MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6711c242230b0e6838533c8b15f8944904aecc62f5f6f2b567f13e48dc8ec8c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6711c242230b0e6838533c8b15f8944904aecc62f5f6f2b567f13e48dc8ec8c4
SHA3-384 hash: 389b88844219f475bc6e9496c47eb938ba8790a8af9b33eb43d26126e7e8203e65d63c170f44cfed0ba79004461ede48
SHA1 hash: 87785224dfc4d73c9530c1ef83b479139c15409d
MD5 hash: 41fecba7bc6cc431df85e0272102b8a3
humanhash: red-vermont-equal-sad
File name:transferencia.vbs
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:363'747 bytes
First seen:2025-03-18 07:58:16 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 768:C0g8QOgv4iEpxYj4EJe/RhAe/vEfr9f6BGpEgl6wH1xbs7BxD:x
Threatray 66 similar samples on MalwareBazaar
TLSH T12F74BFEB938DC1988D8DFA06F25EE3031C2D1D6DC4AB294B35BB10F9919B6C9D9950F0
Magika vba
Reporter lowmal3
Tags:RemcosRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
124
Origin country :
DE DE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67d940253962f1a6f4729607
Tags:
obfuscate remcos xtreme shell
Verdict:
Suspicious
Labled as:
VBS/Agent.BYY
Link:
https://www.hybrid-analysis.com/sample/6711c242230b0e6838533c8b15f8944904aecc62f5f6f2b567f13e48dc8ec8c4
Result
Verdict:
UNKNOWN
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1641396
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Command shell drops VBS files
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Remcos
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1641396 Sample: transferencia.vbs Startdate: 18/03/2025 Architecture: WINDOWS Score: 100 37 wormbit.ydns.eu 2->37 39 moredoul.ydns.eu 2->39 41 3 other IPs or domains 2->41 49 Suricata IDS alerts for network traffic 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 13 other signatures 2->55 9 wscript.exe 1 2->9         started        12 wscript.exe 2->12         started        signatures3 process4 signatures5 67 VBScript performs obfuscated calls to suspicious functions 9->67 69 Suspicious powershell command line found 9->69 71 Wscript starts Powershell (via cmd or directly) 9->71 73 2 other signatures 9->73 14 powershell.exe 14 16 9->14         started        process6 dnsIp7 45 wormbit.ydns.eu 45.154.98.113, 23101, 49690, 49691 LRH-ASNL Belgium 14->45 47 ip.1019.filemail.com 142.215.209.80, 443, 49689 HUMBER-COLLEGECA Canada 14->47 75 Writes to foreign memory regions 14->75 77 Injects a PE file into a foreign processes 14->77 18 aspnet_compiler.exe 7 17 14->18         started        23 cmd.exe 2 14->23         started        25 conhost.exe 14->25         started        signatures8 process9 dnsIp10 43 geoplugin.net 178.237.33.50, 49692, 80 ATOM86-ASATOM86NL Netherlands 18->43 31 C:\Users\user\...\ekpvoftmhsgptris.vbs, data 18->31 dropped 33 C:\ProgramData\remcos\logs.dat, data 18->33 dropped 57 Contains functionality to bypass UAC (CMSTPLUA) 18->57 59 Contains functionalty to change the wallpaper 18->59 61 Contains functionality to steal Chrome passwords or cookies 18->61 65 3 other signatures 18->65 27 wscript.exe 18->27         started        35 C:\ProgramData\elucidating.vbs, ASCII 23->35 dropped 63 Command shell drops VBS files 23->63 29 conhost.exe 23->29         started        file11 signatures12 process13
Score:
10%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/6711c242230b0e6838533c8b15f8944904aecc62f5f6f2b567f13e48dc8ec8c4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6711c242230b0e6838533c8b15f8944904aecc62f5f6f2b567f13e48dc8ec8c4/
Threat name:
Script-WScript.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2025-03-18 07:59:09 UTC
File Type:
Text (VBS)
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m4i4eqrdbmhgqocthsfrl6eujeck5tdc6x3pfnlh6e7erxeozdca._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1062633c85423f873214e50175d44e3aa1a29f24e2abed589170ae69cf6f1138
RemcosRAT
2a7f932fb984d3485eb721810e58cf929a1d1fe719d3b29e15f4f7ef0d4ad8a9
RemcosRAT
322538eeb708f6f481acc7166a17737e161a11297149603095d0ef43ea255569
RemcosRAT
474f1c4b6cacca4f2c6acabdd80ea7a6b3df97e31f3086f0ca822834710536b2
RemcosRAT
48c692e973ecbbd4a4711a0c3cd08e732014fa7b05aaf68492aa40d73a5fe7ed
RemcosRAT
4c188a5d3208a2a49002ba3bc5325980e6852130209280486fce7a02a82fbced
RemcosRAT
6c13c32dc34af1720cbe4136dc97db38a69f301dac2f912e21cafaf4824f0250
RemcosRAT
6ef147fad49263cc33d1b2391e2647ca0aa81a28c3e4bb4d195493b6b713407d
RemcosRAT
error
RemcosRAT
+ 56 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:new defense_evasion discovery execution rat trojan
Link:
https://tria.ge/reports/250318-jve6ps1ky9/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Blocklisted process makes network request
Remcos
Remcos family
UAC bypass
Malware Config
C2 Extraction:
wormbit.ydns.eu:23101
realsw.mooo.com:23101
realws.ydns.eu:23101
realsw.strangled.net:23101
realsw.ydns.eu:23101
realsw.jumpingcrab.com:23101
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6711c242230b0e6838533c8b15f8944904aecc62f5f6f2b567f13e48dc8ec8c4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_tiny_vbs
Create hunting rule
Author:daniyyell
Description:Detects tiny VBS delivery technique

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Visual Basic Script (vbs) vbs 6711c242230b0e6838533c8b15f8944904aecc62f5f6f2b567f13e48dc8ec8c4

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments