MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 078025707e0069438637644d4b57c0ab3f20c21fc738117589b15716d4e429d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 078025707e0069438637644d4b57c0ab3f20c21fc738117589b15716d4e429d5
SHA3-384 hash: 2d4969af9ec332fc9741182f65ef1f145f095d16bfaea45c5e454d83a1edfb28797071c58ecb92dbffeffe346b571ced
SHA1 hash: aa307ccb72b6796befc5c801388d525add300321
MD5 hash: 8ed7f44228669882a183e11c08a9ad1b
humanhash: massachusetts-violet-happy-quebec
File name:script.ps1
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:5'191 bytes
First seen:2021-09-17 04:48:41 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 96:CpG725YLUlm0rmjddoeuEoBqUOflq8TzFg78Znws0ZQ3Jzmc4LWl:l25fc0Sddvtllq8TBgoZws0iJzmcmWl
Threatray 637 similar samples on MalwareBazaar
TLSH T168B17A3AC172FCC54F8C3A4281760E6B294C7955DBFB1E24DB0D5CFE35A2A619B10A29
Reporter JAMESWT_WT
Tags:DHLShipmentNotification ps1 RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
242
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.PowerShell_Case_Anomaly.16723.20317.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/61752642a9d585e6d537128a/reports/5a419fb3-5750-4e9e-ab18-3c20289ee166/overview
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/078025707e0069438637644d4b57c0ab3f20c21fc738117589b15716d4e429d5/
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0b1970568987b6e2a949dde9d4e249d704cbfaf622c80741db02dd711838abff
RemcosRAT
12769dfad3c04708ff571307f8591db3acd2469ffdf25813f0eb6ea3ecc3af73
RemcosRAT
1974f2f3c94bc79af6872802cae45f9113ce6b708635930a77aa73db92898852
RemcosRAT
41ed87725575a97d3f1a04554cb78dd3fb973e209950d2f7c54168626ce57ef4
RemcosRAT
4a84faebc419ed0cddbc9e37b337a3090a01051d3ed7d1650c2845369b9a1d63
RemcosRAT
653162513b0b91ca4232620e9233402d8da6b89a362c78475d2c20da78f9e72d
RemcosRAT
6b4a57c6eb6a005e9641a19c161334890128dfd6b15477f1add890041b7c8bf8
RemcosRAT
6dca812163e8e3bf8cfc6a82fd8f14b6cb3cc3c8b72c0b4a0a4dc549f3dc3202
RemcosRAT
6eed5350c18b26f6aadaf28e5ceb48ca742db7fbee28fbe9aa7f3c552651e048
RemcosRAT
+ 627 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:popup persistence rat suricata
Link:
https://tria.ge/reports/210917-ffnyhshehl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Downloads MZ/PE file
Remcos
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
204.44.86.179:49151
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/078025707e0069438637644d4b57c0ab3f20c21fc738117589b15716d4e429d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PowerShell_Case_Anomaly
Create hunting rule
Author:Florian Roth
Description:Detects obfuscated PowerShell hacktools
Reference:https://twitter.com/danielhbohannon/status/905096106924761088

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments