MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5272338400b23202fdfbcf0f9120792124c35c3e8bc730ace12d5f9b2b42ebe7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5272338400b23202fdfbcf0f9120792124c35c3e8bc730ace12d5f9b2b42ebe7
SHA3-384 hash: 433a673816ec56210770f1d0d8422e764c58fa0136f7d18b8be40f7ab8354b8e3830e323724d61bf6d2337ce4571af47
SHA1 hash: aaf1fcdfa59be2397da6eb82e580b1912e7a2a12
MD5 hash: 17779031465f431f4f77f557365e6d15
humanhash: beryllium-dakota-golf-july
File name:bestwaytocreatebetterthingsevermadeforme.hta
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:17'353 bytes
First seen:2025-03-20 10:22:27 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 48:3PCPo+TVmBA+TrYrx/O5wvgtwYhrGVJxNmLXl+TafPG:/CPoYm2LrVO5wvguocJxNmLXlhf+
TLSH T1F0724F895EA4BD39C35680B87BCD9CC47C0D5F2E8672290238ED46ED9704B5884D93EB
Magika txt
Reporter abuse_ch
Tags:hta RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
DE DE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67dbeca29388e75d078ee034
Tags:
obfuscate remcos shell sage
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/5272338400b23202fdfbcf0f9120792124c35c3e8bc730ace12d5f9b2b42ebe7/results/dashboard
Payload URLs
URL
File name
http://198.12.81.109/xampp/kbze/sweetgoodlifestartedwithsweetness.gIF
HTA File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/67dbecac1dd35ee4a0e948bc/reports/872ba4f1-476e-48e7-86d0-24816f133f4b/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/5272338400b23202fdfbcf0f9120792124c35c3e8bc730ace12d5f9b2b42ebe7
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
Cobalt Strike
Create hunting rule
Detection:
malicious
Classification:
expl.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1644105
Signature
Detected Cobalt Strike Beacon
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious MSHTA Child Process
Suspicious command line found
Suspicious powershell command line found
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1644105 Sample: bestwaytocreatebetterthings... Startdate: 20/03/2025 Architecture: WINDOWS Score: 92 35 Multi AV Scanner detection for submitted file 2->35 37 Yara detected Powershell decode and execute 2->37 39 Sigma detected: Suspicious MSHTA Child Process 2->39 41 2 other signatures 2->41 9 mshta.exe 1 2->9         started        process3 signatures4 43 Suspicious command line found 9->43 45 PowerShell case anomaly found 9->45 12 cmd.exe 1 9->12         started        process5 signatures6 47 Detected Cobalt Strike Beacon 12->47 49 Suspicious powershell command line found 12->49 51 PowerShell case anomaly found 12->51 15 powershell.exe 42 12->15         started        20 conhost.exe 12->20         started        process7 dnsIp8 31 198.12.81.109, 49717, 80 AS-COLOCROSSINGUS United States 15->31 27 C:\Users\user\AppData\...\ansib04l.cmdline, Unicode 15->27 dropped 33 Loading BitLocker PowerShell Module 15->33 22 csc.exe 3 15->22         started        file9 signatures10 process11 file12 29 C:\Users\user\AppData\Local\...\ansib04l.dll, PE32 22->29 dropped 25 cvtres.exe 1 22->25         started        process13
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/5272338400b23202fdfbcf0f9120792124c35c3e8bc730ace12d5f9b2b42ebe7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5272338400b23202fdfbcf0f9120792124c35c3e8bc730ace12d5f9b2b42ebe7/
Threat name:
Script-WScript.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2025-02-27 06:49:23 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
13 of 37 (35.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kjzdhbaawizaf7p3z4hzcidzeesmgxb6rpdtblhbfvpzwk2c5ptq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution
Link:
https://tria.ge/reports/250320-mezf7azyet/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Blocklisted process makes network request
Evasion via Device Credential Deployment
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5272338400b23202fdfbcf0f9120792124c35c3e8bc730ace12d5f9b2b42ebe7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

HTML Application (hta) hta 5272338400b23202fdfbcf0f9120792124c35c3e8bc730ace12d5f9b2b42ebe7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3483485/
  
Delivery method
Distributed via web download

Comments