MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c2ffc42864aba9e07bb8cd494141ea7125a2d24a8717f0cf0a33da8020dbdfb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c2ffc42864aba9e07bb8cd494141ea7125a2d24a8717f0cf0a33da8020dbdfb
SHA3-384 hash: 75a649296ab82fb0517576c1d7c089bcfabfc7c3f7367ef884962fecf5c8883d1a510050fec122198ee6faf3a7bcfa46
SHA1 hash: 4e3e3d17f11c5339b96ea7d367ffe692a0d23238
MD5 hash: bc54f9e4ead035489d7c76247fda8e87
humanhash: finch-texas-venus-mobile
File name:ProofOfPayment1.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:896'000 bytes
First seen:2023-04-20 10:17:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:8waGLBFP0feaikAvAKPzxCiBgN7dtGMiNdIW1:nvvAKPz0GW7dtG3NdIW
Threatray 1'966 similar samples on MalwareBazaar
TLSH T1C11502F862C0975FD8202FFE2614985827FA4DF8C4D5CECDC96AA4CB0AFD7225404E69
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter adrian__luca
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
260
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
ProofOfPayment1.exe
Verdict:
Malicious activity
Analysis date:
2023-04-20 10:40:06 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/fd25efd6-c689-4602-97ad-92ce7ef21aaa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/383735/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6441114c4619b92d77579891/reports/bad62754-5253-426c-869a-5efcda458da4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/3c2ffc42864aba9e07bb8cd494141ea7125a2d24a8717f0cf0a33da8020dbdfb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/702601a7-f882-4666-9ab6-f58a887d7f76
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1217864
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 850810 Sample: ProofOfPayment1.exe Startdate: 20/04/2023 Architecture: WINDOWS Score: 100 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for URL or domain 2->52 54 10 other signatures 2->54 7 zDGzgl.exe 5 2->7         started        10 ProofOfPayment1.exe 7 2->10         started        process3 file4 58 Antivirus detection for dropped file 7->58 60 Multi AV Scanner detection for dropped file 7->60 62 Contains functionality to bypass UAC (CMSTPLUA) 7->62 68 6 other signatures 7->68 13 schtasks.exe 1 7->13         started        15 zDGzgl.exe 7->15         started        17 zDGzgl.exe 7->17         started        36 C:\Users\user\AppData\Roaming\zDGzgl.exe, PE32 10->36 dropped 38 C:\Users\user\...\zDGzgl.exe:Zone.Identifier, ASCII 10->38 dropped 40 C:\Users\user\AppData\Local\...\tmp3EAE.tmp, XML 10->40 dropped 42 C:\Users\user\...\ProofOfPayment1.exe.log, ASCII 10->42 dropped 64 Uses schtasks.exe or at.exe to add and modify task schedules 10->64 66 Adds a directory exclusion to Windows Defender 10->66 19 ProofOfPayment1.exe 3 15 10->19         started        24 powershell.exe 21 10->24         started        26 schtasks.exe 1 10->26         started        signatures5 process6 dnsIp7 28 conhost.exe 13->28         started        44 212.193.30.230, 3366, 49695 SPD-NETTR Russian Federation 19->44 46 geoplugin.net 178.237.33.50, 49696, 80 ATOM86-ASATOM86NL Netherlands 19->46 34 C:\ProgramData\remcos\logs.dat, data 19->34 dropped 56 Installs a global keyboard hook 19->56 30 conhost.exe 24->30         started        32 conhost.exe 26->32         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3c2ffc42864aba9e07bb8cd494141ea7125a2d24a8717f0cf0a33da8020dbdfb/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hqx7yqugjk5j4b53rtkjifa6u4jfuljevbyx6dhqum62qaqnxx5q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0a65bdc8a4ddc23e2d4fed87eb161185359b5ce38f9483ba5e0786d3c8aa8c34
RemcosRAT
1d507bf363414ee632d706b9c53f5351715c641585a54c9cbc93f82c880fda02
RemcosRAT
285f52c66b141680b77dcbb20f42a4ee9fab83815bd7c47a0e3cf581dad1404f
RemcosRAT
3b5ac4dabb34a13b2deef8dd1844b125c592e6eac2801a2c69c09b4b44675320
RemcosRAT
80d41016c2bf67df26677e38cbb13ab1ea552e4bad0e8ecb5e6e462297a7694f
RemcosRAT
935a2843dc01d80582184dd6aa77fc2f4c99aaeb48b9dfef6a1e1df2e927feda
RemcosRAT
c4c6102b12d328c012b37dece55392c5404069a05c831c0bc7b402d21429e495
RemcosRAT
d8e49e503a8556a54310f2019db3151ef7287e2271aaaf788dc39372dc705f13
RemcosRAT
e79b787e97db18226583aa9c61b0b6bb5de29945714c74636eca2cdf4947cb11
RemcosRAT
ee734d6d93d42624ffd7f363f3252ee46cfbc5b6adef174447232605bda7d607
RemcosRAT
+ 1'956 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:host collection rat spyware stealer
Link:
https://tria.ge/reports/230420-mbhn9shb94/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks computer location settings
Reads user/profile data of web browsers
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
212.193.30.230:3366
Unpacked files
SH256 hash:
c53a1136ea72e25eba623a022a14bfc1c5ceea0fe1a523d53ddee0a86c484018
MD5 hash:
ee2513239eda4855f8c5f5ae1e1cb36c
SHA1 hash:
bf2421f17432439035e55a50b2350904a8a95286
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/e786914d-44eb-40db-affd-d2532a0dc35f/
Parent samples :
10889504234fe600c781aefe6ba0918e2e1d98a777f6e4e03da6d006a06bffb0
b84d775cf5de9234ec178e4a94c5c459f0c6e8ad3bffc977ba20b116b4d9d88e
3c2ffc42864aba9e07bb8cd494141ea7125a2d24a8717f0cf0a33da8020dbdfb
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/e786914d-44eb-40db-affd-d2532a0dc35f/
SH256 hash:
734b33ce2e366cfa1dcfab649e73b04756da6ade705ffdd3e3bdddc8125ce36d
MD5 hash:
ad95c5e310fdd2be0d0cb3dc95dbd6a5
SHA1 hash:
86429bd78e0b7b0b4fee395a5ee45246c2f95205
Link:
https://www.unpac.me/results/e786914d-44eb-40db-affd-d2532a0dc35f/
SH256 hash:
05370547c93a2ad72857114ebf67f6b80aa4bbeda0ec60f99ea452135c4fd743
MD5 hash:
ec2920277b7518e7b511e11717869412
SHA1 hash:
6172b4db0aa7d78f913bbf5163b93a38a023c853
Link:
https://www.unpac.me/results/e786914d-44eb-40db-affd-d2532a0dc35f/
SH256 hash:
f074b2c09142fa55caae482b5ec6ba350fda0ac62329bb825d61f21e2e7059a1
MD5 hash:
567bbf43aac601560b1def4a872d4089
SHA1 hash:
21dfc6e6ecf39c9c23927c114ca911559ca4593e
Link:
https://www.unpac.me/results/e786914d-44eb-40db-affd-d2532a0dc35f/
SH256 hash:
3c2ffc42864aba9e07bb8cd494141ea7125a2d24a8717f0cf0a33da8020dbdfb
MD5 hash:
bc54f9e4ead035489d7c76247fda8e87
SHA1 hash:
4e3e3d17f11c5339b96ea7d367ffe692a0d23238
Link:
https://www.unpac.me/results/e786914d-44eb-40db-affd-d2532a0dc35f/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3c2ffc42864a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3c2ffc42864aba9e07bb8cd494141ea7125a2d24a8717f0cf0a33da8020dbdfb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Dotnet_Hidden_Executables_Detect
Create hunting rule
Author:Mehmet Ali Kerimoglu (@CYB3RMX)
Description:This rule detects hidden PE file presence.
Reference:https://github.com/CYB3RMX/Qu1cksc0pe
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 3c2ffc42864aba9e07bb8cd494141ea7125a2d24a8717f0cf0a33da8020dbdfb

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/383735/

Comments