MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8aa088219b5afcf0dd7d02debe430c259404cf2461bfa62f4fffa814d65ec10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 17

Intelligence 17 IOCs YARA 2 File information Comments

SHA256 hash:	c8aa088219b5afcf0dd7d02debe430c259404cf2461bfa62f4fffa814d65ec10
SHA3-384 hash:	2cb37cc0bd8a5e893eab65703bba366be6832a254b30d7e923f32d727cf293e8d2adde9e63d321284c96105760583e61
SHA1 hash:	c2088551aa760de9666e425495d5d2eb910955d7
MD5 hash:	2de5e60d91fc4bca287c754347a00dee
humanhash:	ceiling-ten-illinois-one
File name:	plugmanzx.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'077'248 bytes
First seen:	2023-04-09 22:35:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:zC4C90lhnlCuaY/P3M1Azizcn5EjlVMNdJT:zCtshq4GqFn5ulmdF
Threatray	2'439 similar samples on MalwareBazaar
TLSH	T13E35230CB5A95776CE6EB37F9560254C9375DE498762E2BE1EC920330EF2BC8D602C46
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	ventress
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

274

Origin country :

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

86d1c9c79fa1542d1157b34de32d34e33ffc9b6b3b1ecda900b86025395f8354.doc

Verdict:

Malicious activity

Analysis date:

2023-03-23 00:25:06 UTC

Tags:

exploit cve-2017-11882 loader rat remcos

Link:

https://app.any.run/tasks/24c1755e-ef58-4cfd-8880-cbb7f6006649

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/381123/

Detection(s):

Win.Packed.Formbook-9994793-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed remcos

Link:

https://www.filescan.io/uploads/64333dd3c41e8bc6a3b09e10/reports/e8eae291-e36f-4b35-8c8c-9cbc406f4564/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/c8aa088219b5afcf0dd7d02debe430c259404cf2461bfa62f4fffa814d65ec10

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/01fda0c9-1d7c-4da3-93cb-2725b801945f

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1210952

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to bypass UAC (CMSTPLUA)

Contains functionality to modify clipboard data

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/c8aa088219b5afcf0dd7d02debe430c259404cf2461bfa62f4fffa814d65ec10/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-03-15 09:17:26 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 37 (67.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zcvaraqzwwx46dox2aw6xzbqyjmuathsiyn7uyxu775ictlf5qia._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

0c10e1c8152eb2a30a9270ef79401b905e42bb6706d71094b59dd46502336f8e

RemcosRAT

16a1100ab0af5497ee45778f1a516357b3bae96797c9417d2e028a31ebe2bf80

RemcosRAT

1d0a51787f8726c44aa40f88422d01f084c4e533c2f190f4aef1696f9fd600d9

RemcosRAT

a767b580fa20f007fcac6ef48b4fc9e7397a47c00feed0334ecfb6d118f2da9c

RemcosRAT

c3653e6517e48603a356a5978cdc1b210bd20e023146fd561c611c3b82c0736c

RemcosRAT

c3f43d2f1e2f99cf22384cf00cfde5edadebd79e5d60bbaffee2cd5431fc0fab

RemcosRAT

+ 2'429 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost rat

Link:

https://tria.ge/reports/230409-2h8atsfd4x/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Remcos

Malware Config

C2 Extraction:

bmarch459.sytes.net:6110

Unpacked files

SH256 hash:

6daf669248a0f81d2725459fd81cb6fb8667b9bf0789d2a17f513c6681ad959f

MD5 hash:

64697105c9804e675568a6e2851dc7c6

SHA1 hash:

e4cbbec280145596961dde4132ba6ca0d5505d70

Link:

https://www.unpac.me/results/7ebda5ba-04c1-432c-842d-83e11d662043/

SH256 hash:

66c112f913b5f981cfac11bd66fe811a899a5ea5c128585db6188ff8bec246a9

MD5 hash:

d454c0f6e0e06233665c94c74fce4784

SHA1 hash:

d4ea306ae5208c480929ae63a082dc5347f4bb32

Link:

https://www.unpac.me/results/7ebda5ba-04c1-432c-842d-83e11d662043/

SH256 hash:

d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37

MD5 hash:

0fb6061f7d37424fb9e6d0e76b019c19

SHA1 hash:

98a64bf7b459f032d6ec5793003bf61b5ae1dd74

Link:

https://www.unpac.me/results/7ebda5ba-04c1-432c-842d-83e11d662043/

Parent samples :

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a

SH256 hash:

be29e54389ff7e16dedf453ee84433a5fb0d83a1ccea4898747bfbcc9929a418

MD5 hash:

84f828d5944694b882101d03a567c701

SHA1 hash:

7351595760e05afaa38383bba2ee1b3954dfe714

Link:

https://www.unpac.me/results/7ebda5ba-04c1-432c-842d-83e11d662043/

SH256 hash:

c3c3428c38671fb64d80d709c028ba84cff23e9b0833b74b36d1c429779e8f12

MD5 hash:

472dc4bc993d82a437af660892b36f8e

SHA1 hash:

20ed3e677b98e97a78e8d34a77cddc51638e2acd

Detections:

Remcos

win_remcos_auto

Link:

https://www.unpac.me/results/7ebda5ba-04c1-432c-842d-83e11d662043/

Parent samples :

16a1100ab0af5497ee45778f1a516357b3bae96797c9417d2e028a31ebe2bf80
269d6429c989705ba5ceec8be419711c882b67e5b507f5d4de180d04b58873c8
c8aa088219b5afcf0dd7d02debe430c259404cf2461bfa62f4fffa814d65ec10

SH256 hash:

c8aa088219b5afcf0dd7d02debe430c259404cf2461bfa62f4fffa814d65ec10

MD5 hash:

2de5e60d91fc4bca287c754347a00dee

SHA1 hash:

c2088551aa760de9666e425495d5d2eb910955d7

Link:

https://www.unpac.me/results/7ebda5ba-04c1-432c-842d-83e11d662043/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c8aa088219b5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c8aa088219b5afcf0dd7d02debe430c259404cf2461bfa62f4fffa814d65ec10

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

exe c8aa088219b5afcf0dd7d02debe430c259404cf2461bfa62f4fffa814d65ec10

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2260834/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/381123/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample