MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11404fa706a38634153e774541af43880bba9b04e21df51ffc55e80ab3cac7e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 11404fa706a38634153e774541af43880bba9b04e21df51ffc55e80ab3cac7e8
SHA3-384 hash: edbc3bf3b240d99234d4688099008ebccf34e375b9a266945000ae7b0822174416207c770eafec234b242d82e6ef842a
SHA1 hash: 7c7146a0263815175a1bbadca57800073d177de8
MD5 hash: a38bbd470eb96937af724dc7588cedff
humanhash: pennsylvania-eighteen-eight-butter
File name:bestfuturewithgreatskillnevergivebestter.hta
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:2'010 bytes
First seen:2025-07-01 10:02:59 UTC
Last seen:2025-07-01 16:56:46 UTC
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 24:hPgSw2dSAT2lhNeAfg0sgf9yRrloAOFb3QmeNwiXECLoiXJIy/gpdypwybe5MCO:tgBqSdq0sgfsRZORgmeS0oOB4HSeSCO
TLSH T1EA418A224D0D85881B761DA3ACE7C005F2E481E3C9559CADBB5CC83A6FB43CF59D489A
Magika vba
Reporter abuse_ch
Tags:hta RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
23
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.HTA.Agent-E.1978.24407.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.HTA.Agent-E.24466.7247.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6863b26f0fceda814b47a18f
Tags:
obfuscate xtreme shell
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/11404fa706a38634153e774541af43880bba9b04e21df51ffc55e80ab3cac7e8/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Labled as:
HTML/TrojanDropper.Agent
Link:
https://www.hybrid-analysis.com/sample/11404fa706a38634153e774541af43880bba9b04e21df51ffc55e80ab3cac7e8
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.spre.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1726261
Signature
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Command shell drops VBS files
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (suspicious strings)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Legitimate Application Dropped Script
Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Remcos
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected VBS Downloader Generic
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1726261 Sample: bestfuturewithgreatskillnev... Startdate: 01/07/2025 Architecture: WINDOWS Score: 100 48 weneedverysweetgirlwholovesmebetterthana.duckdns.org 2->48 50 geoplugin.net 2->50 58 Suricata IDS alerts for network traffic 2->58 60 Found malware configuration 2->60 62 Malicious sample detected (through community Yara rule) 2->62 66 21 other signatures 2->66 11 mshta.exe 2 2->11         started        signatures3 64 Uses dynamic DNS services 48->64 process4 file5 44 C:\Windows\Temp\gapesing.bat, DOS 11->44 dropped 14 cmd.exe 2 11->14         started        process6 file7 46 C:\Windows\Temp\compromised.vbs, ASCII 14->46 dropped 96 Potential malicious VBS script found (suspicious strings) 14->96 98 Command shell drops VBS files 14->98 18 wscript.exe 1 14->18         started        22 conhost.exe 14->22         started        24 timeout.exe 1 14->24         started        signatures8 process9 dnsIp10 52 62.60.208.170, 49687, 49688, 49692 ASLINE-AS-APASLINELIMITEDHK Iran (ISLAMIC Republic Of) 18->52 68 System process connects to network (likely due to code injection or exploit) 18->68 70 Suspicious powershell command line found 18->70 72 Wscript starts Powershell (via cmd or directly) 18->72 74 3 other signatures 18->74 26 powershell.exe 15 16 18->26         started        signatures11 process12 signatures13 82 Writes to foreign memory regions 26->82 84 Found suspicious powershell code related to unpacking or dynamic code loading 26->84 86 Injects a PE file into a foreign processes 26->86 29 CasPol.exe 4 13 26->29         started        33 conhost.exe 26->33         started        process14 dnsIp15 54 weneedverysweetgirlwholovesmebetterthana.duckdns.org 198.55.102.43, 14646, 49693, 49694 ASN-QUADRANET-GLOBALUS United States 29->54 56 geoplugin.net 178.237.33.50, 49695, 80 ATOM86-ASATOM86NL Netherlands 29->56 88 Contains functionality to bypass UAC (CMSTPLUA) 29->88 90 Detected Remcos RAT 29->90 92 Tries to steal Mail credentials (via file registry) 29->92 94 7 other signatures 29->94 35 CasPol.exe 1 29->35         started        38 CasPol.exe 1 29->38         started        40 CasPol.exe 14 29->40         started        42 3 other processes 29->42 signatures16 process17 signatures18 76 Tries to steal Instant Messenger accounts or passwords 35->76 78 Tries to steal Mail credentials (via file / registry access) 35->78 80 Tries to harvest and steal browser information (history, passwords, etc) 38->80
Score:
2%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/11404fa706a38634153e774541af43880bba9b04e21df51ffc55e80ab3cac7e8
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Html
Link:
https://app.malva.re/file/a38bbd470eb96937af724dc7588cedff
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/11404fa706a38634153e774541af43880bba9b04e21df51ffc55e80ab3cac7e8/
Threat name:
Document-HTML.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2025-07-01 10:03:33 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
12 of 38 (31.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cfae7jyguoddifj6o5cudl2draf3vgye4io7kh74kxuavm6ky7ua._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:evaangel collection discovery execution rat
Link:
https://tria.ge/reports/250701-l3jj7ssyhv/
Behaviour
Delays execution with timeout.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Remcos
Remcos family
Malware Config
C2 Extraction:
weneedverysweetgirlwholovesmebetterthana.duckdns.org:14646
Dropper Extraction:
http://62.60.208.170/xampp/cv/universe-1733359315202-8750.jpg
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/11404fa706a38634153e774541af43880bba9b04e21df51ffc55e80ab3cac7e8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

HTML Application (hta) hta 11404fa706a38634153e774541af43880bba9b04e21df51ffc55e80ab3cac7e8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3572650/
  
Delivery method
Distributed via web download

Comments