MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41590f3a8ba3c910f11fd5fa095856d5bc556f20fa4fd6d269aa1be4e08b4c64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	41590f3a8ba3c910f11fd5fa095856d5bc556f20fa4fd6d269aa1be4e08b4c64
SHA3-384 hash:	030dcbb32d3bb249d95139c3c6a2d38c2b4ca97607a05b0ac93a31bede778a21fd1b91fe23f099d0c6a1061eb68873cb
SHA1 hash:	0b7bb7af96d842cfbb7a89793a4292fec4289a8c
MD5 hash:	bcc1d6a3c9aeec994cd31f86ada37ae6
humanhash:	tennis-beer-blossom-magazine
File name:	secondaryTask.vbs
Download:	download sample
Signature	RemcosRAT Alert Create hunting rule
File size:	512 bytes
First seen:	2025-01-30 20:06:24 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	6:HrJXFxFyM4JveUMHMmFGWqojNqMkDMbXYiRnUxqD3FJ6LNKKwxoIe9Us:LJVGJ0FbGMfbXYiRUxqD3FJXKqs
TLSH	T107F0ABA88C3E87B0ADD887E683EA548A5BDC046024A44C4901E7914CE61A731270A0A2
Magika	vba
Reporter	aachum
Tags:	HIjackLoader RemcosRAT vbs

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

193

Origin country :

ES

Vendor Threat Intelligence

CyberFortress Clean

Verdict:

Clean

Score:

89.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=679bdbee6d96a8d7e4cd3a4e

Tags:

n/a

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

cmd evasive lolbin remote

Link:

https://www.filescan.io/uploads/679bdbe6a2886cdc5ac70a4f/reports/5e846b1d-d517-46ff-8b41-0060d1cea50b/overview

Hybrid Analysis Unknown

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/41590f3a8ba3c910f11fd5fa095856d5bc556f20fa4fd6d269aa1be4e08b4c64

InQuest UNKNOWN

Result

Verdict:

UNKNOWN

Joe Sandbox malicious

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/1603341

Signature

Joe Sandbox ML detected suspicious sample

Sigma detected: WScript or CScript Dropper

VBScript performs obfuscated calls to suspicious functions

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Benign

Score:

0%

Verdict:

Benign

File Type:

SCRIPT

Link:

https://malprob.io/report/41590f3a8ba3c910f11fd5fa095856d5bc556f20fa4fd6d269aa1be4e08b4c64

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/41590f3a8ba3c910f11fd5fa095856d5bc556f20fa4fd6d269aa1be4e08b4c64/

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ifmq6ouluperb4i72x5aswcw2w6fk3za7jh5nutjvin6jyeljrsa._file

Hatching Triage remcos

Result

Malware family:

remcos

Alert

Create hunting rule

Score:

  10/10

Tags:

family:hijackloader family:remcos botnet:v2 discovery loader rat

Link:

https://tria.ge/reports/250130-yvyqda1pbs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Suspicious use of SetThreadContext

Blocklisted process makes network request

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Use of msiexec (install) with remote resource

Detects HijackLoader (aka IDAT Loader)

HijackLoader

Hijackloader family

Remcos

Remcos family

Malware Config

C2 Extraction:

185.157.162.126:1995

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Remcos

Threat name:

Remcos

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/41590f3a8ba3c910f11fd5fa095856d5bc556f20fa4fd6d269aa1be4e08b4c64