MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 724b6b5e627086ff22b9f2d2c045faa880dea62f513a694058b452aa1b6cad6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 724b6b5e627086ff22b9f2d2c045faa880dea62f513a694058b452aa1b6cad6f
SHA3-384 hash: 2452d0a707b869bbfaa9ff8552bfc6bae2b01e37626d6eb3859021bf807aae676f7d08f1fb9e6fa0ef86ad40c30846c6
SHA1 hash: 54930d7e98aa81a0c55a07257a1838fff0ee90f3
MD5 hash: 5c254d66437ffbfe4146ae22a516451f
humanhash: island-juliet-muppet-october
File name:Payment Update 0310fz.vbs
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:2'275 bytes
First seen:2022-03-10 10:11:47 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:8VpEDkzsIvvQ6vSM6uo/e/HuLTiPIQ8U0BdO:w8kQILto/e/OLGhr
Threatray 1'471 similar samples on MalwareBazaar
TLSH T1EB41D09E794BA924A1317E72DC8B085CE2761292E26553923A0CC7D9CF3A16CDAC6C1D
Reporter abuse_ch
Tags:RemcosRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/249086/
Detection(s):
SecuriteInfo.com.VBS.Agent.iz.31242.16128.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6229cf000cd58dbd92758017/reports/70a4189a-205f-4786-a09e-dfda2c43b3a1/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
Unknown
Detection:
malicious
Classification:
adwa.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/954078
Signature
Antivirus detection for URL or domain
Drops PE files to the startup folder
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Very long command line found
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 586555 Sample: Payment Update 0310fz.vbs Startdate: 10/03/2022 Architecture: WINDOWS Score: 76 35 Malicious sample detected (through community Yara rule) 2->35 37 Antivirus detection for URL or domain 2->37 7 wscript.exe 14 2->7         started        11 wscript.exe 13 2->11         started        process3 dnsIp4 33 www.meonhanong.com 103.90.233.184, 443, 49780, 49791 WEBPANDA-AS-VNCongtyTNHHWebPandaVN Viet Nam 7->33 39 System process connects to network (likely due to code injection or exploit) 7->39 41 Wscript starts Powershell (via cmd or directly) 7->41 43 Very long command line found 7->43 13 cmd.exe 1 7->13         started        16 powershell.exe 14 19 7->16         started        19 powershell.exe 11->19         started        signatures5 process6 dnsIp7 45 Drops PE files to the startup folder 13->45 21 conhost.exe 13->21         started        27 www.meonhanong.com 16->27 29 192.168.2.1 unknown unknown 16->29 23 conhost.exe 16->23         started        31 www.meonhanong.com 19->31 25 conhost.exe 19->25         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/724b6b5e627086ff22b9f2d2c045faa880dea62f513a694058b452aa1b6cad6f/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2022-03-10 10:12:33 UTC
File Type:
Text (VBS)
AV detection:
4 of 42 (9.52%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ojfwwxtcocdp6ivz6ljmarp2vcan5jrpke5gsqcywrjkug3mvvxq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
09b75cdc3edcad3cc8b1729683a1132506e851c9d7a1d864fc842284822d1ba5
RemcosRAT
38c2822b3929fe567273c89ddbdc3fb49a750199cd795f36ad6dc29bb614e4c6
RemcosRAT
a02d52f23eb9e8a857c9ed01d81e6220e787a1e2838d42c2734e99bc73cff250
RemcosRAT
b0ac37aec0eef942e0ff9c35828584b8d887f951ec13afbd80cdc4ce23595ae4
RemcosRAT
b53db8cda884be522adeb2f293a41fa80fa2522b3c2eedb1ed20841c5a41d716
RemcosRAT
c530ab34e439bbcaf995290504072a5f77ec085e2ef485e4ef324b7a957f5738
RemcosRAT
e12fdcfde01952915157328b7afec8830f172814db0ce8d8658d427088b728d0
RemcosRAT
eb1d29174d0a65b4ff95f172d35532666fed7cd6659ec77591240777b5b76452
RemcosRAT
ebf21217cedcf7f1809418985cb120b150b12d2ec955119c73f7c3170b5f2232
RemcosRAT
+ 1'461 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220310-l8kz8ahfbq/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/724b6b5e6270/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/724b6b5e627086ff22b9f2d2c045faa880dea62f513a694058b452aa1b6cad6f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/249086/

Comments