MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8c2bd110b5cce3629702c7b3d5ee03019050f53b05a688a156a16a09f552dc4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 10

SHA256 hash: d8c2bd110b5cce3629702c7b3d5ee03019050f53b05a688a156a16a09f552dc4
SHA3-384 hash: 9f61b85d2d1c92f8b332fd3cd0aae31e0bba02d63844aa3e2412ed658fcbf9088bd89f51e54ba1ea41a024b51524b894
SHA1 hash: 1935dd3214cac1f7e146a65550e0ba8a00b75733
MD5 hash: 084e88fe22bc7eb765d699c1fef7d64c
humanhash: bluebird-rugby-fix-vegan
File name: FINALE Shipping documentsPA 419-2025.pdf.arj
Signature: RemcosRAT
File size: 615'169 bytes
First seen: 2025-06-24 01:19:34 UTC
Last seen: 2025-06-24 11:53:01 UTC
File type: zip
MIME type: application/zip
ssdeep: 12288:S2MKHX2mL+UNHGyCUicuiQ5UGOKsJVE5ox5vQGPHNt:S9KT+XWicxQnOK8VE5e4GPtt
TLSH: T183D4235534F2D9FE112B298FC086EC976F5BEE854E632EBB36478D0840282DC9C567B1
Magika: zip
Reporter: cocaman
Tags: arj RemcosRAT Shipping zip


cocaman
Malicious email (T1566.001)
From: ""Sara ERRADI " <info@cascaderec.org>" (likely spoofed)
Received: "from server.webmajik2.net (server.webmajik2.net [147.135.40.253]) "
Date: "24 Jun 2025 13:52:16 +0200"
Subject: "Shipping details PA 419-2025"
Attachment: "FINALE Shipping documentsPA 419-2025.pdf.arj"

Intelligence


File Origin
# of uploads: 2
# of downloads: 746
Origin country: CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: FINALE Shipping documentsPA 419-2025pdf.exe.exe
File size: 794'992 bytes
SHA256 hash: 773c760fa277bdce3c9f6ac20f1ea2209bcad434ab2e23fe1794dcc2d9feaa75
MD5 hash: 0bcf6a2f74f41e352c4111f6aa2d6c14
MIME type: application/x-dosexec
Signature: RemcosRAT
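The attachment above is named as if it were an ARJ archive of a PDF, MalwareBazaar identifies it as a zip, and its only member is a PE whose name ends in pdf.exe.exe. The script below is an added example, not MalwareBazaar's code and not the sample itself, that performs the same triage offline: it compares the container format claimed by the attachment's extension against the file's magic bytes, walks the zip members with an inflation cap, hashes each one, and flags PE headers and document-lookalike names. The zip it inspects is constructed inside the block with filler bytes after "MZ", so its hashes will not match the ones listed on this page; the signature table, extension lists, lure-word regex and size threshold are the example's own choices.

```python
import hashlib
import io
import os
import re
import zipfile
from typing import Optional

# Standard magic bytes for the containers a lure is likely to claim (lookup built for this example).
CONTAINER_MAGIC = {"zip": b"PK\x03\x04", "arj": b"\x60\xea", "rar": b"Rar!\x1a\x07"}
EXT_TO_CONTAINER = {".zip": "zip", ".arj": "arj", ".rar": "rar"}
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".wsf", ".hta", ".msi", ".dll"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg", ".png"}
# Catches names like "...2025pdf.exe.exe" where the lure word is glued on without a dot.
DOC_WORD_RE = re.compile(r"(pdf|docx?|xlsx?|pptx?)$", re.IGNORECASE)
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # stop inflating a member past this (zip-bomb guard)


def sniff_container(data: bytes) -> Optional[str]:
    """Identify the container from its leading bytes, ignoring the file name entirely."""
    for name, sig in CONTAINER_MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def name_flags(filename: str) -> dict:
    """Split a name into stem and extension chain and flag document-lookalike naming:
    'x.pdf.exe' / 'x.pdf.arj' (document ext before the real one) or 'xpdf.exe.exe' (lure word)."""
    stem, *suffixes = os.path.basename(filename).split(".")
    exts = ["." + s.lower() for s in suffixes]
    final = exts[-1] if exts else ""
    return {
        "final_ext": final,
        "executable_ext": final in EXECUTABLE_EXTS,
        "lookalike_doc_name": any(e in DOCUMENT_EXTS for e in exts[:-1])
        or DOC_WORD_RE.search(stem) is not None,
    }


def inspect_member(zf: zipfile.ZipFile, info: zipfile.ZipInfo, reasons: list) -> dict:
    """Stream one member: hash it, read its magic bytes, record why it looks suspicious."""
    member = {"name": info.filename, "size": info.file_size, **name_flags(info.filename),
              "is_pe": False, "nested_archive": None, "sha256": None, "oversized": False}
    digest, total, head = hashlib.sha256(), 0, b""
    with zf.open(info) as fh:
        while True:
            chunk = fh.read(1 << 16)
            if not chunk:
                break
            head = head or chunk[:8]
            total += len(chunk)
            if total > MAX_MEMBER_BYTES:  # count inflated bytes; info.file_size can lie
                member["oversized"] = True
                reasons.append(f"{info.filename}: inflates past {MAX_MEMBER_BYTES} bytes, aborted")
                return member
            digest.update(chunk)
    member["sha256"] = digest.hexdigest()
    member["is_pe"] = head.startswith(b"MZ")
    member["nested_archive"] = sniff_container(head)
    if member["is_pe"]:
        reasons.append(f"{info.filename}: PE executable inside the archive")
    if member["executable_ext"] and member["lookalike_doc_name"]:
        reasons.append(f"{info.filename}: executable extension on a document-lookalike name")
    if member["nested_archive"]:
        reasons.append(f"{info.filename}: nested {member['nested_archive']} archive")
    return member


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Compare the container the extension claims with what the bytes say, then walk
    the members if it is a zip. Returns a report with reasons and a verdict."""
    outer = name_flags(filename)
    claimed, actual = EXT_TO_CONTAINER.get(outer["final_ext"]), sniff_container(data)
    report = {"attachment": filename, "claimed_container": claimed,
              "actual_container": actual, "members": [], "reasons": []}
    if outer["lookalike_doc_name"]:
        report["reasons"].append("attachment name imitates a document")
    if claimed and actual and claimed != actual:
        report["reasons"].append(f"extension claims {claimed} but content is {actual}")
    if actual == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    report["members"].append(inspect_member(zf, info, report["reasons"]))
        except zipfile.BadZipFile:
            report["reasons"].append("zip magic present but the archive does not parse")
    report["verdict"] = "suspicious" if report["reasons"] else "no findings"
    return report


def build_zip(member_name: str, payload: bytes) -> bytes:
    """Constructed test input: a one-member zip. Not the real sample from this page."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Stand-in for the attachment above: same name pattern, "MZ" followed by filler bytes.
    fake = build_zip("FINALE Shipping documentsPA 419-2025pdf.exe.exe",
                     b"MZ" + b"\x90" * 62 + b"filler, not a real PE image")
    report = inspect_attachment("FINALE Shipping documentsPA 419-2025.pdf.arj", fake)
    print(report["verdict"], *("- " + r for r in report["reasons"]), sep="\n")
```

The mismatch check is the cheap win: a mail gateway that trusts the .arj extension and only scans ARJ content never looks inside, while the magic bytes say zip. The member check deliberately ignores the archive's declared sizes and counts what actually inflates, which is the only defence against a crafted central directory.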
Vendor Threat Intelligence

Verdict: Malicious
Score: 92.5%
Tags: injection obfusc virus

Result
Verdict: MALICIOUS

Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict: inconclusive
YARA: 3 match(es)
Tags: Executable PE (Portable Executable) Zip Archive

Threat name: Win32.Trojan.Vigorf
Status: Malicious
First seen: 2025-06-24 01:19:40 UTC
File Type: Binary (Archive)
Extracted files: 16
AV detection: 16 of 24 (66.67%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:guloader family:remcos botnet:remotehost credential_access discovery downloader execution persistence rat stealer
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Uses browser remote debugging
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Guloader family
Guloader,Cloudeye
Remcos
Remcos family
Malware Config
C2 Extraction:
196.251.66.55:2404
196.251.66.55:5000
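The sandbox run above extracted two C2 endpoints on 196.251.66.55. The script below is an added example, not part of this entry and not any vendor's tooling, that turns those endpoints into a retro-hunt over Zeek conn.log: it reads column names from the TSV "#fields" header, matches responder ip:port pairs exactly, and also reports connections to the C2 address on any other port as a weaker signal, given that the extracted config already lists two different ports on the same address. The log excerpt is constructed for the example with a subset of the real conn.log columns; the ip-only heuristic and the Hit record layout are the example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# C2 endpoints exactly as extracted in the Malware Config section above.
REMCOS_C2: Set[Tuple[str, int]] = {("196.251.66.55", 2404), ("196.251.66.55", 5000)}

# Constructed Zeek conn.log excerpt (subset of the real columns). NOT a real capture.
CONN_LOG = (
    "#separator \\x09\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state\torig_bytes\tresp_bytes\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tcount\tcount\n"
    "1750730000.1\tCa1\t10.0.0.23\t49812\t196.251.66.55\t2404\ttcp\tSF\t1432\t5120\n"
    "1750730030.7\tCb2\t10.0.0.23\t49813\t196.251.66.55\t5000\ttcp\tS0\t0\t0\n"
    "1750730045.2\tCc3\t10.0.0.41\t52001\t196.251.66.55\t443\ttcp\tSF\t300\t800\n"
    "1750730060.0\tCd4\t10.0.0.23\t49814\t93.184.216.34\t443\ttcp\tSF\t900\t3000\n"
    "#close\t2025-06-24-12-00-00\n"
)


@dataclass
class Hit:
    ts: str
    uid: str
    src: str
    dst: str
    dport: int
    conn_state: str  # Zeek state; S0 = SYN sent, no answer, still a beacon attempt
    match: str       # "exact" (ip:port in the config) or "ip_only" (same host, other port)


def parse_zeek_tsv(text: str) -> List[Dict[str, str]]:
    """Minimal Zeek TSV reader: column names come from the #fields line; other '#'
    metadata lines (separator, path, types, close) are skipped; one dict per record."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue
        else:
            if fields is None:
                raise ValueError("data row before #fields header")
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def match_c2(log_text: str, c2: Set[Tuple[str, int]] = REMCOS_C2) -> List[Hit]:
    """Flag records whose responder is a known C2 endpoint (exact) or the C2
    address on another port (ip_only: weaker, but worth a look in triage)."""
    c2_ips = {ip for ip, _ in c2}
    hits: List[Hit] = []
    for row in parse_zeek_tsv(log_text):
        dst, dport = row["id.resp_h"], int(row["id.resp_p"])
        if (dst, dport) in c2:
            kind = "exact"
        elif dst in c2_ips:
            kind = "ip_only"
        else:
            continue
        hits.append(Hit(row["ts"], row["uid"], row["id.orig_h"], dst, dport, row["conn_state"], kind))
    return hits


def beaconing_hosts(hits: List[Hit]) -> Set[str]:
    """Internal addresses that reached for the C2: the hosts to isolate and image first."""
    return {h.src for h in hits}


if __name__ == "__main__":
    found = match_c2(CONN_LOG)
    for h in found:
        print(f"{h.ts} {h.src} -> {h.dst}:{h.dport} state={h.conn_state} match={h.match} uid={h.uid}")
    print("hosts to triage:", sorted(beaconing_hosts(found)))
```

Do not drop records with conn_state S0: a SYN that got no reply still means the implant ran and tried its controller, which is the evidence you want even when the C2 was already offline or blocked upstream.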

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Detect_NSIS_Nullsoft_Installer
Author: Obscurity Labs LLC
Description: Detects NSIS installers by .ndata section + NSIS header string

Rule name: pe_detect_tls_callbacks

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: pe_no_import_table
Description: Detect pe file that no import table

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: RemcosRAT, zip d8c2bd110b5cce3629702c7b3d5ee03019050f53b05a688a156a16a09f552dc4 (this sample)
Delivery method: Distributed via e-mail attachment
Dropping: RemcosRAT