Threat name: Remcos, Clipboard Hijacker, Sirius Rat
Alert
Classification: rans.troj.spyw.expl.evad
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected malicious Powershell script
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to hide user accounts
Contains functionality to register a low level keyboard hook
Contains functionality to start a terminal service
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates processes via WMI
Delayed program exit found
Deletes shadow drive data (may be related to ransomware)
Detected large data written to user environment variables, potentially indicating payload staging for fileless execution
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign process
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Potential dropper URLs found in powershell memory
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Environment Variable Has Been Registered
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Yara detected Clipboard Hijacker
Yara detected Generic Stealer
Behavior Graph
ID: 1933725
Sample: purchase order MPO-51720.vbs
Startdate: 25/06/2026
Architecture: WINDOWS
Score: 100

Process tree reconstructed from the behavior graph edges (network contacts, dropped files and signatures listed under the node they belong to; bracketed letters distinguish same-named processes):

purchase order MPO-51720.vbs (root node)
  DNS: citra-unggul.com; keyauth.win; ip-api.com
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 26 other signatures
  Started: powershell.exe [A]; powershell.exe [B]; wscript.exe [C]; 4 other processes [D]

powershell.exe [A]
  Network: citra-unggul.com, 103.157.26.230, 443, 49699, IDNIC-LINKGO-AS-IDPTLinkgoMetroTeknologiID, Indonesia
  Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Writes to foreign memory regions; Potential dropper URLs found in powershell memory; 3 other signatures
  Started: CasPol.exe [E]; conhost.exe

powershell.exe [B]
  Network: 102.211.234.60, 49700, 80, GIGABIT-MYGigabitHostingSdnBhdMY, Malaysia
  Dropped: C:\Users\Public\Libraries\VrGX12dRd.vbs, CSV
  Started: wscript.exe [F]

wscript.exe [C]
  Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); 4 other signatures
  Started: powershell.exe [G]

4 other processes [D]
  Network: 127.0.0.1, unknown, unknown
  Started: conhost.exe; conhost.exe

CasPol.exe [E]
  Network: 155.103.71.146, 49703, 777, WHITELABELUS, Turkey
  Dropped: C:\Users\user\AppData\...\windows32s.exe, PE32; C:\Users\user\AppData\Local\Temp\kjwxfi.exe, PE32+; C:\Users\user\AppData\Local\Temp\iijfog.exe, PE32; 2 other malicious files
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Encrypted powershell cmdline option found
  Started: iijfog.exe; kjwxfi.exe; powershell.exe [H]; 3 other processes [I]

wscript.exe [F]
  Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); WScript reads language and country specific registry keys (likely country aware script)
  Started: powershell.exe [J]; powershell.exe [K]

powershell.exe [G]
  Started: conhost.exe

iijfog.exe
  Signatures: Antivirus detection for dropped file; Detected Remcos RAT; Contains functionality to change the wallpaper; 4 other signatures

kjwxfi.exe
  Network: ip-api.com, 208.95.112.1, TUT-AS-TotalUptimeTechnologiesLLCUS, United States
  Signatures: Multi AV Scanner detection for dropped file; Contains functionality to start a terminal service; Contains functionality to hide user accounts; 2 other signatures

powershell.exe [H]
  Signatures: Suspicious powershell command line found
  Started: powershell.exe [L]; conhost.exe

powershell.exe [J]
  Signatures: Writes to foreign memory regions; Injects a PE file into a foreign process
  Started: conhost.exe; CasPol.exe

powershell.exe [K]
  Started: conhost.exe; CasPol.exe

3 other processes [I]
  Dropped: C:\Users\user\AppData\Local\Temp\CasPol.exe, PE32
  Started: conhost.exe; cvtres.exe; 2 other processes

powershell.exe [L]
  Started: conhost.exe