MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3187611531a581563edecd336427c050d1d54435d541044e21c33a8fcea93439. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3187611531a581563edecd336427c050d1d54435d541044e21c33a8fcea93439
SHA3-384 hash: 18e91ad92b1b0fc2046718aa43e3e2f9c4c5828099d2c0b0d41c4e49a3a5bb8add071ecf0e23192d546d331fd19cd993
SHA1 hash: 06f334f7c77070491810054ca5d663785c155995
MD5 hash: fccfa91cf5d87f2a0d162ac8254396db
humanhash: maine-sodium-papa-eleven
File name:CMACGM-WBINS9013246-20210714-125247.pdf.vbs
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:3'069 bytes
First seen:2022-05-09 14:08:17 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:S19QZMH7JslY9NZmlKoeqe6JF1rSh0SRxh1/WVtoHozvEMbs90Bd+lPDv:EFrcJF1rShXRgyme/Dv
Threatray 1'275 similar samples on MalwareBazaar
TLSH T14D51744E709F756055397FB7EC1B046EAB330B43A6A405467A09AACACD7803DD6C0C1E
Reporter abuse_ch
Tags:RemcosRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
187
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.SNH.ScriptDropper.12664.32290.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/62792054a40dfc4df210e959/reports/26014396-b638-4772-8d6f-9701c5f35c38/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/990345
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
DLL side loading technique detected
Drops PE files to the startup folder
Drops VBS files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Powershell drops PE file
System process connects to network (likely due to code injection or exploit)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 622846 Sample: CMACGM-WBINS9013246-2021071... Startdate: 09/05/2022 Architecture: WINDOWS Score: 100 62 Found malware configuration 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 Antivirus detection for URL or domain 2->66 68 5 other signatures 2->68 7 wscript.exe 14 2->7         started        11 wscript.exe 15 2->11         started        process3 dnsIp4 38 l-0003.l-dc-msedge.net 13.107.43.12, 443, 49731, 49744 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 7->38 40 onedrive.live.com 7->40 46 2 other IPs or domains 7->46 78 System process connects to network (likely due to code injection or exploit) 7->78 80 Wscript starts Powershell (via cmd or directly) 7->80 82 Very long command line found 7->82 13 powershell.exe 14 19 7->13         started        17 cmd.exe 1 7->17         started        42 l-0004.l-dc-msedge.net 13.107.43.13, 443, 49736 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 11->42 44 onedrive.live.com 11->44 48 2 other IPs or domains 11->48 19 powershell.exe 11->19         started        signatures5 process6 dnsIp7 50 l-0004.l-dc-msedge.net 13->50 52 l-0003.l-dc-msedge.net 13->52 58 3 other IPs or domains 13->58 84 Writes to foreign memory regions 13->84 86 DLL side loading technique detected 13->86 88 Injects a PE file into a foreign processes 13->88 90 Powershell drops PE file 13->90 22 RegAsm.exe 2 2 13->22         started        26 conhost.exe 13->26         started        92 Drops VBS files to the startup folder 17->92 94 Drops PE files to the startup folder 17->94 28 conhost.exe 17->28         started        54 l-0003.l-dc-msedge.net 19->54 56 zigimg.am.files.1drv.com 19->56 60 2 other IPs or domains 19->60 34 C:\Users\user\AppData\...\AgileDotNetRT64.dll, PE32+ 19->34 dropped 30 conhost.exe 19->30         started        32 RegAsm.exe 19->32         started        file8 signatures9 process10 dnsIp11 36 hjieyhe.ddns.net 91.193.75.131, 49781, 8578 DAVID_CRAIGGG Serbia 22->36 70 Contains functionality to steal Chrome passwords or cookies 22->70 72 Contains functionality to inject code into remote processes 22->72 74 Contains functionality to steal Firefox passwords or cookies 22->74 76 2 other signatures 22->76 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3187611531a581563edecd336427c050d1d54435d541044e21c33a8fcea93439/
Threat name:
Win32.Downloader.Nemucod
Create hunting rule
Status:
Malicious
First seen:
2022-05-09 13:24:25 UTC
File Type:
Text (VBS)
AV detection:
3 of 42 (7.14%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ggdwcfjruwavmpw6zuzwij6akdi5krbv2vaqitrbym5i7tvjgq4q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1ccf09551ed031fa0755e2d2c22e05f8136cce389c5b6585d3f3395041637389
RemcosRAT
369fb7c024c9009a015b69b40e87501395aa4a3c6cf4da5531c33c6840ebe5dd
RemcosRAT
6d21985a34efde10ae60b32f3d1f309da2707f6421bdb78f1da14ec1341b22ec
RemcosRAT
81a08b163648f4a09fbba230dc34b1b2c7e7e979fedc23c6bf89af0f39f32cff
RemcosRAT
b8df890fac057175f86dc5f301f1e1f6d45b2a1b36598934c3fc0144cf433137
RemcosRAT
c32a878240bdd4de7b8ccb5a013e97fec1ddf804ab1e6481592971eddb5033f1
RemcosRAT
e2957cb5fb3bc6646533495ea0e907b852d768839e39cd49f362b2cb1ab53df9
RemcosRAT
+ 1'265 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:may rat
Link:
https://tria.ge/reports/220509-rf6zwadeb2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Remcos
Malware Config
C2 Extraction:
hjieyhe.ddns.net:8578
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3187611531a5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3187611531a581563edecd336427c050d1d54435d541044e21c33a8fcea93439

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments