MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36e0589d6c7fe2ba454673e8ad1becbd09d60838d80f95ba4f7c4cbfa635816c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 36e0589d6c7fe2ba454673e8ad1becbd09d60838d80f95ba4f7c4cbfa635816c
SHA3-384 hash: c274aff9dd9a929a30a016e01f90061723a1796a280d044a4ccc5da42cc3eefe6a8cc5f0f09a85b33aa6693f5da017ae
SHA1 hash: 2f6a2f36ffe1e070cf0592492a2365c137ff754a
MD5 hash: efb65d67dc764eb12f65fc12dd8eb542
humanhash: hamper-magazine-blossom-sad
File name:greatnicegirlbackontheearthwithgoodnews.hta
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:39'853 bytes
First seen:2025-04-08 10:36:55 UTC
Last seen:2025-04-08 23:31:02 UTC
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 192:/MTb900M5pTbSD0M53v38PxTrG/qTbjTbXL8Ck0M5sETbd:0b9MxbU3vcTrG/GbPbb8CcsUbd
Threatray 1'113 similar samples on MalwareBazaar
TLSH T1850347EAD7AABC96CC43BA2EF5386715015D082ECCB5C9C4F641700A98E4759B4E4ECF
Magika txt
Reporter abuse_ch
Tags:hta RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
102
Origin country :
DE DE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67f4fd9ea695a0cd1facc993
Tags:
obfuscate cryxos shell sage
Result
Verdict:
Clean
File Type:
HTA File
Link:
https://app.docguard.net/36e0589d6c7fe2ba454673e8ad1becbd09d60838d80f95ba4f7c4cbfa635816c/results/dashboard
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/67f4fc522d430c849e0cc59c/reports/bd350ac3-db2f-4942-9ad6-8fa896bebdca/overview
Verdict:
Malicious
Labled as:
VBS.Asthma.2.BAD8643E
Link:
https://www.hybrid-analysis.com/sample/36e0589d6c7fe2ba454673e8ad1becbd09d60838d80f95ba4f7c4cbfa635816c
Result
Threat name:
Cobalt Strike, Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1659282
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Cobalt Strike Beacon
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Remcos
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1659282 Sample: greatnicegirlbackontheearth... Startdate: 08/04/2025 Architecture: WINDOWS Score: 100 61 thenewbettercomabcktimecamefornewlifesta.duckdns.org 2->61 63 paste.ee 2->63 65 4 other IPs or domains 2->65 79 Suricata IDS alerts for network traffic 2->79 81 Found malware configuration 2->81 83 Malicious sample detected (through community Yara rule) 2->83 89 19 other signatures 2->89 12 mshta.exe 1 2->12         started        signatures3 85 Uses dynamic DNS services 61->85 87 Connects to a pastebin service (likely for C&C) 63->87 process4 signatures5 109 Suspicious command line found 12->109 111 PowerShell case anomaly found 12->111 15 cmd.exe 1 12->15         started        process6 signatures7 119 Detected Cobalt Strike Beacon 15->119 121 Suspicious powershell command line found 15->121 123 Wscript starts Powershell (via cmd or directly) 15->123 125 PowerShell case anomaly found 15->125 18 powershell.exe 3 43 15->18         started        23 conhost.exe 15->23         started        process8 dnsIp9 67 192.3.23.235, 49687, 49696, 80 AS-COLOCROSSINGUS United States 18->67 53 C:\Users\...\newthingsonhereforgetrockgain.js, Unicode 18->53 dropped 55 C:\Users\user\AppData\...\qr4almpm.cmdline, Unicode 18->55 dropped 91 Loading BitLocker PowerShell Module 18->91 25 wscript.exe 1 14 18->25         started        29 csc.exe 3 18->29         started        file10 signatures11 process12 dnsIp13 73 paste.ee 23.186.113.60, 443, 49688 KLAYER-GLOBALNL Reserved 25->73 101 System process connects to network (likely due to code injection or exploit) 25->101 103 Detected Cobalt Strike Beacon 25->103 105 Suspicious powershell command line found 25->105 107 3 other signatures 25->107 32 powershell.exe 15 16 25->32         started        57 C:\Users\user\AppData\Local\...\qr4almpm.dll, PE32 29->57 dropped 36 cvtres.exe 1 29->36         started        file14 signatures15 process16 dnsIp17 59 109.248.144.184, 49694, 80 DATACLUB-SE Russian Federation 32->59 75 Writes to foreign memory regions 32->75 77 Injects a PE file into a foreign processes 32->77 38 MSBuild.exe 4 13 32->38         started        42 conhost.exe 32->42         started        signatures18 process19 dnsIp20 69 thenewbettercomabcktimecamefornewlifesta.duckdns.org 192.3.23.241, 14645, 49697, 49699 AS-COLOCROSSINGUS United States 38->69 71 geoplugin.net 178.237.33.50, 49698, 80 ATOM86-ASATOM86NL Netherlands 38->71 93 Contains functionality to bypass UAC (CMSTPLUA) 38->93 95 Detected Remcos RAT 38->95 97 Tries to steal Mail credentials (via file registry) 38->97 99 7 other signatures 38->99 44 MSBuild.exe 38->44         started        47 MSBuild.exe 38->47         started        49 MSBuild.exe 14 38->49         started        51 3 other processes 38->51 signatures21 process22 signatures23 113 Tries to steal Instant Messenger accounts or passwords 44->113 115 Tries to steal Mail credentials (via file / registry access) 44->115 117 Tries to harvest and steal browser information (history, passwords, etc) 47->117
Score:
98%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/36e0589d6c7fe2ba454673e8ad1becbd09d60838d80f95ba4f7c4cbfa635816c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/36e0589d6c7fe2ba454673e8ad1becbd09d60838d80f95ba4f7c4cbfa635816c/
Threat name:
Script-WScript.Trojan.Asthma
Create hunting rule
Status:
Malicious
First seen:
2025-04-08 05:57:55 UTC
File Type:
Text (JavaScript)
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g3qfrhlmp7rlurkgopuk2g7mxue5mcby3ahzlospprgl7jrvqfwa._file
Verdict:
malicious
Label(s):
nirsoft
Create hunting rule
remcos
Create hunting rule
admintool_mailpassview
Create hunting rule
Similar samples:
11d67ce2068437cce35f0b601119ebd071921f536daa8a5afff7c4d03ff1a4bc
RemcosRAT
48e090a34f01f05468dbf823d7dce5978a303642aab719f21d6ca7bc530fdfd3
RemcosRAT
51a915c8b96fdba9947eb213342bae13ec23863f80cc0926c75a8546d1183eb6
RemcosRAT
68e0a761d3751db051d39824a011f467b2a9549ed2a50d4c090131536f4f192c
RemcosRAT
74b5890f41f51c96efa8cdeb693fd95ad15e5dc523e7d75e2e101d7cf8b0a36e
RemcosRAT
76a9a68e8da599c81f44d2a43fb4fe5e5e4d2e6c5881ccf775ecd665c16939d8
RemcosRAT
8ba912704a7e4f686d5f29c0277b52fbfdeb1d1708bab9c6d0e06eb48f8dc539
RemcosRAT
c80ad2f3f977fca5d2b2a6c9d7b6a50c2648d030b6b37a93f5b9c5be025f9972
RemcosRAT
error
RemcosRAT
f0dd72c45946626cebbce21d47e79ba0cd8f15cf57cb5ae61d6ebdcb0b272ade
RemcosRAT
+ 1'103 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:whitedevil07 collection defense_evasion discovery execution rat
Link:
https://tria.ge/reports/250408-mnxzqatkw2/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Blocklisted process makes network request
Evasion via Device Credential Deployment
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Remcos
Remcos family
Malware Config
C2 Extraction:
thenewbettercomabcktimecamefornewlifesta.duckdns.org:14645
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/36e0589d6c7fe2ba454673e8ad1becbd09d60838d80f95ba4f7c4cbfa635816c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

HTML Application (hta) hta 36e0589d6c7fe2ba454673e8ad1becbd09d60838d80f95ba4f7c4cbfa635816c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3504264/
  
Delivery method
Distributed via web download

Comments