MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 c400fa0429a3b241dd2757ce322082c15786c3bb18eb71fe2ef3a1eb60c7e0d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
RemcosRAT
Vendor detections: 10
| SHA256 hash: | c400fa0429a3b241dd2757ce322082c15786c3bb18eb71fe2ef3a1eb60c7e0d8 |
|---|---|
| SHA3-384 hash: | bc857f4c3f79c9833389e1cb8f6a00c57bb480d1483d9c7570feada3f31abb8bc4e557125b7eb471767187f32ff34bf9 |
| SHA1 hash: | 6e6a7ed2f5b2301a74d67c94d67ae84cb1bcd91a |
| MD5 hash: | 121bea217c0f5e700514e7354b6dfceb |
| humanhash: | fifteen-delta-stream-arizona |
| File name: | pagamento.exe |
| Signature | RemcosRAT |
| File size: | 897'488 bytes |
| First seen: | 2021-02-22 12:34:53 UTC |
| Last seen: | 2021-02-22 15:00:04 UTC |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash | 123e9c36cc1595f744449f97bcf23cbf (6 x RemcosRAT, 1 x Loki, 1 x Formbook) |
| ssdeep | 24576:RYUkRHVFnyXv1qhqJ7ANT8QNE1C5h7bmhNK:RY9b0Uhq7hc |
| TLSH | C6156EB29B4A4F22F06B143DCC4AE6F60715BC45372B59B71E98FB474AA2780B5E0077 |
| Reporter | |
| Tags: | RemcosRAT signed |
Code Signing Certificate
| Organisation: | Word |
|---|---|
| Issuer: | Word |
| Algorithm: | sha1WithRSA |
| Valid from: | 2021-02-20T22:44:55Z |
| Valid to: | 2039-12-31T23:59:59Z |
| Serial number: | 3f8b1d4c656982a34435f971c9f3c301 |
| Intelligence: | 2 malware samples on MalwareBazaar are signed with this code signing certificate |
| Thumbprint Algorithm: | SHA256 |
| Thumbprint: | d251ece1b477449c75147a689c4a4e73241a0eee3131b751446a250e1b9d040f |
| Source: | This information was brought to you by ReversingLabs A1000 Malware Analysis Platform |
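The "signed" tag on this entry adds no trust: the organisation and issuer fields carry the same string ("Word"), the signature algorithm is sha1WithRSA, the validity period runs almost nineteen years, the certificate was issued two days before the sample was first seen, and MalwareBazaar already associates it with other malware. The Python below is an added example, not MalwareBazaar or ReversingLabs code; it encodes those checks over the fields the table shows. The 39-month validity limit, the 30-day freshness window, the trusted-thumbprint list and the benign counterpart certificate are assumptions of the example, and the self-signed test compares the two name strings the page exposes rather than full distinguished names.

```python
from datetime import datetime, timezone

# Thresholds used by this example (assumptions; tune to your environment).
MAX_CODESIGN_VALIDITY_DAYS = 39 * 30      # public CAs cap code-signing certificates at 39 months
FRESHNESS_WINDOW_DAYS = 30                # a certificate minted days before first sighting is suspicious
WEAK_SIGNATURE_ALGORITHMS = {"md5withrsa", "sha1withrsa", "sha1withecdsa"}

# Certificate fields exactly as this MalwareBazaar entry lists them.
PAGE_CERT = {
    "organisation": "Word",
    "issuer": "Word",
    "algorithm": "sha1WithRSA",
    "valid_from": "2021-02-20T22:44:55Z",
    "valid_to": "2039-12-31T23:59:59Z",
    "thumbprint": "d251ece1b477449c75147a689c4a4e73241a0eee3131b751446a250e1b9d040f",
    "malware_samples_signed": 2,
}
PAGE_FIRST_SEEN = "2021-02-22 12:34:53 UTC"


def parse_utc(value):
    """Accept both timestamp formats MalwareBazaar uses and return an aware datetime."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S UTC"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised timestamp: %r" % value)


def assess_certificate(cert, observed_at, trusted_thumbprints=frozenset()):
    """Return the red flags for a signing certificate; an empty list means none fired.

    Only the fields shown on the entry are examined. The self-signed test compares the
    organisation and issuer strings; on a real certificate compare the full subject and
    issuer distinguished names instead."""
    flags = []
    if cert["organisation"].strip().lower() == cert["issuer"].strip().lower():
        flags.append("self_signed")
    if cert["algorithm"].lower() in WEAK_SIGNATURE_ALGORITHMS:
        flags.append("weak_signature_algorithm")
    not_before, not_after = parse_utc(cert["valid_from"]), parse_utc(cert["valid_to"])
    if (not_after - not_before).days > MAX_CODESIGN_VALIDITY_DAYS:
        flags.append("validity_exceeds_codesign_maximum")
    seen = parse_utc(observed_at)
    if not_before <= seen and (seen - not_before).days < FRESHNESS_WINDOW_DAYS:
        flags.append("issued_shortly_before_first_seen")
    if not (not_before <= seen <= not_after):
        flags.append("outside_validity_period")
    if cert["thumbprint"].lower() not in {t.lower() for t in trusted_thumbprints}:
        flags.append("thumbprint_not_in_trust_list")
    if cert.get("malware_samples_signed", 0) > 0:
        flags.append("signs_known_malware")
    return flags


# Constructed benign counterpart (fictional organisation and CA, placeholder thumbprint).
BENIGN_CERT = {
    "organisation": "Example Software Ltd",
    "issuer": "Example Public CA G2",
    "algorithm": "sha256WithRSA",
    "valid_from": "2020-03-01T00:00:00Z",
    "valid_to": "2023-03-01T00:00:00Z",
    "thumbprint": "ab" * 32,
    "malware_samples_signed": 0,
}

if __name__ == "__main__":
    print("page certificate:", assess_certificate(PAGE_CERT, PAGE_FIRST_SEEN))
    print("benign certificate:", assess_certificate(
        BENIGN_CERT, "2021-06-15 09:00:00 UTC", {BENIGN_CERT["thumbprint"]}))
```

Any non-empty result means the signature should not raise the file's reputation; the page's certificate trips every check except the validity-window one, which is exactly why a self-issued certificate valid until 2039 is an indicator in its own right rather than evidence of provenance.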
Intelligence
File Origin
| # of uploads: | 2 |
|---|---|
| # of downloads: | 129 |
| Origin country: | n/a |
Vendor Threat Intelligence
| Malware family: | n/a |
|---|---|
| ID: | 1 |
| File name: | pagamento.exe |
| Verdict: | Malicious activity |
| Analysis date: | 2021-02-22 08:14:48 UTC |
| Tags: | rat remcos keylogger |
| Note: | ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample |
Detection: DLAgent07
Result
| Verdict: | Malware |
|---|---|
| Maliciousness: | |
Behaviour
Creating a window
DNS request
Sending a UDP request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Unauthorized injection to a recently created process
Connecting to a non-recommended domain
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Result
| Verdict: | MALICIOUS |
|---|---|
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
| Threat name: | Remcos |
|---|---|
| Detection: | malicious |
| Classification: | troj.evad |
| Score: | 100 / 100 |
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Detected Remcos RAT
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Remcos
Sigma detected: Suspicious Program Location Process Starts
Yara detected Remcos RAT
| Threat name: | Win32.Infostealer.Fareit |
|---|---|
| Status: | Malicious |
| First seen: | 2021-02-22 07:49:04 UTC |
| File Type: | PE (Exe) |
| Extracted files: | 45 |
| AV detection: | 32 of 48 (66.67%) |
| Threat level: | 5/5 |
| Detection(s): | Suspicious file |
Result
| Malware family: | remcos |
|---|---|
| Score: | 10/10 |
| Tags: | family:remcos persistence rat |
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Remcos
Malware Config
| C2 Extraction: | export.zapto.org:4021 |
|---|---|
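The behaviour the sandboxes report for this sample (autorun through the Run registry branch, a file dropped under %AppData%, injection into another process, DNS and TCP traffic to export.zapto.org on port 4021, plus the known file hashes) maps directly onto endpoint telemetry. The Python below is an added example, not MalwareBazaar or any vendor's code: it runs a small set of detection rules over constructed Sysmon-style events (process creation, registry value set, CreateRemoteThread, DNS query, network connection) using the hashes and C2 host from this entry. The event field names follow Sysmon's; the list of dynamic-DNS zones (zapto.org is one) and the sample events are assumptions of the example. The keyboard hook set with SetWindowsHookEx has no Sysmon event and is not covered.

```python
import re

# Indicators copied from this MalwareBazaar entry.
KNOWN_SHA256 = {
    "c400fa0429a3b241dd2757ce322082c15786c3bb18eb71fe2ef3a1eb60c7e0d8",  # pagamento.exe as submitted
    "0e7586027be2b00d10dcc585232de1b4fe8f23be8298dad1f3bc86475946b5c9",  # unpacked Remcos payload
}
C2_HOST = "export.zapto.org"
C2_PORT = 4021

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
APPDATA_RE = re.compile(r"\\AppData\\(Roaming|Local|LocalLow)\\", re.I)
# Assumption: a short list of dynamic-DNS zones; zapto.org is the one this sample uses.
DYNDNS_ZONES = ("zapto.org", "no-ip.org", "ddns.net", "hopto.org")


def _is_dyndns(name):
    name = name.lower().rstrip(".")
    return any(name == z or name.endswith("." + z) for z in DYNDNS_ZONES)


def _parse_hashes(field):
    """Sysmon writes hashes as 'SHA256=...,MD5=...'; return a lower-cased dict."""
    out = {}
    for item in field.split(","):
        if "=" in item:
            algo, value = item.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def evaluate(event):
    """Return the detection names that fire for one Sysmon-style event dict."""
    hits = []
    eid = event.get("EventID")
    if eid == 1:     # process creation
        if _parse_hashes(event.get("Hashes", "")).get("SHA256") in KNOWN_SHA256:
            hits.append("known_remcos_hash")
        if APPDATA_RE.search(event.get("Image", "")):
            hits.append("exec_from_appdata")
    elif eid == 13:  # registry value set
        if RUN_KEY_RE.search(event.get("TargetObject", "")):
            hits.append("run_key_persistence")
            if APPDATA_RE.search(event.get("Details", "")):
                hits.append("run_key_targets_appdata")
    elif eid == 22:  # DNS query
        q = event.get("QueryName", "").lower().rstrip(".")
        if q == C2_HOST:
            hits.append("known_c2_domain")
        elif _is_dyndns(q):
            hits.append("dynamic_dns_lookup")
    elif eid == 3:   # network connection
        host = event.get("DestinationHostname", "").lower().rstrip(".")
        if host == C2_HOST:
            hits.append("known_c2_connection")
        elif event.get("DestinationPort") == C2_PORT:
            hits.append("c2_port_match")  # weak on its own; correlate with the process
    elif eid == 8:   # CreateRemoteThread into a different process
        if event.get("SourceImage") != event.get("TargetImage"):
            hits.append("remote_thread_injection")
    return hits


def scan(events):
    """Evaluate every event; return {process GUID: sorted list of detections that fired}."""
    by_process = {}
    for ev in events:
        hits = evaluate(ev)
        if hits:
            key = ev.get("ProcessGuid") or ev.get("SourceProcessGuid", "?")
            by_process.setdefault(key, set()).update(hits)
    return {k: sorted(v) for k, v in by_process.items()}


# Constructed events (not real telemetry) modelling the behaviour this entry lists.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "A", "Image": r"C:\Users\alice\Downloads\pagamento.exe",
     "Hashes": "SHA256=C400FA0429A3B241DD2757CE322082C15786C3BB18EB71FE2EF3A1EB60C7E0D8,"
               "MD5=121bea217c0f5e700514e7354b6dfceb"},
    {"EventID": 13, "ProcessGuid": "A",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\remcos",
     "Details": r"C:\Users\alice\AppData\Roaming\remcos\remcos.exe"},
    {"EventID": 8, "SourceProcessGuid": "A", "SourceImage": r"C:\Users\alice\Downloads\pagamento.exe",
     "TargetImage": r"C:\Windows\SysWOW64\notepad.exe"},
    {"EventID": 22, "ProcessGuid": "B", "QueryName": "export.zapto.org."},
    {"EventID": 3, "ProcessGuid": "B", "DestinationHostname": "export.zapto.org", "DestinationPort": 4021},
    {"EventID": 1, "ProcessGuid": "C", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Hashes": "SHA256=" + "0" * 64},
    {"EventID": 22, "ProcessGuid": "C", "QueryName": "www.mozilla.org"},
]

if __name__ == "__main__":
    for guid, hits in scan(SAMPLE_EVENTS).items():
        print(guid, hits)
```

Grouping hits per process GUID is what turns the individual weak signals (a Run key write, a dynamic-DNS lookup, a connection on an unusual port) into something worth alerting on; a process that both persists from %AppData% and talks to a dynamic-DNS host is a much stronger signal than either event alone.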
Unpacked files
| SHA256 hash | MD5 hash | SHA1 hash |
|---|---|---|
| 0e7586027be2b00d10dcc585232de1b4fe8f23be8298dad1f3bc86475946b5c9 | ee5230700e4a146fed27eab5f8d9caa6 | 809225fca3c38e5cd30eb35b9b667393becfb516 |
| c400fa0429a3b241dd2757ce322082c15786c3bb18eb71fe2ef3a1eb60c7e0d8 | 121bea217c0f5e700514e7354b6dfceb | 6e6a7ed2f5b2301a74d67c94d67ae84cb1bcd91a |
Please note that we are no longer able to provide a coverage score for Virus Total.
| Threat name: | Remcos |
|---|---|
| Score: | 1.00 |
File information
The table below shows additional information about this malware sample such as delivery method and external references.