MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 652f9425904c1411899bffd5d6396a611b4b74a901e0b3481a808da904c76ccb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 652f9425904c1411899bffd5d6396a611b4b74a901e0b3481a808da904c76ccb
SHA3-384 hash: 6de0146949b882c12c3872246242603e03bef839d469f1a4d7993644a828f3af85f70b520c2256bef99d7381061156c8
SHA1 hash: e31a2953086a9dfc7345310a65eb75ae04599cc9
MD5 hash: ff3aec15db8bc75f3cbc5d0e88283c9e
humanhash: carpet-tennis-nebraska-ten
File name:iiii Drawings_Tender No. UAE-UCPC-4389761110-2025.vbs
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:2'493 bytes
First seen:2025-04-28 08:55:04 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:RAsDuUklwEJI9h/xlDmhhFXAAF68h2j22ARAB8EjIChqApVrWlMWjUKAQpB3ThGg:RAPlwaI9BrChhFXAAF68h2j22ARAB8Ek
Threatray 1'040 similar samples on MalwareBazaar
TLSH T168516C6D081BF3DA07FC269C0F9FE944104FD925B2C74DA673B145EA74B9294262B849
Magika vba
Reporter smica83
Tags:paste-TsKngy4Q RemcosRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
120
Origin country :
HU HU
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/4702/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=680f4512c8b2e86d0ac3afa8
Tags:
obfuscate xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/680f426f218c4a98ade4ed3f/reports/ec5b37ff-5ba9-4416-8424-3eb5df71402c/overview
Verdict:
Suspicious
Labled as:
Trojan.Script.Donoff
Link:
https://www.hybrid-analysis.com/sample/652f9425904c1411899bffd5d6396a611b4b74a901e0b3481a808da904c76ccb
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1676118
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Remcos
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1676118 Sample: iiii Drawings_Tender No. UA... Startdate: 28/04/2025 Architecture: WINDOWS Score: 100 36 globalmail.dynuddns.net 2->36 38 paste.ee 2->38 40 6 other IPs or domains 2->40 58 Suricata IDS alerts for network traffic 2->58 60 Found malware configuration 2->60 62 Malicious sample detected (through community Yara rule) 2->62 68 14 other signatures 2->68 9 wscript.exe 1 2->9         started        signatures3 64 Uses dynamic DNS services 36->64 66 Connects to a pastebin service (likely for C&C) 38->66 process4 dnsIp5 42 paste.ee 23.186.113.60, 443, 49684, 49685 KLAYER-GLOBALNL Reserved 9->42 78 System process connects to network (likely due to code injection or exploit) 9->78 80 VBScript performs obfuscated calls to suspicious functions 9->80 82 Suspicious powershell command line found 9->82 84 3 other signatures 9->84 13 powershell.exe 14 15 9->13         started        signatures6 process7 dnsIp8 44 archive.org 207.241.224.2, 443, 49689 INTERNET-ARCHIVEUS United States 13->44 46 ia601700.us.archive.org 207.241.227.90, 443, 49690 INTERNET-ARCHIVEUS United States 13->46 48 webmail.aruba.it 62.149.158.90, 443, 49691 ARUBA-ASNIT Italy 13->48 86 Writes to foreign memory regions 13->86 88 Injects a PE file into a foreign processes 13->88 17 MSBuild.exe 4 13 13->17         started        21 conhost.exe 13->21         started        signatures9 process10 dnsIp11 32 globalmail.dynuddns.net 103.198.26.208, 12167, 49692, 49693 NXGNET-AS-APNextgenNetworksAU unknown 17->32 34 geoplugin.net 178.237.33.50, 49694, 80 ATOM86-ASATOM86NL Netherlands 17->34 50 Contains functionality to bypass UAC (CMSTPLUA) 17->50 52 Detected Remcos RAT 17->52 54 Contains functionalty to change the wallpaper 17->54 56 6 other signatures 17->56 23 recover.exe 1 17->23         started        26 recover.exe 1 17->26         started        28 recover.exe 2 17->28         started        30 recover.exe 17->30         started        signatures12 process13 signatures14 70 Tries to steal Instant Messenger accounts or passwords 23->70 72 Tries to steal Mail credentials (via file / registry access) 23->72 74 Tries to harvest and steal browser information (history, passwords, etc) 26->74 76 Tries to steal Mail credentials (via file registry) 30->76
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/652f9425904c1411899bffd5d6396a611b4b74a901e0b3481a808da904c76ccb/
Threat name:
Script-WScript.Backdoor.Remcos
Create hunting rule
Status:
Suspicious
First seen:
2025-04-28 08:27:47 UTC
File Type:
Binary
AV detection:
5 of 24 (20.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=muxzijmqjqkbdcm377k5molkmenuw5fjahqlgsa2qcg2sbghntfq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
admintool_mailpassview
Create hunting rule
admintool_iepassview
Create hunting rule
Similar samples:
074efb70a49088638d0e62cc3637a75627afe9286c3f2d024e78ea9f247582fe
RemcosRAT
196b3a5cb409ba285267fba44efa46d8557f36cc33efd6a206eca5683417f5fa
RemcosRAT
54f051c914c3e499fcfb3b6adb7e4aa142f9d17804b8121d325b973da806e795
RemcosRAT
55303d0457e7c41acc899e1c188e954e7d074ece5d93e071f4e861e355810953
RemcosRAT
8e7e6ed8638ee1a261b2ce3badcaae3d9a00573d2c3612883e10787c58eec5e3
RemcosRAT
a80147c2853fdb7b2c7b2b8d6e0ed9cce5c3f17ccfbeacba71fa26d4956978f5
RemcosRAT
cc985a14a3106fa6cd7d46894e6e986a6e47c8f3a11f50c080cf85dc050d00c0
RemcosRAT
df4bce7a8c51de8213f720d59a5d07b54b954f65d468475a7af4cfabb5c85854
RemcosRAT
e713e31d4edb7cd8f10ef3be6948015ea17f4969d0800c5c3149e8e53a0c2284
RemcosRAT
error
RemcosRAT
f15b81d00d3d99f387f0a55d7ef0d59326b35eeb9987c15574db35fa81f26e93
RemcosRAT
+ 1'030 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:global market ii discovery execution rat
Link:
https://tria.ge/reports/250428-kvh32asmv7/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Remcos
Remcos family
Malware Config
C2 Extraction:
globalmail.dynuddns.net:12167
postmasterrelayserver.duckdns.org:23951
mailhost.mysynology.net:56796
honeypotresearchteam.duckdns.org:46796
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.28
Link:
https://yomi.yoroi.company/submissions/652f9425904c1411899bffd5d6396a611b4b74a901e0b3481a808da904c76ccb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/4702/

Comments