MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3dab14859030e20708a39df701feb49b3b33097a3b1178d1801be40746c43232. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3dab14859030e20708a39df701feb49b3b33097a3b1178d1801be40746c43232
SHA3-384 hash: 8236dc2e3d4777aaad1afddcd20306fae751c6b2e6ca7fcbf2c528fa7f9b537b1bb2934ff1756954b0b16e1e2cc4a360
SHA1 hash: 6bcd13d4f0e0ebf49b1107cd120368230effd547
MD5 hash: 9f71dfb4c82b046b86940ff82f86cadf
humanhash: fanta-bakerloo-wisconsin-wyoming
File name:9f71dfb4c82b046b86940ff82f86cadf.hta
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:118'086 bytes
First seen:2024-09-25 07:03:48 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 48:7oa+apd7Ah23jBZ9mqYZ9NqZ4v0te2RVC1c8oawopyZAqXl9RXGbZ9nZ9GZkBUyN:Ea+M77929kRVTTwcnlXu9Z9K9s8AT
Threatray 4'470 similar samples on MalwareBazaar
TLSH T123B3EDA1CE758DCCF7FC9D83B9FD69C936AC174B9B4A1F42424B3A84E89135C90C1425
Magika txt
Reporter abuse_ch
Tags:hta RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
139
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Other.Malware-gen.30636.18009.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66f3b5ee8aca58c2b2c73557
Tags:
Discovery Execution Exploit Generic Infostealer Network Stealth Trojan Remcos Gumen
Result
Verdict:
Malicious
File Type:
HTA File - Malicious Base64 Payload
Link:
https://app.docguard.net/3dab14859030e20708a39df701feb49b3b33097a3b1178d1801be40746c43232/results/dashboard
Payload URLs
URL
File name
http://107.175.113.252/171/audiodg.exe
HTA File
Behaviour
BlacklistAPI detected
Verdict:
Unknown
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/66f3b5ec28a6e83e14167ba4/reports/765dd9b5-fb60-435e-b4bc-754cb6be6a66/overview
Verdict:
Malicious
Labled as:
VBS.Asthma.2.6A1D2183
Link:
https://www.hybrid-analysis.com/sample/3dab14859030e20708a39df701feb49b3b33097a3b1178d1801be40746c43232
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Hidden Powershell
Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
Result
Threat name:
Cobalt Strike, Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1517944
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Cobalt Strike Beacon
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Powershell decode and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1517944 Sample: C8G355qROx.hta Startdate: 25/09/2024 Architecture: WINDOWS Score: 100 84 hiddenrmcnew.duckdns.org 2->84 86 geoplugin.net 2->86 94 Suricata IDS alerts for network traffic 2->94 96 Found malware configuration 2->96 98 Malicious sample detected (through community Yara rule) 2->98 102 19 other signatures 2->102 11 mshta.exe 1 2->11         started        14 wUtVQHiucCbXP.exe 2->14         started        16 svchost.exe 1 1 2->16         started        signatures3 100 Uses dynamic DNS services 84->100 process4 dnsIp5 132 Suspicious command line found 11->132 134 PowerShell case anomaly found 11->134 19 cmd.exe 1 11->19         started        136 Multi AV Scanner detection for dropped file 14->136 138 Contains functionality to bypass UAC (CMSTPLUA) 14->138 140 Contains functionalty to change the wallpaper 14->140 142 6 other signatures 14->142 22 wUtVQHiucCbXP.exe 14->22         started        24 schtasks.exe 14->24         started        82 127.0.0.1 unknown unknown 16->82 signatures6 process7 signatures8 104 Detected Cobalt Strike Beacon 19->104 106 Suspicious powershell command line found 19->106 108 PowerShell case anomaly found 19->108 26 powershell.exe 43 19->26         started        31 conhost.exe 19->31         started        110 Detected Remcos RAT 22->110 33 conhost.exe 24->33         started        process9 dnsIp10 92 107.175.113.252, 49706, 80 AS-COLOCROSSINGUS United States 26->92 76 C:\Users\user\AppData\Roaming\audiodg.exe, PE32 26->76 dropped 78 C:\Users\user\AppData\...\audiodg[1].exe, PE32 26->78 dropped 80 C:\Users\user\AppData\...\tm4senzb.cmdline, Unicode 26->80 dropped 144 Loading BitLocker PowerShell Module 26->144 146 Powershell drops PE file 26->146 35 audiodg.exe 6 26->35         started        39 csc.exe 3 26->39         started        file11 signatures12 process13 file14 70 C:\Users\user\AppData\...\wUtVQHiucCbXP.exe, PE32 35->70 dropped 72 C:\Users\user\AppData\Local\...\tmp74CE.tmp, XML 35->72 dropped 112 Multi AV Scanner detection for dropped file 35->112 114 Detected Cobalt Strike Beacon 35->114 116 Tries to steal Mail credentials (via file registry) 35->116 118 3 other signatures 35->118 41 audiodg.exe 35->41         started        45 powershell.exe 35->45         started        47 powershell.exe 23 35->47         started        49 schtasks.exe 35->49         started        74 C:\Users\user\AppData\Local\...\tm4senzb.dll, PE32 39->74 dropped 51 cvtres.exe 1 39->51         started        signatures15 process16 dnsIp17 88 hiddenrmcnew.duckdns.org 204.10.160.136, 49710, 49711, 7839 UNREAL-SERVERSUS Canada 41->88 90 geoplugin.net 178.237.33.50, 49712, 80 ATOM86-ASATOM86NL Netherlands 41->90 126 Detected Remcos RAT 41->126 128 Maps a DLL or memory area into another process 41->128 53 audiodg.exe 41->53         started        56 audiodg.exe 41->56         started        58 audiodg.exe 41->58         started        68 2 other processes 41->68 130 Loading BitLocker PowerShell Module 45->130 60 conhost.exe 45->60         started        62 WmiPrvSE.exe 45->62         started        64 conhost.exe 47->64         started        66 conhost.exe 49->66         started        signatures18 process19 signatures20 120 Tries to steal Instant Messenger accounts or passwords 53->120 122 Tries to steal Mail credentials (via file / registry access) 53->122 124 Tries to harvest and steal browser information (history, passwords, etc) 56->124
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3dab14859030e20708a39df701feb49b3b33097a3b1178d1801be40746c43232/
Threat name:
Script-WScript.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2024-09-24 11:11:14 UTC
File Type:
Text
AV detection:
10 of 38 (26.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hwvrjbmqgdraocfdtx3qd7vutm5tgcl2hmixrumadpsaorwegiza._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
unknown_loader_037
Create hunting rule
Similar samples:
66c41f2310824c8b5b2365a2283d28c5b47d2a829afa45a1b00b710259d9622d
RemcosRAT
bf959c8b9bbb333f1ba32b7b6100d6c799cf6d21411914ac288bf9971b3ada13
RemcosRAT
e69cbec2c6a28dca27558736ea04f1b998ed42c2e70cf2934b12330df04bf3be
RemcosRAT
ecad62ef8415885ac40c6e3889e323293599d9ed531fe62d77e1488c925650d5
RemcosRAT
+ 4'460 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection defense_evasion discovery execution rat spyware stealer
Link:
https://tria.ge/reports/240925-hvx6vavcjg/
Behaviour
Modifies Internet Explorer settings
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Evasion via Device Credential Deployment
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Remcos
Malware Config
C2 Extraction:
hiddenrmcnew.duckdns.org:7839
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3dab14859030/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/3dab14859030e20708a39df701feb49b3b33097a3b1178d1801be40746c43232

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

HTML Application (hta) hta 3dab14859030e20708a39df701feb49b3b33097a3b1178d1801be40746c43232

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3190154/
  
Delivery method
Distributed via web download

Comments