MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64a04162d4e39030d2bcf514422cac3b97c52fc5f5560389ebba76dc069fe126. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 64a04162d4e39030d2bcf514422cac3b97c52fc5f5560389ebba76dc069fe126
SHA3-384 hash: 0b0c1816aa4e29a2ab589ee7d62b112ff1e11b2f49d2fa6e4f783da449e60c3376332a90411e569bc450d09f0b12c72a
SHA1 hash: abb6b50f27d0830aa932a21c038a132bc3a34242
MD5 hash: 287ddf351810cc030f2eca5307052023
humanhash: kentucky-lamp-monkey-orange
File name:creatingbestthingsforhisbeststepstotakehim.hta
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'927 bytes
First seen:2025-03-26 13:12:32 UTC
Last seen:2025-03-27 05:41:02 UTC
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 24:hPgWw2dSATn6w6kCh4HsxXe9aFrd7QgdKjUKhsNNYKWYK70YK/lYKYN5YK5xXYKj:tgNqS2buZxO9aFcjdhozO8DY9J+BSFCO
Threatray 796 similar samples on MalwareBazaar
TLSH T10D4139277841806C05B315A9A8FAB009F5E905E3D5176C2230CDA93B9F3E7EFC49D18D
Magika vba
Reporter abuse_ch
Tags:hta RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
127
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.GT.VB.SmlRvrHtSnd.1.DBCF1AB3.19671.26883.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e3fd70cb6d38a89f3e5b9d
Tags:
xtreme shell sage
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/64a04162d4e39030d2bcf514422cac3b97c52fc5f5560389ebba76dc069fe126/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd evasive lolbin timeout wscript
Link:
https://www.filescan.io/uploads/67e3fd72f274bf2d8e232d5e/reports/2466fba4-b826-4634-9cd8-9a71bae7dd92/overview
Verdict:
Malicious
Labled as:
GT:VB.SmlRvrHtSnd.1
Link:
https://www.hybrid-analysis.com/sample/64a04162d4e39030d2bcf514422cac3b97c52fc5f5560389ebba76dc069fe126
Result
Verdict:
MALICIOUS
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.spre.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1649128
Signature
C2 URLs / IPs found in malware configuration
Command shell drops VBS files
Connects to a pastebin service (likely for C&C)
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Legitimate Application Dropped Script
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected VBS Downloader Generic
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1649128 Sample: creatingbestthingsforhisbes... Startdate: 26/03/2025 Architecture: WINDOWS Score: 100 63 hftook7lmaroutsg2.duckdns.org 2->63 65 hftook7lmaroutsg1.duckdns.org 2->65 67 2 other IPs or domains 2->67 79 Suricata IDS alerts for network traffic 2->79 81 Found malware configuration 2->81 83 Malicious sample detected (through community Yara rule) 2->83 87 18 other signatures 2->87 11 mshta.exe 2 2->11         started        14 svchost.exe 1 1 2->14         started        signatures3 85 Uses dynamic DNS services 65->85 process4 dnsIp5 55 C:\Windows\Temp\anonymiser.bat, DOS 11->55 dropped 17 cmd.exe 2 11->17         started        75 127.0.0.1 unknown unknown 14->75 file6 process7 file8 51 C:\Windows\Temp\Sheena.vbs, ASCII 17->51 dropped 77 Command shell drops VBS files 17->77 21 wscript.exe 14 17->21         started        25 conhost.exe 17->25         started        27 timeout.exe 1 17->27         started        signatures9 process10 dnsIp11 69 paste.ee 23.186.113.60, 443, 49692 KLAYER-GLOBALNL Reserved 21->69 103 System process connects to network (likely due to code injection or exploit) 21->103 105 Suspicious powershell command line found 21->105 107 Wscript starts Powershell (via cmd or directly) 21->107 109 2 other signatures 21->109 29 powershell.exe 15 15 21->29         started        signatures12 process13 dnsIp14 71 217.154.55.185, 49693, 80 KCOM-SPNService-ProviderNetworkex-MistralGB United Kingdom 29->71 73 172.245.123.32, 49694, 80 AS-COLOCROSSINGUS United States 29->73 119 Writes to foreign memory regions 29->119 121 Injects a PE file into a foreign processes 29->121 33 CasPol.exe 4 14 29->33         started        38 CasPol.exe 29->38         started        40 svchost.exe 29->40         started        42 conhost.exe 29->42         started        signatures15 process16 dnsIp17 57 hftook7lmaroutsg1.duckdns.org 192.169.69.26, 3980, 3981, 49695 WOWUS United States 33->57 59 hftook7lmaroutsg2.duckdns.org 176.65.144.247, 3980, 49697, 49698 PALTEL-ASPALTELAutonomousSystemPS Germany 33->59 61 geoplugin.net 178.237.33.50, 49699, 80 ATOM86-ASATOM86NL Netherlands 33->61 53 C:\Users\user\AppData\...\jasgbtisot.dat, data 33->53 dropped 89 Writes to foreign memory regions 33->89 91 Maps a DLL or memory area into another process 33->91 93 Installs a global keyboard hook 33->93 44 recover.exe 14 33->44         started        47 recover.exe 1 33->47         started        49 recover.exe 1 33->49         started        95 Contains functionality to bypass UAC (CMSTPLUA) 38->95 97 Contains functionalty to change the wallpaper 38->97 99 Contains functionality to steal Chrome passwords or cookies 38->99 101 3 other signatures 38->101 file18 signatures19 process20 signatures21 111 Tries to steal Mail credentials (via file registry) 44->111 113 Tries to harvest and steal browser information (history, passwords, etc) 44->113 115 Tries to steal Instant Messenger accounts or passwords 47->115 117 Tries to steal Mail credentials (via file / registry access) 49->117
Score:
0%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/64a04162d4e39030d2bcf514422cac3b97c52fc5f5560389ebba76dc069fe126
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/64a04162d4e39030d2bcf514422cac3b97c52fc5f5560389ebba76dc069fe126/
Threat name:
Script-WScript.Trojan.SmlRvrHtSnd
Create hunting rule
Status:
Malicious
First seen:
2025-03-26 13:13:17 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=msqecywu4oidbuv46ukeelfmhol4kl6f6vlahcplxj3nybu74eta._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
124b893db4e3bc683c296095df39918daa94808e0b4043686d8f380a30c38cc8
RemcosRAT
75fed14fd61067a1c0c2a10d0eefcc349308e1f4a1993a075a9f0c768affab13
RemcosRAT
78cc96452121dc657a87c79561272f3669f781d24265a7a2ab853a5670fff80d
RemcosRAT
7f7860172d4e076099724e55875a797b9206365a4e6f52cf93f57371fd7fcc82
RemcosRAT
c0297a465ab62db781cd06295004e14eac2d87905b5015b1cc02b446a34bf042
RemcosRAT
d3626bd96d6a11668a6864a514fa77ebb3372a5f88069b4aba668b773e3d6946
RemcosRAT
error
RemcosRAT
fa1c16a3024d35ebc4f6996d1791ead89a08dae2ebd87e39c9997c04613c4645
RemcosRAT
fa61518375428781260a99edf971bcc98b70df3e7c5d2887367393f4e206f30d
RemcosRAT
+ 786 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:last collection discovery execution rat
Link:
https://tria.ge/reports/250326-qf8m2av1ev/
Behaviour
Delays execution with timeout.exe
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Blocklisted process makes network request
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Remcos
Remcos family
Malware Config
C2 Extraction:
hftook7lmaroutsg1.duckdns.org:3980
hftook7lmaroutsg1.duckdns.org:3981
hftook7lmaroutsg2.duckdns.org:3980
hftook7lmaroutsg3.duckdns.org:3980
hftook7lmaroutsg4.duckdns.org:3980
hftook7lmaroutsg5.duckdns.org:3980
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/64a04162d4e3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/64a04162d4e39030d2bcf514422cac3b97c52fc5f5560389ebba76dc069fe126

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

HTML Application (hta) hta 64a04162d4e39030d2bcf514422cac3b97c52fc5f5560389ebba76dc069fe126

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3491212/
  
Delivery method
Distributed via web download

Comments