MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14e81b50d5d016e3aea5abd7c6264f6ae260d3a4ed0e5de8898c512d3276ee3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	14e81b50d5d016e3aea5abd7c6264f6ae260d3a4ed0e5de8898c512d3276ee3b
SHA3-384 hash:	65c51126d718ffa09d1a9e8a1af629c568ccdedc58582cfcdb5367f108e0be4d095ecd1751e11e9c95777a69588909dc
SHA1 hash:	679ed3430c35eb76d70d8c133cb8573d6a7433cb
MD5 hash:	0a88f2fd2b20d511c756407f5eea8926
humanhash:	five-potato-oklahoma-uranus
File name:	COMPLEMENTO DE PAGO.vbs
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'073'370 bytes
First seen:	2025-11-13 06:17:21 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	12288:OMh5QZKp/xCcyv3UPSHP+cTldykjUmu263yHfL3xcHu+ciSk420I1XgMeVBzDYFL:w7v30SvhO4Umu2nfL3+H33RxeVBAY56
Threatray	90 similar samples on MalwareBazaar
TLSH	T1A635F1AC8DE03C9C32DB6FD3FD127D7C03634626AD60DD9E7875224816E239497AB624
Magika	vba
Reporter	abuse_ch
Tags:	RemcosRAT vbs

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/38046/

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=691577f428ddbbca4d8da908

Tags:

obfuscate xtreme shell

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm base64 cmd evasive fingerprint lolbin obfuscated powershell

Link:

https://www.filescan.io/uploads/6915782c4a2200e32eee9384/reports/7f1c3d30-23e9-406d-8c97-fc6d8c8b3ff6/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/14e81b50d5d016e3aea5abd7c6264f6ae260d3a4ed0e5de8898c512d3276ee3b

Verdict:

Malicious

File Type:

text

First seen:

2025-11-11T17:43:00Z UTC

Last seen:

2025-11-15T04:32:00Z UTC

Hits:

~10000

Detections:

HEUR:Trojan.PowerShell.Tesre.sb Trojan-Downloader.JS.Cryptoload.sb HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Script.Generic Trojan.PowerShell.AmsiBypass.sb Trojan.JS.SAgent.sb

Link:

https://opentip.kaspersky.com/14e81b50d5d016e3aea5abd7c6264f6ae260d3a4ed0e5de8898c512d3276ee3b/results?tab=lookup

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1813136

Signature

.NET source code contains a sample name check

.NET source code references suspicious native API functions

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Creates processes via WMI

Detected Remcos RAT

Found malware configuration

Found suspicious powershell code related to unpacking or dynamic code loading

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: PowerShell Base64 Encoded IEX Cmdlet

Sigma detected: Remcos

Sigma detected: Suspicious PowerShell Parameter Substring

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Sigma detected: WScript or CScript Dropper

Suricata IDS alerts for network traffic

Suspicious execution chain found

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Yara detected Powershell decode and execute

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/14e81b50d5d016e3aea5abd7c6264f6ae260d3a4ed0e5de8898c512d3276ee3b

Verdict:

Malware

YARA:

1 match(es)

Tags:

DeObfuscated Obfuscated scripting.filesystemobject T1059.005 VBScript

Link:

https://app.malva.re/file/0a88f2fd2b20d511c756407f5eea8926

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/14e81b50d5d016e3aea5abd7c6264f6ae260d3a4ed0e5de8898c512d3276ee3b/

Verdict:

Malicious

Threat:

Trojan.PowerShell.AmsiBypass

Link:

https://tip.neiki.dev/file/14e81b50d5d016e3aea5abd7c6264f6ae260d3a4ed0e5de8898c512d3276ee3b

Threat name:

Script-WScript.Backdoor.Remcos

Status:

Malicious

First seen:

2025-11-12 01:13:50 UTC

File Type:

Text

AV detection:

12 of 37 (32.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ctubwugv2alohlvfvpl4mjspnlrgbu5e5uhf32ejrris2mtw5y5q._file

Verdict:

malicious

Label(s):

remcos

donutloader

Result

Malware family:

n/a

Score:

10/10

Tags:

execution

Link:

https://tria.ge/reports/251113-hebmxacs4h/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: PowerShell

Badlisted process makes network request

Process spawned unexpected child process

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/14e81b50d5d0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/14e81b50d5d016e3aea5abd7c6264f6ae260d3a4ed0e5de8898c512d3276ee3b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/38046/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample