MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36b3b7fcbc48c6dbf0c3d1692e8f0f0296072f5d0d840ab69d4d95539493af98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

SHA256 hash: 36b3b7fcbc48c6dbf0c3d1692e8f0f0296072f5d0d840ab69d4d95539493af98
SHA3-384 hash: 0557a8686928f9497098a9420385912d694bf6b70a7502cffe950839b2caccc3476ef4e6f43b1e47b98ec6666f62a5b8
SHA1 hash: e6646a8e9cd1787a08db997ee20a06bf553a3fdd
MD5 hash: 8bcfa45995fd6641dabf5ee53fea3524
humanhash: coffee-coffee-summer-chicken
File name: PO - Quote_0093223001.vbs
Signature: RemcosRAT
File size: 118'939 bytes
First seen: 2024-02-02 20:32:13 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 3072:XjH+8fLmI2J8nk8ZOX7X5QfHmvJevp0kdBG4dmNuwzfc5CWwhjC:XjH+8fLqJ8nk8ZOX70HMm0kdBG4d7KGZ
Threatray: 10 similar samples on MalwareBazaar
TLSH: T173C38E337B42BEE52FBB2E40F41128E14D54B52B27A01998FFC41C85AEFB050DE995D9
Reporter: abuse_ch
Tags: RemcosRAT vbs

Intelligence


File Origin
# of uploads: 1
# of downloads: 101
Origin country: NL

Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: dropper obfuscated

Result
Verdict: MALICIOUS
Details
Base64 Encoded URL: Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.

Result
Threat name:
Detection: malicious
Classification: rans.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops PE files with benign system names
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (has network functionality)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Remcos
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph ID: 1385842
Sample: PO_-_Quote_0093223001.vbs
Start date: 02/02/2024
Architecture: WINDOWS
Score: 100

Contacted domains / IPs:
  sayhellotomalware.shop -> 172.67.207.116:443 (CLOUDFLARENETUS, United States), local ports 49705, 49706
  igw.myfirewall.org -> 103.35.191.158:2404 (VECTANTARTERIANetworksCorporationJP, Japan), local port 49707
  geoplugin.net -> 178.237.33.50:80 (ATOM86-ASATOM86NL, Netherlands), local port 49708

Sample-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures

Process tree (node id in parentheses, as drawn in the graph):
  wscript.exe (11)
    dropped: C:\Users\user\AppData\Local\Temp\x.exe (PE32)
    signatures: Benign windows process drops PE files; VBScript performs obfuscated calls to suspicious functions; Windows Scripting host queries suspicious COM object (likely to drop second stage)
    x.exe (21)
      network: sayhellotomalware.shop 172.67.207.116:443
      dropped: C:\Users\user\AppData\Roaming\svchost.exe (PE32); C:\Users\user\AppData\...\tmpA674.tmp.bat (DOS)
      signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Drops PE files with benign system names
      cmd.exe (36)
        svchost.exe (38)
          signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Writes to foreign memory regions; 2 other signatures
          calc.exe (45)
            network: igw.myfirewall.org 103.35.191.158:2404; geoplugin.net 178.237.33.50:80
            dropped: C:\ProgramData\remcos\logs.dat (data)
            signatures: System process connects to network (likely due to code injection or exploit); Contains functionality to bypass UAC (CMSTPLUA); Contains functionality to change the wallpaper; 5 other signatures
            WerFault.exe (50)
            WerFault.exe (52)
        timeout.exe (41)
          signatures: Uses ping.exe to check the status of other devices and networks
        conhost.exe (43)
  svchost.exe (15)
    PING.EXE (26)
      signatures: Contains functionality to bypass UAC (CMSTPLUA); Contains functionality to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; 2 other signatures
    calc.exe (28)
  svchost.exe (17)
    signatures: System process connects to network (likely due to code injection or exploit)
    calc.exe (30)
  2 other processes (19)
    WerFault.exe (32)
    WerFault.exe (34)
Threat name: Script-WScript.Trojan.Valyria
Status: Malicious
First seen: 2024-02-01 12:29:13 UTC
File Type: Text (VBS)
AV detection: 8 of 24 (33.33%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:pa kay evasion persistence rat
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Remcos
Malware Config
C2 Extraction:
igw.myfirewall.org:2404
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
RemcosRAT
Visual Basic Script (vbs) 36b3b7fcbc48c6dbf0c3d1692e8f0f0296072f5d0d840ab69d4d95539493af98 (this sample)

Delivery method: Distributed via e-mail attachment

Comments