MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42b3442bc675f7ff95d660935ea8756710fea99551b1d614f2e8b7db739d72a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 42b3442bc675f7ff95d660935ea8756710fea99551b1d614f2e8b7db739d72a0
SHA3-384 hash: 4a5dbf4a3a7ce86e08cb08176cfeb6d808346d46dfaba5d88404a35469ff98ef5a762c0e53e8f413b89619e374f310c7
SHA1 hash: 7e2c1b3241c142946709366d053a0a458dcb6b3f
MD5 hash: 9fb8a902f8fed32164687eacbc011faa
humanhash: charlie-glucose-virginia-florida
File name:greatturningpointofentirelifegivenmebestthingsforgetbacktome.hta
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:258'618 bytes
First seen:2025-01-28 08:28:12 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 768:PD2dFEfY7Xw8LcGdgtF/UT1JrXkUBDbzuJqAakf4vlOGd5cqjk1FJZuO+yIF9OQ5:NzNtyht97
Threatray 922 similar samples on MalwareBazaar
TLSH T11944CF15FE30A45FFDD89CFFBA08C74892C1788CA79215CAF05D3946A2A69F562E0335
Magika javascript
Reporter lontze7
Tags:hta RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
95
Origin country :
FR FR
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.PUA.JS.Obfus-2525.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6798967929ae628cf42a3719
Tags:
obfuscate shell sage
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/6798955239aa2bdf29b32320/reports/2701fcbe-a648-4bcd-ad51-4b9866a516d7/overview
Verdict:
Malicious
Labled as:
Trojan.Script.Heuristic
Link:
https://www.hybrid-analysis.com/sample/42b3442bc675f7ff95d660935ea8756710fea99551b1d614f2e8b7db739d72a0
Result
Verdict:
MALICIOUS
Result
Threat name:
BlackHacker JS Obfuscator, Cobalt Strike
Create hunting rule
Detection:
malicious
Classification:
rans.spre.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1601045
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Command shell drops VBS files
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Cobalt Strike Beacon
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (suspicious strings)
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Remcos
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected BlackHacker JS Obfuscator
Yara detected Generic Downloader
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1601045 Sample: greatturningpointofentireli... Startdate: 28/01/2025 Architecture: WINDOWS Score: 100 69 newbigupdateforme.duckdns.org 2->69 71 resc.cloudinary.com.cdn.cloudflare.net 2->71 73 2 other IPs or domains 2->73 91 Suricata IDS alerts for network traffic 2->91 93 Found malware configuration 2->93 95 Malicious sample detected (through community Yara rule) 2->95 99 18 other signatures 2->99 12 mshta.exe 1 2->12         started        15 wscript.exe 1 2->15         started        signatures3 97 Uses dynamic DNS services 69->97 process4 signatures5 115 Suspicious command line found 12->115 117 PowerShell case anomaly found 12->117 17 cmd.exe 1 12->17         started        119 Detected Cobalt Strike Beacon 15->119 121 Suspicious powershell command line found 15->121 123 Wscript starts Powershell (via cmd or directly) 15->123 125 2 other signatures 15->125 20 powershell.exe 15->20         started        process6 signatures7 83 Detected Cobalt Strike Beacon 17->83 85 Suspicious powershell command line found 17->85 87 Wscript starts Powershell (via cmd or directly) 17->87 89 2 other signatures 17->89 22 powershell.exe 42 17->22         started        27 conhost.exe 17->27         started        29 conhost.exe 20->29         started        process8 dnsIp9 77 135.125.246.54, 49731, 49733, 80 AVAYAUS United States 22->77 63 nicetogetmebestthi...ngsigotfromever.vbs, Unicode 22->63 dropped 65 C:\Users\user\AppData\...\oz0syuuf.cmdline, Unicode 22->65 dropped 111 Potential malicious VBS script found (suspicious strings) 22->111 113 Loading BitLocker PowerShell Module 22->113 31 wscript.exe 2 22->31         started        34 csc.exe 3 22->34         started        file10 signatures11 process12 file13 137 Detected Cobalt Strike Beacon 31->137 139 Suspicious powershell command line found 31->139 141 Wscript starts Powershell (via cmd or directly) 31->141 143 2 other signatures 31->143 37 powershell.exe 15 16 31->37         started        61 C:\Users\user\AppData\Local\...\oz0syuuf.dll, PE32 34->61 dropped 41 cvtres.exe 1 34->41         started        signatures14 process15 dnsIp16 75 resc.cloudinary.com.cdn.cloudflare.net 104.17.202.1, 443, 49732, 49739 CLOUDFLARENETUS United States 37->75 107 Writes to foreign memory regions 37->107 109 Injects a PE file into a foreign processes 37->109 43 CasPol.exe 37->43         started        47 cmd.exe 2 37->47         started        50 conhost.exe 37->50         started        signatures17 process18 dnsIp19 79 newbigupdateforme.duckdns.org 192.3.232.40, 14646, 49734, 49735 AS-COLOCROSSINGUS United States 43->79 81 geoplugin.net 178.237.33.50, 49736, 80 ATOM86-ASATOM86NL Netherlands 43->81 127 Contains functionality to bypass UAC (CMSTPLUA) 43->127 129 Detected Remcos RAT 43->129 131 Tries to steal Mail credentials (via file registry) 43->131 135 7 other signatures 43->135 52 CasPol.exe 43->52         started        55 CasPol.exe 43->55         started        57 CasPol.exe 43->57         started        67 C:\ProgramData\torrontes.vbs, Unicode 47->67 dropped 133 Command shell drops VBS files 47->133 59 conhost.exe 47->59         started        file20 signatures21 process22 signatures23 101 Tries to steal Instant Messenger accounts or passwords 52->101 103 Tries to steal Mail credentials (via file / registry access) 52->103 105 Tries to harvest and steal browser information (history, passwords, etc) 55->105
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/42b3442bc675f7ff95d660935ea8756710fea99551b1d614f2e8b7db739d72a0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/42b3442bc675f7ff95d660935ea8756710fea99551b1d614f2e8b7db739d72a0/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ikzuik6gox377fowmcjv5kdvm4ip5kmvkgy5mfhs5c35w445okqa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
nirsoft
Create hunting rule
admintool_mailpassview
Create hunting rule
Similar samples:
1a8c4a357230c2b388cb9cc9171ab0bcc37a194fdf99e69e6a42d8e1a3d2652b
RemcosRAT
2a7f932fb984d3485eb721810e58cf929a1d1fe719d3b29e15f4f7ef0d4ad8a9
RemcosRAT
32f32787e8bbc5276d6f9d1d1d8b0f5f762b33df9abf8a820f34d6e702603b99
RemcosRAT
37749c2d24301276a9b1a9d1b39ab49c3037dd9ed6f1f90e895658a5d0ada16f
RemcosRAT
9b9059af739b167db6afce5129997e489dbb7baa3af27c8da5a68d564c2ed84e
RemcosRAT
ad4a934328e699a5065c7c55ab3399d74134b5e97401175948b5296faf98d2a8
RemcosRAT
aea9253a5f1a4e0f59325f84c015b3980a1573e1873643fce09e084a76e0047b
RemcosRAT
b25e19cd5dc45047c4ad68fbe940dd1f923800201666adf9164ec5fe5d74f6e4
RemcosRAT
error
RemcosRAT
fc357d0488d2be1a5a49893d842e24d303250346dad592f6b1c8a9511edc15d2
RemcosRAT
+ 912 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:zynova collection defense_evasion discovery execution rat
Link:
https://tria.ge/reports/250128-kdjy1atkhq/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Blocklisted process makes network request
Evasion via Device Credential Deployment
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Remcos
Remcos family
Malware Config
C2 Extraction:
newbigupdateforme.duckdns.org:14646
Malware family:
DnlibLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/42b3442bc675/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/42b3442bc675f7ff95d660935ea8756710fea99551b1d614f2e8b7db739d72a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_obfuscated_JS_obfuscatorio
Create hunting rule
Author:@imp0rtp3
Description:Detect JS obfuscation done by the js obfuscator (often malicious)
Reference:https://obfuscator.io

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

HTML Application (hta) hta 42b3442bc675f7ff95d660935ea8756710fea99551b1d614f2e8b7db739d72a0

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3417209/

Comments