MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49597a41b73ab177c673f54c3625563e94ffb9e1a389e0b4bd8f184195b437d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49597a41b73ab177c673f54c3625563e94ffb9e1a389e0b4bd8f184195b437d2
SHA3-384 hash: aaad90ba176cf9246b1af8e186532bf6240174de757c8952f35f82e9b2abddaf63f3d19822222bc43f64efe488011d7f
SHA1 hash: b431ad019c0a45553955f48907f875e4b43513d8
MD5 hash: 874ebb6c6bd200e4dec0bfa8115635c4
humanhash: hydrogen-lemon-fourteen-pip
File name:Doc NBD250415-1 DOC BLCKCOSHA3102349UW.VBS
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:2'376 bytes
First seen:2025-05-23 08:26:21 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:RA8jq2jqxjqLjqljq4jqujq3+ojq0jq0jq4jqKjqjjqjjq4jqNjqvjq0jq5jq2jI:RA8jq2jqxjqLjqljq4jqujq3bjq0jq0t
Threatray 996 similar samples on MalwareBazaar
TLSH T18141A8C470C19E8E41A87785961823DC7469FA9105D82C065CD9CBF67F3861D42DAFBF
Magika vba
Reporter abuse_ch
Tags:RemcosRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.20956.29000.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6830325644c3881e854c4a1d
Tags:
obfuscate xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/68303134e336a33801dd14f5/reports/bb2d402d-d867-44b2-9631-244e7e159a07/overview
Verdict:
Malicious
Labled as:
HEUR_TrojanDownloader_Script_Generic
Link:
https://www.hybrid-analysis.com/sample/49597a41b73ab177c673f54c3625563e94ffb9e1a389e0b4bd8f184195b437d2
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1697586
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Remcos
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1697586 Sample: Doc NBD250415-1 DOC BLCKCOS... Startdate: 23/05/2025 Architecture: WINDOWS Score: 100 24 vpnsplashstech.duckdns.org 2->24 26 paste.ee 2->26 28 ia600705.us.archive.org 2->28 38 Suricata IDS alerts for network traffic 2->38 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 48 14 other signatures 2->48 8 wscript.exe 1 2->8         started        12 svchost.exe 1 1 2->12         started        signatures3 44 Uses dynamic DNS services 24->44 46 Connects to a pastebin service (likely for C&C) 26->46 process4 dnsIp5 32 paste.ee 23.186.113.60, 443, 49687, 49688 KLAYER-GLOBALNL Reserved 8->32 58 System process connects to network (likely due to code injection or exploit) 8->58 60 VBScript performs obfuscated calls to suspicious functions 8->60 62 Suspicious powershell command line found 8->62 64 3 other signatures 8->64 14 powershell.exe 14 15 8->14         started        34 127.0.0.1 unknown unknown 12->34 signatures6 process7 dnsIp8 36 ia600705.us.archive.org 207.241.227.165, 443, 49689 INTERNET-ARCHIVEUS United States 14->36 66 Writes to foreign memory regions 14->66 68 Suspicious execution chain found 14->68 70 Injects a PE file into a foreign processes 14->70 18 RegAsm.exe 4 14->18         started        22 conhost.exe 14->22         started        signatures9 process10 dnsIp11 30 vpnsplashstech.duckdns.org 103.237.86.82, 49692, 49698, 49699 BGNR-AP2BainandCompanySG unknown 18->30 50 Contains functionality to bypass UAC (CMSTPLUA) 18->50 52 Detected Remcos RAT 18->52 54 Contains functionalty to change the wallpaper 18->54 56 3 other signatures 18->56 signatures12
Score:
6%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/49597a41b73ab177c673f54c3625563e94ffb9e1a389e0b4bd8f184195b437d2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/49597a41b73ab177c673f54c3625563e94ffb9e1a389e0b4bd8f184195b437d2/
Threat name:
Script-WScript.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2025-05-22 06:40:37 UTC
File Type:
Binary
AV detection:
11 of 38 (28.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jfmxuqnxhkyxprtt6vgdmjkwh2kp7opbuoe6bnf5r4medfnug7ja._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
4e6721af692e7b971238e4fa55b201006cc77e0e72923d74c44e9746f577f4fb
RemcosRAT
7487788fcc5c4477ae8eb50da0babfb0b4bbd12a1bcb640da4d10c19d73ec8d4
RemcosRAT
903ee65f5cca5ef223d0a0f3f40fca223e5f07318826b68f7ab14d7dc1ec2f1d
RemcosRAT
b202388fc74fa1cbbbd75f498fbd1a0f44a13494d021840fc897690792795d7a
RemcosRAT
c46bd6ca1f8653808b1e9a7401893565645c09dec6c8aa2096a3cf602a54d46e
RemcosRAT
d5b052192eb6a3d0a85a9bb2a0ffc4b3fea6aaa3c11ad171d473d61de271d8f6
RemcosRAT
e33f75b43fb02cb692c326138d36287e0b08a781d35a1332cd5dcfaefcaf4eca
RemcosRAT
error
RemcosRAT
f798febd86f015683f00964366f5ed93fef5c5918970a6f1bbdf91e74f6c4741
RemcosRAT
fac461b593b89f4a155ec787787aa354975bb6d90d0d9d937254d8fa98c06155
RemcosRAT
+ 986 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:exploit discovery execution rat
Link:
https://tria.ge/reports/250523-kb3nbsbn5s/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Remcos
Remcos family
Malware Config
C2 Extraction:
vpnsplashstech.duckdns.org:53038
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.28
Link:
https://yomi.yoroi.company/submissions/49597a41b73ab177c673f54c3625563e94ffb9e1a389e0b4bd8f184195b437d2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments