MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5774db473258bf744264a3a02e01931fa02ecd19a26f0f9329bfa5ac89d08512. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 22 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5774db473258bf744264a3a02e01931fa02ecd19a26f0f9329bfa5ac89d08512
SHA3-384 hash: 87f25c1fbcfa3f091e6adfe5c9386d2eac23d05a242e8a42a543f9d3351e08dcd204fa53fe18195d8bf993af6e3be33a
SHA1 hash: 18545dbd755b169d693a42c7e0ab32f4fd81aeaf
MD5 hash: d784a93b62ff236f0090d49eee225f61
humanhash: california-massachusetts-asparagus-fruit
File name:creatingbestthingsforbetterfuture.hta
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:14'077 bytes
First seen:2025-04-01 15:19:08 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 48:3StrVotriVRy1K+rUmn514Szy6oFAConovTboMrt2tgVJtSPG:AgrYmN514SyJF1onovTbDEGS+
TLSH T1795243203C50ED718B96926624CE9CE1890D4BCDF5B83537B9EC9E84070D79E8CC426B
Magika html
Reporter abuse_ch
Tags:hta RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.VBS.Starter.408.7987.3140.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67ec05a2855e5ec5240b9aa4
Tags:
n/a
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/5774db473258bf744264a3a02e01931fa02ecd19a26f0f9329bfa5ac89d08512/results/dashboard
Payload URLs
URL
File name
http://172.245.191.88/90/sihost.exe
HTA File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/67ec03fad07c4c37a25e274b/reports/7430a48c-fb38-4f34-85a3-dd1f4bdef51c/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/5774db473258bf744264a3a02e01931fa02ecd19a26f0f9329bfa5ac89d08512
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
Cobalt Strike, Remcos, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1653877
Signature
Allocates many large memory junks
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Detected Cobalt Strike Beacon
Drops PE files with a suspicious file extension
Found malware configuration
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Powershell drops PE file
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Remcos
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: System File Execution Location Anomaly
Sigma detected: Windows Binaries Write Suspicious Extensions
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Powershell decode and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1653877 Sample: creatingbestthingsforbetter... Startdate: 01/04/2025 Architecture: WINDOWS Score: 100 83 qwertyuioplkjhgfdsazxcvbnm.ydns.eu 2->83 85 geoplugin.net 2->85 103 Suricata IDS alerts for network traffic 2->103 105 Found malware configuration 2->105 107 Malicious sample detected (through community Yara rule) 2->107 109 17 other signatures 2->109 11 mshta.exe 1 2->11         started        14 rundll32.exe 3 2->14         started        16 rundll32.exe 2->16         started        18 3 other processes 2->18 signatures3 process4 dnsIp5 141 Suspicious command line found 11->141 143 PowerShell case anomaly found 11->143 21 cmd.exe 1 11->21         started        24 Djauszke.PIF 14->24         started        28 Djauszke.PIF 16->28         started        87 127.0.0.1 unknown unknown 18->87 30 Djauszke.PIF 18->30         started        32 Djauszke.PIF 18->32         started        signatures6 process7 dnsIp8 123 Detected Cobalt Strike Beacon 21->123 125 Suspicious powershell command line found 21->125 127 Uses schtasks.exe or at.exe to add and modify task schedules 21->127 129 PowerShell case anomaly found 21->129 34 powershell.exe 46 21->34         started        39 conhost.exe 21->39         started        91 qwertyuioplkjhgfdsazxcvbnm.ydns.eu 45.88.91.237, 20908, 49692, 49693 LVLT-10753US Bulgaria 24->91 93 geoplugin.net 178.237.33.50, 49694, 80 ATOM86-ASATOM86NL Netherlands 24->93 81 C:\ProgramData\remcos\logs.dat, data 24->81 dropped 131 Multi AV Scanner detection for dropped file 24->131 133 Contains functionalty to change the wallpaper 24->133 135 Writes to foreign memory regions 24->135 139 3 other signatures 24->139 41 recover.exe 24->41         started        43 recover.exe 24->43         started        45 recover.exe 24->45         started        47 recover.exe 24->47         started        137 Allocates many large memory junks 28->137 file9 signatures10 process11 dnsIp12 89 172.245.191.88, 49681, 80 AS-COLOCROSSINGUS United States 34->89 75 C:\Users\user\AppData\Roaming\sihost.exe, PE32 34->75 dropped 77 C:\Users\user\AppData\Local\...\sihost[1].exe, PE32 34->77 dropped 79 C:\Users\user\AppData\...\kzpeondg.cmdline, Unicode 34->79 dropped 111 Loading BitLocker PowerShell Module 34->111 113 Powershell drops PE file 34->113 49 sihost.exe 8 34->49         started        53 csc.exe 3 34->53         started        115 Tries to steal Instant Messenger accounts or passwords 41->115 117 Tries to steal Mail credentials (via file / registry access) 41->117 119 Tries to harvest and steal browser information (history, passwords, etc) 43->119 121 Tries to steal Mail credentials (via file registry) 45->121 file13 signatures14 process15 file16 71 C:\Users\user\Links\Djauszke.PIF, PE32 49->71 dropped 95 Multi AV Scanner detection for dropped file 49->95 97 Contains functionality to bypass UAC (CMSTPLUA) 49->97 99 Contains functionalty to change the wallpaper 49->99 101 6 other signatures 49->101 55 cmd.exe 1 49->55         started        57 cmd.exe 1 49->57         started        59 cmd.exe 1 49->59         started        73 C:\Users\user\AppData\Local\...\kzpeondg.dll, PE32 53->73 dropped 61 cvtres.exe 1 53->61         started        signatures17 process18 process19 63 conhost.exe 55->63         started        65 schtasks.exe 1 55->65         started        67 conhost.exe 57->67         started        69 conhost.exe 59->69         started       
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/5774db473258bf744264a3a02e01931fa02ecd19a26f0f9329bfa5ac89d08512
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5774db473258bf744264a3a02e01931fa02ecd19a26f0f9329bfa5ac89d08512/
Threat name:
Script-WScript.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2025-04-01 15:20:16 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k52nwrzslc7xiqteuoqc4amtd6qc5tizujxq7ezjx6s2zcoqquja._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
remcos
Create hunting rule
Similar samples:
error
RemcosRAT
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader collection defense_evasion discovery execution trojan
Link:
https://tria.ge/reports/250401-sp9b2atlw8/
Behaviour
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks computer location settings
Executes dropped EXE
Blocklisted process makes network request
Downloads MZ/PE file
Evasion via Device Credential Deployment
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Malware family:
WebBrowserPassView
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5774db473258/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/5774db473258bf744264a3a02e01931fa02ecd19a26f0f9329bfa5ac89d08512

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Remcos_unpacked_PulseIntel
Create hunting rule
Author:PulseIntel
Description:Remcos Payload
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Windows_Generic_Threat_d7b57912
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:win_remcos_rat_unpacked
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:win_remcos_w0
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:yarahub_win_remcos_rat_unpacked_aug_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

HTML Application (hta) hta 5774db473258bf744264a3a02e01931fa02ecd19a26f0f9329bfa5ac89d08512

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3498219/
  
Delivery method
Distributed via web download

Comments