MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 305e8cf66668a19599e9e03a5f32d00a524fb45a4385c28978d3713de9cca6c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 305e8cf66668a19599e9e03a5f32d00a524fb45a4385c28978d3713de9cca6c3
SHA3-384 hash: 9c6f1279cfb925cf6dd1f5e5dd92c9782db21edd7b7a5748e48e10d43ed57b0786b9ba7886d297c0fc9892e4623c330a
SHA1 hash: 90caba4c5109b0861e7ff6839aa47177b1ab006e
MD5 hash: 89ff11f1005b5b90c3619bb972f81f4c
humanhash: cup-butter-low-oregon
File name:ss2.vbs
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:28'416 bytes
First seen:2025-10-26 16:53:51 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 384:Kc4UGDa5EG1oH03kkmW9ZlYs8TB8juVCV6ShnqPVAjwH2ru97P1ufvxyntTACBRP:K97qtqH03kPf9qju0jqP2drzeAA5b
Threatray 2'458 similar samples on MalwareBazaar
TLSH T1F6D2E83AC854AFF00B2F60A69D0B2D5945594326BA743A0D75CE99AC3F35321CFD81EB
Magika vba
Reporter abuse_ch
Tags:RemcosRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
57
Origin country :
SE SE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34181/
Detection(s):
TwinWave.EvilVBA.LostAtSeaFuncInDirection.20240306.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68fe528d6c859164aa64e1fd
Tags:
xtreme virus shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 obfuscated obfuscated powershell
Link:
https://www.filescan.io/uploads/68fe537411ff3db29f68a7d9/reports/017d05d9-4018-45ad-8d63-875a56f7af9e/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/305e8cf66668a19599e9e03a5f32d00a524fb45a4385c28978d3713de9cca6c3
Verdict:
Malicious
File Type:
vbs
First seen:
2025-10-24T17:24:00Z UTC
Last seen:
2025-10-26T18:34:00Z UTC
Hits:
~100
Detections:
PDM:Trojan.Win32.Generic Trojan-Downloader.PowerShell.NanoShield.sb Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Script.Generic HEUR:Trojan.Multi.Stego.gen
Link:
https://opentip.kaspersky.com/305e8cf66668a19599e9e03a5f32d00a524fb45a4385c28978d3713de9cca6c3/results?tab=lookup
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1802032
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to determine the online IP of the system
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: Remcos
Sigma detected: Suspicious PowerShell IEX Execution Patterns
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1802032 Sample: ss2.vbs Startdate: 26/10/2025 Architecture: WINDOWS Score: 100 24 hold-mayre.duckdns.org 2->24 26 3zd6k5n6q3.ufs.sh 2->26 28 6 other IPs or domains 2->28 38 Suricata IDS alerts for network traffic 2->38 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 46 14 other signatures 2->46 8 wscript.exe 1 2->8         started        11 svchost.exe 1 1 2->11         started        signatures3 44 Uses dynamic DNS services 24->44 process4 dnsIp5 56 VBScript performs obfuscated calls to suspicious functions 8->56 58 Suspicious powershell command line found 8->58 60 Wscript starts Powershell (via cmd or directly) 8->60 62 2 other signatures 8->62 14 powershell.exe 14 17 8->14         started        34 127.0.0.1 unknown unknown 11->34 signatures6 process7 dnsIp8 36 3zd6k5n6q3.ufs.sh 104.21.43.201, 443, 49692, 49693 CLOUDFLARENETUS United States 14->36 64 Writes to foreign memory regions 14->64 66 Injects a PE file into a foreign processes 14->66 18 MSBuild.exe 4 14->18         started        22 conhost.exe 14->22         started        signatures9 process10 dnsIp11 30 hold-mayre.duckdns.org 192.169.69.26, 4040, 49694, 49695 WOWUS United States 18->30 32 186.169.70.5, 4040, 49747 COLOMBIATELECOMUNICACIONESSAESPCO Colombia 18->32 48 Contains functionality to bypass UAC (CMSTPLUA) 18->48 50 Detected Remcos RAT 18->50 52 Contains functionality to determine the online IP of the system 18->52 54 4 other signatures 18->54 signatures12
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/305e8cf66668a19599e9e03a5f32d00a524fb45a4385c28978d3713de9cca6c3
Verdict:
Malware
YARA:
1 match(es)
Tags:
DeObfuscated Obfuscated T1059.005 VBScript WScript.Network
Link:
https://app.malva.re/file/89ff11f1005b5b90c3619bb972f81f4c
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/305e8cf66668a19599e9e03a5f32d00a524fb45a4385c28978d3713de9cca6c3/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/305e8cf66668a19599e9e03a5f32d00a524fb45a4385c28978d3713de9cca6c3
Threat name:
Script-WScript.Backdoor.Remcos
Create hunting rule
Status:
Suspicious
First seen:
2025-10-22 22:00:47 UTC
File Type:
Text (VBS)
AV detection:
11 of 38 (28.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gbpiz5tgncqzlgpj4a5f6mwqbjje7nc2ioc4fcly2nyt32omu3bq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
073f19c57b7df3868b83c3648938b52b94878bc4e00d9eaf0c0074a338cd510a
RemcosRAT
44b4e8fd5f88de4ef6a49b7d42e9b31c226f66346db7f73d3ad8aaf1074c7f12
RemcosRAT
5756bb7dd6781086bfa7c5af6786f9792c895f29900f37eb92284ab38224c8f8
RemcosRAT
6385ba95a2f179fac688bc5524caebdd20de2fdd3ddbbc531351f8db1965660c
RemcosRAT
724d81eb1abf92eb7520ca1534f9c10fb83a5743a2f8ce956e94e0a9af725f8d
RemcosRAT
915bbdf3cf472b1eb3ce2e4a3859214867cd885899b7c26bc13561709e122920
RemcosRAT
ab9cfb220debabf3b0789611d45cd86104f9b0b8d941fca0689b6c11ae26fc45
RemcosRAT
b5c978f16a11c1bc6589e5b4b78d08fec1cea4cf2df5df9c67b1eda26e485f6d
RemcosRAT
c734213b41e4d5eda359c15b3bbcf546a2d7a77308085cd136d3742816aeb667
RemcosRAT
d2ed08a124a2e2da4446c03d4487083a7078d901dff790c2ae0a8e61005a1eaf
RemcosRAT
error
RemcosRAT
+ 2'448 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos defense_evasion discovery execution rat
Link:
https://tria.ge/reports/251026-vp3wcsdj9x/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Badlisted process makes network request
Remcos
Remcos family
Malware Config
C2 Extraction:
hold-mayre.duckdns.org:4040
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/305e8cf66668a19599e9e03a5f32d00a524fb45a4385c28978d3713de9cca6c3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Visual Basic Script (vbs) vbs 305e8cf66668a19599e9e03a5f32d00a524fb45a4385c28978d3713de9cca6c3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3686357/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/34181/

Comments