MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0717daa265162ca602b432ef694dfc9d3fd6126854f80d4aab2175830a420781. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0717daa265162ca602b432ef694dfc9d3fd6126854f80d4aab2175830a420781
SHA3-384 hash: 23da658201862e7f2e7b56c764c6c1499d372835f7ea7293f527c683cc4483a643054c4ee9c7360899bcc207611c2978
SHA1 hash: dc00dee4deaf0f14c929b9af4c8a35c950c3478d
MD5 hash: 417fd4f902368e2f28aba811aa3c96b0
humanhash: monkey-cup-leopard-potato
File name:RFQ.vbs
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:3'178 bytes
First seen:2022-09-05 09:06:52 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:X59N1ZegfQKLf9X2A0OUlzyxCeaApu4u0+:xegpLfccXaAgR0+
Threatray 2'007 similar samples on MalwareBazaar
TLSH T15D61130E744B2129E4335CB1CC4B157EB9F2B24362BA85507A0EF6D6AD3846CA796D3C
Reporter 0xToxin
Tags:RemcosRAT vbs


Avatar
0xToxin
https://onedrive.live.com/download?cid=ED7F3ACDCBA1F7D2&resid=ED7F3ACDCBA1F7D2!429&authkey=AHJ8XFpQGpBESqk

Intelligence

File Origin
# of uploads :
1
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/307792/
Detection(s):
SecuriteInfo.com.Trojan.GenericFCA.Script.12103.27979.6476.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6315bc7b7ab07f2f4ec6681f/reports/ecd041b5-59ae-4e7d-95d7-8152f4acaa2a/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1065000
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
DLL side loading technique detected
Drops PE files to the startup folder
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Powershell drops PE file
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 697524 Sample: RFQ.vbs Startdate: 05/09/2022 Architecture: WINDOWS Score: 100 60 god7.duckdns.org 2->60 80 Malicious sample detected (through community Yara rule) 2->80 82 Antivirus detection for URL or domain 2->82 84 Yara detected Remcos RAT 2->84 86 3 other signatures 2->86 10 wscript.exe 15 2->10         started        14 wscript.exe 17 2->14         started        signatures3 process4 dnsIp5 94 System process connects to network (likely due to code injection or exploit) 10->94 96 Wscript starts Powershell (via cmd or directly) 10->96 98 Very long command line found 10->98 16 powershell.exe 10->16         started        21 cmd.exe 1 10->21         started        62 unified-credit-tf.online 162.213.255.48, 443, 49719, 49720 NAMECHEAP-NETUS United States 14->62 23 powershell.exe 14 20 14->23         started        25 cmd.exe 1 14->25         started        signatures6 process7 dnsIp8 56 unified-credit-tf.online 16->56 54 C:\Users\user\AppData\...\AgileDotNetRT64.dll, PE32+ 16->54 dropped 68 Writes to foreign memory regions 16->68 70 DLL side loading technique detected 16->70 72 Injects a PE file into a foreign processes 16->72 27 RegAsm.exe 2 17 16->27         started        31 conhost.exe 16->31         started        74 Drops VBS files to the startup folder 21->74 76 Drops PE files to the startup folder 21->76 33 conhost.exe 21->33         started        58 unified-credit-tf.online 23->58 78 Powershell drops PE file 23->78 35 conhost.exe 23->35         started        37 RegAsm.exe 23->37         started        39 conhost.exe 25->39         started        file9 signatures10 process11 dnsIp12 64 god7.duckdns.org 91.193.75.209, 1984, 49743, 49745 DAVID_CRAIGGG Serbia 27->64 66 geoplugin.net 178.237.33.50, 49746, 49759, 80 ATOM86-ASATOM86NL Netherlands 27->66 100 Tries to steal Mail credentials (via file registry) 27->100 102 Maps a DLL or memory area into another process 27->102 104 Installs a global keyboard hook 27->104 41 RegAsm.exe 27->41         started        44 RegAsm.exe 27->44         started        46 RegAsm.exe 27->46         started        48 2 other processes 27->48 signatures13 process14 signatures15 88 Tries to steal Instant Messenger accounts or passwords 41->88 90 Tries to steal Mail credentials (via file / registry access) 41->90 92 Tries to harvest and steal browser information (history, passwords, etc) 44->92 50 conhost.exe 48->50         started        52 reg.exe 48->52         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0717daa265162ca602b432ef694dfc9d3fd6126854f80d4aab2175830a420781/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a4l5vitfcywkmavuglxwstp4tu75metikt4a2svlef2ygcsca6aq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1eb85ede00f809ba0f2ae9ea64c78615705f7314f31934887849c60f86b6505e
RemcosRAT
20d06c9366037f9c7d08d843ddcb74e264accf481dbefd7b1f77669abb4d9be9
RemcosRAT
21717cdfec5b3e14e7493537a9ca67045929faa591dc041350bc29070ca65681
RemcosRAT
24bb842bb98ba84cbd9db57c226cbf30bd30d240007b18c3c9a734fd4f8e63a7
RemcosRAT
2cf1525cdb58ec9e5d47e5c66619b9cf2966155ece68a66e9bf935369971ccdc
RemcosRAT
6c3193fce2bc8edb1884269cc6c43445db0c8a7ca04d89605d588a72510b3ca1
RemcosRAT
b0e78152cf5f5eca9be7cc47e833600e77db47786c09cc2be451f310c50881d9
RemcosRAT
b563d460e40277fd18dfa645f16081ed6328f519e218afc6570dafe951f5feea
RemcosRAT
cce110eed95c36bf618669b1a290ee90b5152ee9c660b6b37f3e11dca7431419
RemcosRAT
ec0a3b7d3636b52ae025418ec21669e06c30f58930f11303571a2af6993ef365
RemcosRAT
+ 1'997 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:tech collection evasion rat spyware stealer trojan
Link:
https://tria.ge/reports/220905-k3bc6aghe9/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
UAC bypass
Malware Config
C2 Extraction:
god7.duckdns.org:1984
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0717daa26516/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0717daa265162ca602b432ef694dfc9d3fd6126854f80d4aab2175830a420781

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/307792/

Comments