MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1647393d7971b61b15821198c9acb29501e0698e785d69d8d4de46b0c98952ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	1647393d7971b61b15821198c9acb29501e0698e785d69d8d4de46b0c98952ec
SHA3-384 hash:	7a2165371faa33e595f3f79ba368d28b9037664260b9e9be668eddd72f127341d45202c9d04f17f744b589262f390507
SHA1 hash:	2ec1461c65469339f1813ccfdbc8ad679a481f0c
MD5 hash:	c47d7c3439418afc7b945d23cdff4620
humanhash:	virginia-helium-montana-alanine
File name:	dataf.vbs
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	2'654 bytes
First seen:	2022-02-07 20:53:01 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	48:E4jgI6UDSV7YuJWs4MbjCNmEUB31AidWOo206YazGIuhSK3+LL7JW0:E4jgI6UaJN4MSNmJB31AiQBu4IuhOLLb
Threatray	986 similar samples on MalwareBazaar
TLSH	T11651979F3297E134B5271CA2EF4B44AD96A1516E307884507A0CCBC44F3856CAF8AD5D
Reporter	adm1n_usa32
Tags:	RemcosRAT vbs

Intelligence

File Origin

# of uploads :

1

# of downloads :

94

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/236749/

Detection(s):

SecuriteInfo.com.VB.Trojan.Valyria.6005.11903.15490.UNOFFICIAL

Result

Verdict:

UNKNOWN

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/935579

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1647393d7971b61b15821198c9acb29501e0698e785d69d8d4de46b0c98952ec/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2022-02-07 20:54:07 UTC

File Type:

Text (VBS)

AV detection:

1 of 43 (2.33%)

Threat level:

5/5

Verdict:

malicious

Label(s):

remcos

Similar samples:

069e33991bd7de11fd8defd71166ec16592380f263c3c71cd657abfba072cb60

41c5f1255cce4354260808461f21f81be011b7114a1782e60a28c3092e73f8af

4f43f9b5de8e532a4c7f31df433fd2c5d9d66e269247a1181c8345d36bb058ad

5508d3fe5c41c4dec4a7570f0d60af3b6ba8cb9251ee1eae91e8fc061c3f58ef

af171290cc03d72c2c1272b039193cb71fdec5b612330f832dad2220753cb406

b1c5e602c1646d6f3d05c37e301c7b808b21e3128fea2687821b1348f41a892d

b1df072eba923c472e461200b35823fde7f8e640bfb468ff5ac707369a2fa35e

ddfc4415217ec461350071b0965a1132ad43472bdc15980da23c46d8f1da188e

+ 976 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:shiesty rat

Link:

https://tria.ge/reports/220207-zpdcxshccn/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of SetThreadContext

Checks computer location settings

Loads dropped DLL

Blocklisted process makes network request

Remcos

Malware Config

C2 Extraction:

shiestynerd.dvrlists.com:10174

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

vbs 1647393d7971b61b15821198c9acb29501e0698e785d69d8d4de46b0c98952ec

(this sample)

anyrun

any.run

https://app.any.run/tasks/63323e1e-2f3b-4077-bb86-343ec1483457

URLhaus

https://urlhaus.abuse.ch/url/2035239/

Delivery method

Distributed via web download

Cape

Cape

https://www.capesandbox.com/analysis/236749/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample