MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64f8d40a94818b9385624dc6237edee725cc7edf78c09da9fd60454a7b1e2cdc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RemcosRAT
Vendor detections: 12

SHA256 hash: 64f8d40a94818b9385624dc6237edee725cc7edf78c09da9fd60454a7b1e2cdc
SHA3-384 hash: de6c8ec2c586afbc7e26cbfe216469ffd2ce71c9e13f2c0572215b458f782f5b45f7680437623a4750d1fc3f1e8ed73c
SHA1 hash: f284046c61b75fd44bf55661701c5e15b97efb28
MD5 hash: 8b5f64100174bb8bafd5ad78d6f2b277
humanhash: freddie-arizona-shade-april
File name: Main_Order.vbs
Signature: RemcosRAT
File size: 963 bytes
First seen: 2025-03-30 18:31:29 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 24:CqakQ+oW0KHFZJVDBF76LKhPjkcwFqrmTKC:hD0sFZJHFG+pY3/
Threatray: 769 similar samples on MalwareBazaar
TLSH: T1FA11EDAFDC2BC2811DB11955D6AC8A28EE6392072226C429796CDC0B9B301BDD1755A7
Magika: vba
Reporter: abuse_ch
Tags: RemcosRAT vbs

Intelligence

File Origin
# of uploads: 1
# of downloads: 70
Origin country: NL
Vendor Threat Intelligence

Verdict: Malicious
Score: 99.1%
Tags: dropper shell spawn

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: dropper masquerade obfuscated packed powershell

Result
Threat name:
Detection: malicious
Classification: rans.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Detected Remcos RAT
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Potential malicious VBS script found (has network functionality)
Powershell drops PE file
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (ID: 1652285; Sample: Main_Order.vbs; Start date: 30/03/2025; Architecture: WINDOWS; Score: 100)

Root
  DNS: sinoveo.com
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures
  Started: wscript.exe (12), process.exe (17), gFnEPEuEhX.exe (19)

wscript.exe (12)
  Network: sinoveo.com 192.121.162.80, port 80 (local port 49695), NFORCENL, Sweden
  Dropped: C:\Users\user\...\DownloadedScript.ps1 (ASCII)
  Signatures: System process connects to network (likely due to code injection or exploit); VBScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly); 3 other signatures
  Started: powershell.exe (21)

process.exe (17)
  Signatures: Injects a PE file into a foreign processes
  Started: process.exe (25), schtasks.exe (27)

powershell.exe (21)
  Dropped: C:\Users\user\AppData\Local\...\tmp3A0C.exe (PE32)
  Signatures: Found suspicious powershell code related to unpacking or dynamic code loading; Powershell drops PE file
  Started: tmp3A0C.exe (29), conhost.exe (33)

process.exe (25)
  Signatures: Detected Remcos RAT

schtasks.exe (27)
  Started: conhost.exe (35)

tmp3A0C.exe (29)
  Dropped: C:\Users\user\AppData\Local\...\tmp8B39.tmp (XML); C:\Users\user\AppData\...\gFnEPEuEhX.exe (PE32)
  Signatures: Contains functionality to bypass UAC (CMSTPLUA); Contains functionality to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; 3 other signatures
  Started: tmp3A0C.exe (37), schtasks.exe (41)

tmp3A0C.exe (37)
  Dropped: C:\ProgramData\Tencent\process.exe (PE32)
  Signatures: Detected Remcos RAT; Creates autostart registry keys with suspicious names
  Started: process.exe (43)

schtasks.exe (41)
  Started: conhost.exe (46)

process.exe (43)
  Signatures: Injects a PE file into a foreign processes
  Started: process.exe (48), schtasks.exe (53)

process.exe (48)
  Network: 103.28.89.34, port 10101, AMARUTU-TECHNOLOGYNL, Malaysia
  Dropped: C:\ProgramData\remcos\logs.dat (data)
  Signatures: Detected Remcos RAT; Tries to harvest and steal browser information (history, passwords, etc); Installs a global keyboard hook

schtasks.exe (53)
  Started: conhost.exe (55)
Threat name: Script-WScript.Backdoor.Remcos
Status: Suspicious
First seen: 2025-03-30 16:30:49 UTC
File Type: Text (VBS)
AV detection: 7 of 24 (29.17%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:thales 10101 discovery execution persistence rat
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Remcos
Remcos family
Malware Config
C2 Extraction: 103.28.89.34:10101
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments