MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 308d44c8ce98023c0712fe824c49b0d7b82aa6af0fe5e25b78b6b0d3d0635453. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 308d44c8ce98023c0712fe824c49b0d7b82aa6af0fe5e25b78b6b0d3d0635453
SHA3-384 hash: c22a67b495de16388f0ba49b8042b811e80d5792a78b7fd955b6e3f7347aaa55df7fdc0c8acdc10c65a377c6600f206d
SHA1 hash: bb546caaa3b089c06cd5ab1ba9b30c35314a32f7
MD5 hash: 3cbe6627d771102db3b2ab06cbf6d940
humanhash: happy-asparagus-six-bluebird
File name:plugzx.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:760'832 bytes
First seen:2024-01-30 13:26:44 UTC
Last seen:2024-01-30 15:23:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:Gr0+mHhd9kPZvsWMZzOAA1/mGGYwbbvBJ/Bce0nskIISDlLIkn3RqFFFFFFx+zho:Gr0+mHhd9kPZEWpAWk/Ce0rSY+zh1Itf
Threatray 3'658 similar samples on MalwareBazaar
TLSH T1ECF412E5E68E43A7D7D52939FEA535E40AF4F61138C39F2E60A8123F06B37064D1A760
TrID 35.4% (.EXE) Win64 Executable (generic) (10523/12/4)
22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
6.9% (.ICL) Windows Icons Library (generic) (2059/9)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 8606460e0f397536 (3 x AgentTesla, 2 x Loki, 2 x Formbook)
Reporter e24111111111111
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
299
Origin country :
GR GR
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
INQ # 8721.doc
Verdict:
Malicious activity
Analysis date:
2024-01-30 04:59:43 UTC
Tags:
rat remcos remote exploit cve-2017-11882 keylogger
Link:
https://app.any.run/tasks/d44610cd-0de0-482b-8f04-dd5938bcb241

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/473593/
Detection(s):
SecuriteInfo.com.Trojan.Siggen25.10743.10908.27189.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed remcos remote
Link:
https://www.filescan.io/uploads/65b8f92d40cbb80fe04969c0/reports/089dacbc-b6ac-4aa7-824b-e8b67a4a6a0d/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/308d44c8ce98023c0712fe824c49b0d7b82aa6af0fe5e25b78b6b0d3d0635453
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8a546216-1248-4eb3-9e93-cc042012cf4e
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1383299
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1383299 Sample: plugzx.exe Startdate: 30/01/2024 Architecture: WINDOWS Score: 100 27 7070bc8.sytes.net 2->27 29 geoplugin.net 2->29 41 Multi AV Scanner detection for domain / URL 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 11 other signatures 2->47 8 plugzx.exe 3 2->8         started        signatures3 process4 signatures5 49 Contains functionality to bypass UAC (CMSTPLUA) 8->49 51 Tries to steal Mail credentials (via file registry) 8->51 53 Contains functionalty to change the wallpaper 8->53 55 6 other signatures 8->55 11 plugzx.exe 3 15 8->11         started        process6 dnsIp7 31 7070bc8.sytes.net 87.121.87.143, 49704, 49705, 6696 SKATTV-ASBG Bulgaria 11->31 33 geoplugin.net 178.237.33.50, 49706, 80 ATOM86-ASATOM86NL Netherlands 11->33 25 C:\ProgramData\remcos\logs.dat, data 11->25 dropped 57 Maps a DLL or memory area into another process 11->57 59 Installs a global keyboard hook 11->59 16 plugzx.exe 1 11->16         started        19 plugzx.exe 1 11->19         started        21 plugzx.exe 2 11->21         started        23 2 other processes 11->23 file8 signatures9 process10 signatures11 35 Tries to steal Instant Messenger accounts or passwords 16->35 37 Tries to harvest and steal browser information (history, passwords, etc) 16->37 39 Tries to steal Mail credentials (via file / registry access) 19->39
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/308d44c8ce98023c0712fe824c49b0d7b82aa6af0fe5e25b78b6b0d3d0635453
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/308d44c8ce98023c0712fe824c49b0d7b82aa6af0fe5e25b78b6b0d3d0635453/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2024-01-29 17:42:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gcgujsgotabdybys72beysnq264cvjvpb7s6ew3yw2ynhuddkrjq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
4138dc6d4ea9f822aa3bac00c6304b9675c13b140fadb75736f21dd33e8dcba6
RemcosRAT
82703bb5de0f44978e23f29a593094ae3951c3a623bb40bfd54238978e3c8819
RemcosRAT
9c365f7df9b2bb958a53890dc80a258de1f5ea0781155f7c2b3741b9dd593867
RemcosRAT
a0c4a547b08cd4669362420f9c50b04f084e0174f13911f4e8b95cec7ba12cd8
RemcosRAT
cf14c5b8ca5ad71f9ca5b37e4784001d9128b161958f6daf5807540eca4ffcc4
RemcosRAT
dfd724316cb0edbf1212cbf5e71f007d22b7a38e7860d96d4d4bedf17eaa85ea
RemcosRAT
fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd
RemcosRAT
+ 3'648 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:b70inc collection rat spyware stealer
Link:
https://tria.ge/reports/240130-qp3s5shegl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Reads user/profile data of web browsers
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
7070bc8.sytes.net:6696
Unpacked files
SH256 hash:
45c7b64a55dca23ee1239649e03a7c361813dbcfc2a0817b0d8e94c907d6ed4b
MD5 hash:
fb1bc19121c4e190d83672bc71b493f0
SHA1 hash:
c3488b969ba578e28ee360be24b6416425a224a0
Link:
https://www.unpac.me/results/66f79c43-9e8f-4779-a519-3a1b326d56ad/
SH256 hash:
3ffe86bf1ac317e3b37302273d4a91c695c934a9b7f97538ee3ea901a2e8649a
MD5 hash:
86afc9ef304e9d21b9d8453f0649105e
SHA1 hash:
b91ad870f68e7de630f1dd20a801e67495e018f1
Link:
https://www.unpac.me/results/66f79c43-9e8f-4779-a519-3a1b326d56ad/
SH256 hash:
ef65d5fc33b67069bb98465761a5100b81c8759b331ec0341c9fd0e2209e1076
MD5 hash:
199796bdcb4792f963e8b7454e11374f
SHA1 hash:
6a066d110be7d6402726f84392fe71d74b9be97e
Detections:
Remcos
Create hunting rule
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Link:
https://www.unpac.me/results/66f79c43-9e8f-4779-a519-3a1b326d56ad/
Parent samples :
4ccdd2e1363c834aca696233e52247cea7545b194d173f3edfc83fa99f61d69e
f313ed23323b609ed09075856805772adf3487d3b565429adde2b71793cb73bf
308d44c8ce98023c0712fe824c49b0d7b82aa6af0fe5e25b78b6b0d3d0635453
SH256 hash:
308d44c8ce98023c0712fe824c49b0d7b82aa6af0fe5e25b78b6b0d3d0635453
MD5 hash:
3cbe6627d771102db3b2ab06cbf6d940
SHA1 hash:
bb546caaa3b089c06cd5ab1ba9b30c35314a32f7
Link:
https://www.unpac.me/results/66f79c43-9e8f-4779-a519-3a1b326d56ad/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/308d44c8ce98/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/308d44c8ce98023c0712fe824c49b0d7b82aa6af0fe5e25b78b6b0d3d0635453

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:win_remcos_w0
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:yarahub_win_remcos_rat_unpacked_aug_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Word file doc 37c8f5e19f127340ffd5813ab06d3e03d2bc73ae862ff0953f30c918fa561394

RemcosRAT

Executable exe 308d44c8ce98023c0712fe824c49b0d7b82aa6af0fe5e25b78b6b0d3d0635453

(this sample)

  
Dropped by
SHA256 37c8f5e19f127340ffd5813ab06d3e03d2bc73ae862ff0953f30c918fa561394
Cape
Cape
https://www.capesandbox.com/analysis/473593/
  
URLhaus
https://urlhaus.abuse.ch/url/2753643/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2753608/
  
Dropped by
MD5 09ed61ac54ec9307db27fe3872bdb9b5

Comments