshcak/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

cd4b225505e84218ef7418c8e5f41acbb67c51bd43e9ddcfa25341259377d3df

MD5 hash:

b7816cb3535b2f2675804d3052295003

SHA1 hash:

db4588853aa1ec16b1f2d29b1e873a653a1ecb13

Link:

https://www.unpac.me/results/df0911e8-9643-4c67-a8ff-fb105b80d62b/

SH256 hash:

3be00040e51cd821bbdf73024cfc37f441ba985017128ff832391022988433d9

MD5 hash:

2b30c6285d042d1cc5ef18d3b1bcae60

SHA1 hash:

4f8c30ac5d89c9b63186966af3adbddd1e4e8e84

Link:

https://www.unpac.me/results/df0911e8-9643-4c67-a8ff-fb105b80d62b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3be00040e51cd821bbdf73024cfc37f441ba985017128ff832391022988433d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/192155/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample