MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c6d9a8770fee14f7194840c71381b4baccaa76da66c5a43a0b7e73352ea4ec1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0c6d9a8770fee14f7194840c71381b4baccaa76da66c5a43a0b7e73352ea4ec1
SHA3-384 hash: 155793c2960e0b011f9676464d0a95ac030117bb8e5b8afb7bd4a3e036c66605a1911f6b5f086f5327f4e83b26082c3f
SHA1 hash: 5b5043cb5ef5fc110bbbadf9972c44cbdac8dce3
MD5 hash: 16409837535e98ba979174d428cac117
humanhash: helium-lactose-magazine-white
File name:win.vbs
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:2'059 bytes
First seen:2022-03-22 17:26:01 UTC
Last seen:2022-03-24 18:36:20 UTC
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:8O1oaSfoRza+NM4JqrnLFuYwOPYIJ940Uq//e3k:8Oy6Ba+QrnxuYwgJHj
Threatray 1'189 similar samples on MalwareBazaar
TLSH T1094150EDF08FB4650B2308B1D95B685F9A31A182C538A480F60DDFCD1D3915893666ED
Reporter James_inthe_box
Tags:RemcosRAT vbs

Intelligence

File Origin
# of uploads :
2
# of downloads :
157
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/254969/
Detection(s):
SecuriteInfo.com.VBS.Agent.ALM.genEldorado.23853.24312.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/623a06b8b94fb38cb4d04a36/reports/25c4ae09-3bb3-42d3-b5e8-6d453ad67ca9/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/962263
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Drops PE files to the startup folder
Drops VBS files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 594740 Sample: win.vbs Startdate: 23/03/2022 Architecture: WINDOWS Score: 100 31 shiestynerd.dvrlists.com 2->31 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Antivirus detection for URL or domain 2->43 45 4 other signatures 2->45 8 wscript.exe 1 2->8         started        11 iexplore.exe 1 73 2->11         started        13 wscript.exe 2->13         started        signatures3 process4 signatures5 47 Wscript starts Powershell (via cmd or directly) 8->47 49 Very long command line found 8->49 15 powershell.exe 14 19 8->15         started        18 powershell.exe 12 8->18         started        20 iexplore.exe 31 11->20         started        process6 dnsIp7 57 Writes to foreign memory regions 15->57 59 Injects a PE file into a foreign processes 15->59 23 RegAsm.exe 2 15->23         started        27 conhost.exe 15->27         started        61 Drops VBS files to the startup folder 18->61 63 Drops PE files to the startup folder 18->63 29 conhost.exe 18->29         started        33 209.127.19.101, 49766, 49767, 49774 SERVER-MANIACA Canada 20->33 signatures8 process9 dnsIp10 35 shiestynerd.dvrlists.com 79.134.225.111, 10174, 49785, 49786 FINK-TELECOM-SERVICESCH Switzerland 23->35 37 192.168.2.1 unknown unknown 23->37 51 Contains functionality to steal Chrome passwords or cookies 23->51 53 Contains functionality to steal Firefox passwords or cookies 23->53 55 Delayed program exit found 23->55 signatures11
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0c6d9a8770fee14f7194840c71381b4baccaa76da66c5a43a0b7e73352ea4ec1/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2022-03-22 17:26:02 UTC
File Type:
Text (VBS)
AV detection:
6 of 26 (23.08%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
remcos
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
09b75cdc3edcad3cc8b1729683a1132506e851c9d7a1d864fc842284822d1ba5
RemcosRAT
4d1cfc06d50c33a02572d8d32f34c277bb89bad8d2932c4e0549409d98d5ddda
RemcosRAT
5c374e1534ffb2f6ae7e6fc88f9034dcf475551c5813bed15458d94cb62767e2
RemcosRAT
6a182d41a2d215552343174e699a7dba2d6282136f338a88826ac5eac8f0e7f6
RemcosRAT
a1b385afa0592f1fc9e0eaacd751beb5e15ff4151f2ac98e0166f29955690b9c
RemcosRAT
a439a0f9a25819c7b124965c1d48eff1f981aa3d6190c3f24239c97ec39b2c39
RemcosRAT
a5235adab75f69fd47b814a81ed89fe195e9a37e59c742e42363379742fc3b43
RemcosRAT
ea812747173109ca7a8724a7a6a14b1518f436417a00e92d03b962d99821664c
RemcosRAT
f4b96c1a853a6bdc9a811511c4338262e8a33311d21cea5690c74daa1d2dae32
RemcosRAT
+ 1'179 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:shiesty rat
Link:
https://tria.ge/reports/220322-vzwj2acgfp/
Behaviour
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks computer location settings
Blocklisted process makes network request
Remcos
Malware Config
C2 Extraction:
shiestynerd.dvrlists.com:10174
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/0c6d9a8770fe/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0c6d9a8770fee14f7194840c71381b4baccaa76da66c5a43a0b7e73352ea4ec1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/254969/
  
URLhaus
https://urlhaus.abuse.ch/url/2111221/

Comments