MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6df479c8789824106084deb65d731b8a4185a5ba4cbbf8c136cfef29c01f8c78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6df479c8789824106084deb65d731b8a4185a5ba4cbbf8c136cfef29c01f8c78
SHA3-384 hash: 46fdd4eba38f7e601a32995a71d1194ca85da4925d8471c1298f9ef253775f5939cb8633a7b6f84a86ac609c19ee2f2a
SHA1 hash: 2a7592d1789cc1fef2c92ebd6fa485050d6df2d8
MD5 hash: b143042e5f14e958432db47d03ca2270
humanhash: yankee-diet-beryllium-berlin
File name:Protected Client.vbs
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:2'481 bytes
First seen:2022-03-15 14:21:27 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:pCNE1GQ0TwuKDbUEr0SRmbJT/1rSoI0huFjNTyGIQP8fC0BdO:UWaE9cJb1rSoIdFjNZ9r
Threatray 2'635 similar samples on MalwareBazaar
TLSH T164510C4A749F782452322EB2BCAF085ED2334787E03546927E09DB9ACE7145CD38986D
Reporter abuse_ch
Tags:RemcosRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/250910/
Detection(s):
SecuriteInfo.com.VBS.Agent.iz.1662.30443.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6230a122dfdfa8501ca44101/reports/d82baa9c-71c7-4eee-9e4d-b09073bd22fe/overview
Result
Verdict:
MALICIOUS
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/957080
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Drops PE files to the startup folder
Drops VBS files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 589614 Sample: Protected Client.vbs Startdate: 15/03/2022 Architecture: WINDOWS Score: 100 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for URL or domain 2->49 51 3 other signatures 2->51 7 wscript.exe 14 2->7         started        11 wscript.exe 13 2->11         started        process3 dnsIp4 37 meonhanong.com 103.90.233.184, 49764, 49773, 49774 WEBPANDA-AS-VNCongtyTNHHWebPandaVN Viet Nam 7->37 63 System process connects to network (likely due to code injection or exploit) 7->63 65 Wscript starts Powershell (via cmd or directly) 7->65 67 Very long command line found 7->67 13 powershell.exe 14 19 7->13         started        17 cmd.exe 1 7->17         started        19 powershell.exe 11->19         started        signatures5 process6 dnsIp7 41 meonhanong.com 13->41 69 Writes to foreign memory regions 13->69 71 Injects a PE file into a foreign processes 13->71 21 calc.exe 13->21         started        24 calc.exe 2 2 13->24         started        27 conhost.exe 13->27         started        73 Drops VBS files to the startup folder 17->73 75 Drops PE files to the startup folder 17->75 29 conhost.exe 17->29         started        43 meonhanong.com 19->43 31 conhost.exe 19->31         started        33 calc.exe 19->33         started        35 calc.exe 19->35         started        signatures8 process9 dnsIp10 53 System process connects to network (likely due to code injection or exploit) 21->53 55 Contains functionalty to change the wallpaper 21->55 57 Contains functionality to steal Chrome passwords or cookies 21->57 61 3 other signatures 21->61 39 xoo.ddns.net 185.244.31.156, 4376, 49784 UKSERVERS-ASUKDedicatedServersHostingandCo-Location Netherlands 24->39 59 Installs a global keyboard hook 24->59 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6df479c8789824106084deb65d731b8a4185a5ba4cbbf8c136cfef29c01f8c78/
Threat name:
Win32.Downloader.Nemucod
Create hunting rule
Status:
Malicious
First seen:
2022-03-15 15:26:42 UTC
AV detection:
8 of 27 (29.63%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nx2htsdytasbayee323f24y3rjayljn2js57rqjwz7xstqa7rr4a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
6ea16cb1cf48e7eaec58a6f2aa22119b3753adff7782d5ce96282ba99e6ffa42
RemcosRAT
7ef0d658364d22fe0bad6552f114fb4c07046497f06fe6ca0094c5863955e27d
RemcosRAT
a02d52f23eb9e8a857c9ed01d81e6220e787a1e2838d42c2734e99bc73cff250
RemcosRAT
a1b385afa0592f1fc9e0eaacd751beb5e15ff4151f2ac98e0166f29955690b9c
RemcosRAT
ebf21217cedcf7f1809418985cb120b150b12d2ec955119c73f7c3170b5f2232
RemcosRAT
f4b96c1a853a6bdc9a811511c4338262e8a33311d21cea5690c74daa1d2dae32
RemcosRAT
+ 2'625 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:nato rat
Link:
https://tria.ge/reports/220315-rpks1aahdl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Blocklisted process makes network request
Remcos
Malware Config
C2 Extraction:
xoo.ddns.net:4376
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6df479c87898/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6df479c8789824106084deb65d731b8a4185a5ba4cbbf8c136cfef29c01f8c78

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/250910/

Comments