MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c0a20527c28b335cd1a681d41335171de3d17b967c84cf16aedd044c4638838. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT
Vendor detections: 10

SHA256 hash: 6c0a20527c28b335cd1a681d41335171de3d17b967c84cf16aedd044c4638838
SHA3-384 hash: a7c1ab500a469b11b4d63750aa4b82f85ed01f2d06af8870e41c7484de1b0b8c006ae4b1bf7a54a3623e991779a59e6c
SHA1 hash: e2f8f3385b1fc18b7006cef87736eee86e0218cc
MD5 hash: e5dec8c463870f72ec318ad1f48f344c
humanhash: single-virginia-hotel-alpha
File name: niceworkingskillgivenbetterwayofbetterthings.hta
Signature: RemcosRAT
File size: 432'203 bytes
First seen: 2025-01-23 20:31:40 UTC
Last seen: Never
File type: HTML Application (hta)
MIME type: text/html
ssdeep: 768:tAnbjKx80AIu6GTs1A5fRgd4m2hX/kDr333K3TGG+jGx/waGIX/0GxL+jGxx1z0c:tu
TLSH: T16E940517C78FE5387697AEBFE6ACA62602D3DC82F5D9404B06FC69C01AD1ADD785C840
Magika: asp
Reporter: abuse_ch
Tags: hta RemcosRAT

Intelligence

File Origin
# of uploads: 1
# of downloads: 158
Origin country: DE

Vendor Threat Intelligence

Verdict: Malicious
Score: 92.5%
Tags: obfuscate shell sage

Result
Verdict: Malicious
File Type: HTA File - Malicious
Payload URLs
URL: http://www.nbns.com
File name: HTA File
Behaviour
BlacklistAPI detected

Result
Verdict: MALICIOUS
Details
Hidden Powershell: Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
Base64 Encoded URL: Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.

Result
Threat name: Cobalt Strike, MassLogger RAT
Detection: malicious
Classification: phis.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Creates multiple autostart registry keys
Detected Cobalt Strike Beacon
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Register Wscript In Run Key
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected MassLogger RAT
Yara detected obfuscated html page
Yara detected Powershell decode and execute
Yara detected Telegram RAT
Behaviour
Behavior Graph: Behavior Graph ID 1598055 (sample niceworkingskillgivenbetter..., start date 23/01/2025, architecture WINDOWS, score 100); the rendered process graph is not reproduced here.
Threat name: Script-WScript.Trojan.Asthma
Status: Malicious
First seen: 2025-01-23 14:49:28 UTC
File Type: Text (JavaScript)
AV detection: 11 of 38 (28.95%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: collection defense_evasion discovery evasion execution persistence phishing trojan
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Evasion via Device Credential Deployment
Modifies Windows Defender DisableAntiSpyware settings
UAC bypass
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: RemcosRAT
Sample: HTML Application (hta) 6c0a20527c28b335cd1a681d41335171de3d17b967c84cf16aedd044c4638838 (this sample)

Delivery method: Distributed via web download

Comments