MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6744b66a3d8307ce51ec575669dfb2d0f11e00a36bb1e8c930db3a74c0cb4b89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6744b66a3d8307ce51ec575669dfb2d0f11e00a36bb1e8c930db3a74c0cb4b89
SHA3-384 hash: be54215c36ffdd10ddb8b03427c93cf669b311757c483e0b1da903c429bda87cbee84ada1fd698404b2abb5fb47ad17b
SHA1 hash: 60c84b5ef526199893c4eeb60163a587d7cf6fae
MD5 hash: 13a2203631e87e633957f8c9e5eb092f
humanhash: mexico-item-quiet-juliet
File name:Payment_Advice,pdf.vbs
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'407 bytes
First seen:2025-04-09 06:42:44 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24:m7k4dvE7k4d5D6oFGdDOWwa6jo7apaonrqknCSTPuS07k4db7k4d3VREwFgWS7k8:+b8bffa6jo7apaoroSTPuSUb/bubN7
Threatray 772 similar samples on MalwareBazaar
TLSH T1A121E06CB9B4B440E3E73084804D14D7A2FA112EF015C22A293C366739677FAA5B9287
Magika vba
Reporter abuse_ch
Tags:RemcosRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67f61e0b71beff15dccd9c62
Tags:
remcos cryxos
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade opendir opendir powershell
Link:
https://www.filescan.io/uploads/67f617062d430c849e0e95aa/reports/d7a2c2be-04e7-42f5-ad40-f5ce8bb5fc04/overview
Verdict:
Malicious
Labled as:
VBS/Obfuscated.AO trojan
Link:
https://www.hybrid-analysis.com/sample/6744b66a3d8307ce51ec575669dfb2d0f11e00a36bb1e8c930db3a74c0cb4b89
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1660418
Signature
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Encrypted powershell cmdline option found
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1660418 Sample: Payment_Advice,pdf.vbs Startdate: 09/04/2025 Architecture: WINDOWS Score: 100 27 paste.ee 2->27 29 sbvroar.ydns.eu 2->29 35 Antivirus detection for URL or domain 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 Sample has a suspicious name (potential lure to open the executable) 2->39 43 6 other signatures 2->43 9 wscript.exe 1 2->9         started        signatures3 41 Connects to a pastebin service (likely for C&C) 27->41 process4 signatures5 49 VBScript performs obfuscated calls to suspicious functions 9->49 51 Suspicious powershell command line found 9->51 53 Wscript starts Powershell (via cmd or directly) 9->53 55 4 other signatures 9->55 12 powershell.exe 7 9->12         started        process6 signatures7 57 Suspicious powershell command line found 12->57 59 Encrypted powershell cmdline option found 12->59 15 powershell.exe 17 19 12->15         started        19 conhost.exe 12->19         started        process8 dnsIp9 33 sbvroar.ydns.eu 89.34.230.126, 49692, 80 TENNET-ASRO Romania 15->33 25 C:\ProgramData\conyger.js, Unicode 15->25 dropped 21 wscript.exe 1 12 15->21         started        file10 process11 dnsIp12 31 paste.ee 23.186.113.60, 443, 49693 KLAYER-GLOBALNL Reserved 21->31 45 System process connects to network (likely due to code injection or exploit) 21->45 47 Windows Scripting host queries suspicious COM object (likely to drop second stage) 21->47 signatures13
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/6744b66a3d8307ce51ec575669dfb2d0f11e00a36bb1e8c930db3a74c0cb4b89
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6744b66a3d8307ce51ec575669dfb2d0f11e00a36bb1e8c930db3a74c0cb4b89/
Threat name:
Script-WScript.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2025-04-08 23:42:22 UTC
File Type:
Text (VBS)
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m5clm2r5qmd44upmk5lgtx5s2dyr4afdnoy6rsjq3m5hjqgljoeq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0c25fdd6e72006a4896e82aef58f05e9177a07d75aeff4eeb85dd7138ffb52f6
RemcosRAT
3da71626391cd7e012a6a4075a4463e56af3eeb383ea990bd3b745235ce1ce3a
RemcosRAT
426e44e4c59eab5caeb33b5f0ab569c54fcba00a88def98a0ffacc0eedc59ad5
RemcosRAT
9690ebb923acd798749d7bc2d1cee17d7c1899cf696558e440ecd2482907fddc
RemcosRAT
cbb80b28d18b74f2e7c7cc25613250d84aa207b0b717262477584b5619a5ca12
RemcosRAT
d3f2fca06a2c1fa4292808c0531ed438b774ce0a0e77071af7a739325c448e2b
RemcosRAT
de9dcf9f6ee4f1dd3a6ce3793a6da1e2393535e2ffb9dc8ad46972272a0b4ab1
RemcosRAT
e7e78105c3946eb6ec2297a39ece3865c41f918d75d2a428ef53ef98ba0ad300
RemcosRAT
error
RemcosRAT
fd3141f160c3e5782f6d2ce06b10f90af52dd438856295a925820ee0dfe23a96
RemcosRAT
+ 762 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:new discovery execution rat
Link:
https://tria.ge/reports/250409-hg2bcastds/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Remcos
Remcos family
Malware Config
C2 Extraction:
remsw.ydns.eu:23101
001remsw.ydns.eu:23101
rem002sw.ydns.eu:23101
dip.realmensw.com:23101
sw004rem.ydns.eu:23101
rem001sw.ydns.eu:23101
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments