MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0dad01939e09e869b27e59d7a7d7c79fdd31bb4a8c52153844c23c3c34bf368. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 8 File information Comments

SHA256 hash:	b0dad01939e09e869b27e59d7a7d7c79fdd31bb4a8c52153844c23c3c34bf368
SHA3-384 hash:	2bcd30ee715273f7233af39b400bd57d27eff7edc9d31f518c3463911df234da341623c46bf35fd4c2b7cccc0dbea422
SHA1 hash:	cf87a401982404ba4d5ade481f0240372c3360f5
MD5 hash:	1ab95324bd080edc2b2648d62c7e201b
humanhash:	illinois-single-north-eight
File name:	pago de documento de pedido.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	870'224 bytes
First seen:	2021-03-05 07:15:59 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ec744fd3c932ace305ae4fea2c8994bb (2 x RemcosRAT)
ssdeep	12288:jaefnCzDZeGMM2uv/tuyOLnSTspTZzTlWQvBQ2ZwHRUhLCKWgjj3:j5/cZeGMMDv/t4rSTUVwQZ/KHRGWYv
Threatray	108 similar samples on MalwareBazaar
TLSH	FC057CE2B3414473C3A21F340C2BB6E76835BAD119D5658ABBFD6D0C6F2D2D33629096
Reporter	abuse_ch
Tags:	ESP exe geo RAT RemcosRAT

abuse_ch

RemcosRAT C2:
export.zapto.org

Intelligence

File Origin

# of uploads :

# of downloads :

148

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

pago de documento de pedido.exe

Verdict:

Malicious activity

Analysis date:

2021-03-05 07:17:45 UTC

Tags:

rat remcos keylogger

Link:

https://app.any.run/tasks/6b2038c9-a7ba-47f1-9f0c-88ab9f9dd594

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/122408/

Detection(s):

Win.Dropper.Fareit-9838621-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

DNS request

Sending a custom TCP request

Creating a file

Deleting a recently created file

Unauthorized injection to a recently created process

Connecting to a non-recommended domain

Connection attempt

Creating a file in the %AppData% subdirectories

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Setting a global event handler for the keyboard

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/629476

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Detected Remcos RAT

Detected unpacking (creates a PE file in dynamic memory)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Sigma detected: Executables Started in Suspicious Folder

Sigma detected: Execution in Non-Executable Folder

Sigma detected: Remcos

Sigma detected: Suspicious Program Location Process Starts

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b0dad01939e09e869b27e59d7a7d7c79fdd31bb4a8c52153844c23c3c34bf368/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2021-03-05 07:16:07 UTC

AV detection:

25 of 47 (53.19%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wdnnagjz4cpingzh4woxu7l4ph65gg5uvdcscu4ejqr4hq2l6nua._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

2d8d2fd56753dde1e4b495c73f4d1b68e4b347633d8cd79a687b9cb98573f189

RemcosRAT

49a4c95599f7bfe481ed85792ded20eae37d7a3889d43f81c349314cf87e6219

RemcosRAT

4a74ac9210751c192d84ad49d567de4cc5f7d005f62767b59a6a7901051a5304

RemcosRAT

604bc26afab3f25d1c4d98e45872e798eef3061cc8720be0db28d900bddb277c

RemcosRAT

86eb335425ab87285d7fc03826498925262e64a466fac29d22c8ae1a806feaae

RemcosRAT

b782581b1ca3da09fdf3ecbb173ee3ca1f313f5f325f407df976601cad8ce839

RemcosRAT

c3d5cfa19bb7af77abe161135bd85506171d67dca3f86fa6a68340d05e203f64

RemcosRAT

e418958dc7d42216f8f151aef40df718df0a6a20d7d70c9954f7bd82953707a7

RemcosRAT

ef6ac1293cdfda22c8d940f96c5433f406a4c3666e6941e4f094a8cf50d04ac1

RemcosRAT

+ 98 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos persistence rat

Link:

https://tria.ge/reports/210305-tbgqp9ftne/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Enumerates connected drives

Remcos

Malware Config

C2 Extraction:

export.zapto.org:4832

Unpacked files

SH256 hash:

f9f8a2abd0de5a2052dee5631163e4cd6124873fe5ee6e80089a6be9f2b209a3

MD5 hash:

2dadb1d18f8141233c7b74fd7bb31306

SHA1 hash:

5101e36d15db1f5592af8b05934b1854d9a93d8a

Link:

https://www.unpac.me/results/ca83a582-4b7a-4d9a-82ce-8ee242657d40/

SH256 hash:

4aa5685b832b5c4f6d99e09d2f04bcaa632c41b1ed76e246fc343775c4c0f84a

MD5 hash:

4fce4a6486271e50b4e6e75ede41c363

SHA1 hash:

3ce6ca07403161972d4e010268706261a73bf040

Link:

https://www.unpac.me/results/ca83a582-4b7a-4d9a-82ce-8ee242657d40/

SH256 hash:

b0dad01939e09e869b27e59d7a7d7c79fdd31bb4a8c52153844c23c3c34bf368

MD5 hash:

1ab95324bd080edc2b2648d62c7e201b

SHA1 hash:

cf87a401982404ba4d5ade481f0240372c3360f5

Link:

https://www.unpac.me/results/ca83a582-4b7a-4d9a-82ce-8ee242657d40/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b0dad01939e09e869b27e59d7a7d7c79fdd31bb4a8c52153844c23c3c34bf368

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_KB_CERT_635517466b67bd4bba805bc67ac3328c Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

exe b0dad01939e09e869b27e59d7a7d7c79fdd31bb4a8c52153844c23c3c34bf368

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/122408/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample