MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7123256ecff0daa41a49448c5fd399c35b02ea28bdf8f129c0ff4145a0a04a3c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7123256ecff0daa41a49448c5fd399c35b02ea28bdf8f129c0ff4145a0a04a3c
SHA3-384 hash: 3e2951854ce6d60fbfe07391c4391d352dafeb0e3b3dbed3ebcc784b975181e676b0641242dc8d5e82464c3c06f72671
SHA1 hash: 2a5da97c42e28d1ce6ac8556af7b54b56d27371c
MD5 hash: eb3cd9eea1799cb4ddee9cc5ba89f58c
humanhash: hamper-fourteen-apart-fourteen
File name:电汇 23,480.25 美元.vbs
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:435'460 bytes
First seen:2026-06-22 15:15:06 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 12288:9mfm9sh8u+OSJ8J8Cxh+VXQfAb70ZG9VFQDxXPyqhvwubfJ:cCQ8DTCZwuF
Threatray 163 similar samples on MalwareBazaar
TLSH T19594E838A9EA502B71B3EE55CAD4F797E95FB663370E5819109303CA4613943EDC223E
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika vba
Reporter abuse_ch
Tags:RemcosRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
26
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71579/
Detection(s):
SecuriteInfo.com.VBS.Agent-107.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a3952231548daf709f8e54a
Tags:
obfuscate stration shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
aes base64 base64 conhost crypto obfuscated powershell
Link:
https://www.filescan.io/uploads/6a3951d490632a45f7333d64/reports/6d73928f-b8e1-4064-b178-4b36d1b57fcf/overview
Verdict:
Malicious
Labled as:
VBS/Obfuscated.EG trojan
Link:
https://www.hybrid-analysis.com/sample/7123256ecff0daa41a49448c5fd399c35b02ea28bdf8f129c0ff4145a0a04a3c
Verdict:
Malicious
File Type:
vbs
First seen:
2026-06-21T21:30:00Z UTC
Last seen:
2026-06-22T11:15:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/7123256ecff0daa41a49448c5fd399c35b02ea28bdf8f129c0ff4145a0a04a3c/results?tab=lookup
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1932085
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Internet Explorer form passwords
Contains functionalty to change the wallpaper
Creates an undocumented autostart registry key
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Powershell scriptblock execution from environment variable
Sigma detected: Remcos
Sigma detected: Suspect Svchost Activity
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1932085 Sample: #U7535#U6c47 23,480.25 #U7f... Startdate: 22/06/2026 Architecture: WINDOWS Score: 100 39 screwvacumm.com 2->39 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for dropped file 2->49 51 9 other signatures 2->51 9 wscript.exe 1 2->9         started        12 svchost.exe 1 1 2->12         started        signatures3 process4 dnsIp5 67 VBScript performs obfuscated calls to suspicious functions 9->67 69 Windows Scripting host queries suspicious COM object (likely to drop second stage) 9->69 71 Suspicious execution chain found 9->71 73 2 other signatures 9->73 15 conhost.exe 9->15         started        43 127.0.0.1 unknown unknown 12->43 signatures6 process7 process8 17 powershell.exe 15 18 15->17         started        dnsIp9 37 screwvacumm.com 148.163.124.13, 443, 49688, 49689 IOFLOOD-InputOutputFloodLLCUS United States 17->37 27 C:\Users\user\...\v1628.vbs:Zone.Identifier, ASCII 17->27 dropped 29 C:\Users\user\AppData\Local\v742\v1628.vbs, Unicode 17->29 dropped 53 Creates an undocumented autostart registry key 17->53 55 Writes to foreign memory regions 17->55 57 Injects a PE file into a foreign processes 17->57 22 svchost.exe 4 3 17->22         started        file10 signatures11 process12 dnsIp13 41 216.250.253.127, 2404, 49690, 49691 MAJESTIC-HOSTING-01-MajesticHostingSolutionsLLCUS United States 22->41 31 C:\Users\user\AppData\...\Login Data.tmp, SQLite 22->31 dropped 33 C:\Users\user\AppData\...\Login Data.tmp, SQLite 22->33 dropped 35 C:\Users\user\...\Login Data For Account.tmp, SQLite 22->35 dropped 59 System process connects to network (likely due to code injection or exploit) 22->59 61 Contains functionality to bypass UAC (CMSTPLUA) 22->61 63 Detected Remcos RAT 22->63 65 5 other signatures 22->65 file14 signatures15
Score:
95%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/7123256ecff0daa41a49448c5fd399c35b02ea28bdf8f129c0ff4145a0a04a3c
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7123256ecff0daa41a49448c5fd399c35b02ea28bdf8f129c0ff4145a0a04a3c/
Threat name:
Win32.Dropper.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-06-22 02:50:29 UTC
File Type:
Text (VBS)
AV detection:
3 of 36 (8.33%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oersk3wp6dnkigsjisgf7u4zynnqf2rixx4pckoa75aulifaji6a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
5076ae6b62c03eef7752e9bc8159fab299d9318b7c7dd1284d551332e9b12c38
RemcosRAT
61c857e42f076450574d7e708cf9ca8104c25ad32606317afdbaa33c1b49fb1e
RemcosRAT
65be1a2c9c01702ceef1fc9f63845983054b415d7c5385e72c80bc9c8657668a
RemcosRAT
6851692e3b8006c3810b7fe6aace46230a15bc1f6ae33bfb6ce516df676a7bb9
RemcosRAT
8c4c624560184a6b580370527f4e8a3918e3db7162862f68c424ae8b80240a35
RemcosRAT
c32f241ad7caea783e5222e8bf4e556e52433e6944a111026d35cd17e50530b1
RemcosRAT
c52315c118626b36dd8225235b0d62afe6a75565eab7cdc498b13e513d664666
RemcosRAT
e589a971af7b6aac65f79518a17b3f2923c8588c251af17b2727c8fcb52fac64
RemcosRAT
error
RemcosRAT
+ 153 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:client collection execution persistence rat
Link:
https://tria.ge/reports/260622-snwpjsdx9j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Registers new Windows logon scripts automatically executed at logon.
Badlisted process makes network request
Downloads MZ/PE file
Family: Remcos
Malware Config
C2 Extraction:
216.250.253.127:2404
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7123256ecff0daa41a49448c5fd399c35b02ea28bdf8f129c0ff4145a0a04a3c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/71579/

Comments