MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf0a8d7b9bba62cedb94b058693ef2c3afe4e41cd4c82f4fde9ec529e99834f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf0a8d7b9bba62cedb94b058693ef2c3afe4e41cd4c82f4fde9ec529e99834f8
SHA3-384 hash: f2855be61d39166717da2d79c5ecde2a94ae0722a606562bf18f2fb25a5c0b9776801fe7b0a6077a62765635d055c996
SHA1 hash: 9da5adfd48c71cf82d54093c81a13fae94528b7f
MD5 hash: dd8f9da8f2172ebf1fb4f85f83ffd191
humanhash: sad-september-south-bakerloo
File name:c2.hta
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:3'541 bytes
First seen:2025-01-16 09:56:29 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 48:zOhhqNGDj3J7EOJtQsFURf+ZfsIZOr7Fk1JdALkbYL2H4Wb/w/CO:zkq0Dj3J7nJtZUaOr7e+kkL2H4m/S
TLSH T1BD716322E96EBDA4473A73700809289AF3C70B1357615B09FCDF251FDF78610E35AA99
Magika vba
Reporter abuse_ch
Tags:hta RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
PUA.Win.Trojan.Script-44
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6788d7f4aa9c8e7858df0384
Tags:
obfuscate xtreme shell
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/cf0a8d7b9bba62cedb94b058693ef2c3afe4e41cd4c82f4fde9ec529e99834f8/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6788d7f3da9e4ac53391cf4b/reports/ab769dfe-1eaf-40be-a169-e1236c91a97f/overview
Verdict:
Malicious
Labled as:
GT:VB.Downloader.14
Link:
https://www.hybrid-analysis.com/sample/cf0a8d7b9bba62cedb94b058693ef2c3afe4e41cd4c82f4fde9ec529e99834f8
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1592620
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Multi AV Scanner detection for submitted file
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious MSHTA Child Process
Behaviour
Behavior Graph:
Download SVG
Score:
15%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/cf0a8d7b9bba62cedb94b058693ef2c3afe4e41cd4c82f4fde9ec529e99834f8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cf0a8d7b9bba62cedb94b058693ef2c3afe4e41cd4c82f4fde9ec529e99834f8/
Threat name:
Win32.Exploit.Generic
Create hunting rule
Status:
Malicious
First seen:
2025-01-16 09:57:04 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z4fi2643xjrm5w4uwbmgspxsyox6jza42tec6t66t3cst2mygt4a._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery
Link:
https://tria.ge/reports/250116-lyxk9swlej/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/cf0a8d7b9bba62cedb94b058693ef2c3afe4e41cd4c82f4fde9ec529e99834f8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

HTML Application (hta) hta cf0a8d7b9bba62cedb94b058693ef2c3afe4e41cd4c82f4fde9ec529e99834f8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3340028/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3390125/

Comments