MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c49b4e3b554aeac842b8dc4daf0c5cf24015f96b68e935ddb4adb168b35a696. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c49b4e3b554aeac842b8dc4daf0c5cf24015f96b68e935ddb4adb168b35a696
SHA3-384 hash: b0008f0d7e60f193708995c36b6d38d1e88dcb2f0b4e9056053d579204cfd3cdad8b55fbd9d8cf3a0fa1c03f2711cbad
SHA1 hash: 6cbe44825ba7a2e0d68579a222b055f72d7db856
MD5 hash: 02bf7b0beee44f62d6a12deb45248554
humanhash: triple-single-bravo-spring
File name:eInviocing,pdf.vbs
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:2'731 bytes
First seen:2021-10-12 07:13:24 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:7T75LNsNxxw6ZUlcffqV1qY0mq/qTJGCqVvdqTj/UO//CZ7:7JNsNbwSyaYASdGXtEf/U8+7
Threatray 727 similar samples on MalwareBazaar
TLSH T176514689F8CB41B10F119F0540A3F66F98AB4C63ED40654DF0AF6299AB38BDC0992377
Reporter abuse_ch
Tags:RemcosRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
178
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/196787/
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/616535c6fd35fe780c3a09bd/reports/5757f256-e5ba-4cad-a8ff-cae474dbacc9/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/868356
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates an undocumented autostart registry key
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Obfuscated command line found
Sigma detected: CrackMapExec PowerShell Obfuscation
Sigma detected: Suspicious PowerShell Command Line
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Obfuscated Powershell
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1c49b4e3b554aeac842b8dc4daf0c5cf24015f96b68e935ddb4adb168b35a696/
Threat name:
Script.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-10-12 07:14:15 UTC
AV detection:
2 of 45 (4.44%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dre3jy5vksxkzbblrxcnv4gfz4sacx4ww2hjgxo3jlnrnczvu2la._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0bb25dccd5ee69b35f2c03c04b50ec23573929d193739becb1c623d32db64e4a
RemcosRAT
1730338ca0fbfe0985bed5638fc8599a6dd38761ab8b89e3d8a076947a320028
RemcosRAT
4c60bb36a8789392f4d2c953f08dac0a0056e0c493a0584481ed3fd4a946cad7
RemcosRAT
5d94b24f251b4fd9b9a59a3d60b86512528add9c95a880d8e32e76b1f54b8eea
RemcosRAT
5e1473cb44990bf7a1d8da8ad410642430bc6c5663859bc4e4c738e22b3cc71e
RemcosRAT
6f476c63a6d699d1f0166313deb1e0f623c689882de8411bcd4f0b4f880526dd
RemcosRAT
b3e18d1026779e01b6bc834a8da488eeb669e5e366ef8d495c109c0f1424d3c1
RemcosRAT
b9c5a6059ee5150b5837e446196c4349571d80336b438056f687d7044cd246b9
RemcosRAT
e4b26e2c09188228c4db16281887a17e90baaf95c7b691fa75d05af9f79ff20a
RemcosRAT
f4177fb3986e1f8c74df732b13752ece8d3dbb2e2ea6969b0cf328fc71ebd400
RemcosRAT
+ 717 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:cts rat
Link:
https://tria.ge/reports/211012-h2rmmsbfd5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Blocklisted process makes network request
Remcos
Malware Config
C2 Extraction:
Officialsw.chickenkiller.com:2310
official.ydns.eu:2310
hurricane.ydns.eu:2310
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1c49b4e3b554/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1c49b4e3b554aeac842b8dc4daf0c5cf24015f96b68e935ddb4adb168b35a696

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/196787/

Comments