MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 770b35baa103302f231c6be89e96d55294801a04aee02693842aa745f6dce621. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 770b35baa103302f231c6be89e96d55294801a04aee02693842aa745f6dce621
SHA3-384 hash: 8f7542bc39dc743f50f1395b698859a2e236e8053c974c1a6d3461908405f84de328c9b0542c6b0dd01ce9e7f59bfc66
SHA1 hash: 3e84cef173d3cfa53118296fabcf67e6df743685
MD5 hash: e77f7666461b722975f41e98698cc607
humanhash: foxtrot-diet-washington-october
File name:task.vbs
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:48'150 bytes
First seen:2025-08-27 06:41:52 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 768:0ia4lhwVGG8TnF8Y53rgFSD9PB3UY8BMDyEMTT37nqSJ6/9gnFpLkOt:0iBG8TnFR3FPYBMWEMf37nFJ6/9gnF5R
Threatray 1'422 similar samples on MalwareBazaar
TLSH T190235F96B76B1E1E4881359E15B296422C6CC36477A3B137F91E4CCD34C6F88F4A398B
Magika vba
Reporter abuse_ch
Tags:RAT RemcosRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
64
Origin country :
SE SE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/23769/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68aea8eaeb163e0ec182d256
Tags:
obfuscate xtreme spawn
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/68aea9054a87ed79676d6ef9/reports/db98c5a4-7d24-4181-b817-c0287bfa01d8/overview
Verdict:
Malicious
Labled as:
Valyria
Link:
https://www.hybrid-analysis.com/sample/770b35baa103302f231c6be89e96d55294801a04aee02693842aa745f6dce621
Verdict:
Unknown
File Type:
Link:
https://opentip.kaspersky.com/770b35baa103302f231c6be89e96d55294801a04aee02693842aa745f6dce621/results?tab=lookup
Result
Threat name:
Remcos, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1765947
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates processes via WMI
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Remcos
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1765947 Sample: task.vbs Startdate: 27/08/2025 Architecture: WINDOWS Score: 100 33 domaninspalillos.duckdns.org 2->33 35 gestionycobranzas.com 2->35 37 bg.microsoft.map.fastly.net 2->37 51 Suricata IDS alerts for network traffic 2->51 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 59 15 other signatures 2->59 9 wscript.exe 2->9         started        12 svchost.exe 1 1 2->12         started        signatures3 57 Uses dynamic DNS services 33->57 process4 dnsIp5 67 Suspicious powershell command line found 9->67 69 Wscript starts Powershell (via cmd or directly) 9->69 71 Windows Scripting host queries suspicious COM object (likely to drop second stage) 9->71 73 2 other signatures 9->73 15 powershell.exe 14 15 9->15         started        41 127.0.0.1 unknown unknown 12->41 signatures6 process7 dnsIp8 43 gestionycobranzas.com 178.16.54.253, 49681, 80 DUSNET-ASDE Germany 15->43 45 Writes to foreign memory regions 15->45 47 Suspicious execution chain found 15->47 49 Injects a PE file into a foreign processes 15->49 19 RegAsm.exe 2 15->19         started        22 conhost.exe 15->22         started        24 sppsvc.exe 15->24         started        signatures9 process10 signatures11 61 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 19->61 63 Writes to foreign memory regions 19->63 65 Injects a PE file into a foreign processes 19->65 26 MSBuild.exe 4 2 19->26         started        process12 dnsIp13 39 domaninspalillos.duckdns.org 179.13.0.138, 2415 ColombiaMovilCO Colombia 26->39 31 C:\ProgramData\remcos\logs.dat, data 26->31 dropped 75 Contains functionality to bypass UAC (CMSTPLUA) 26->75 77 Detected Remcos RAT 26->77 79 Contains functionalty to change the wallpaper 26->79 81 4 other signatures 26->81 file14 signatures15
Score:
4%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/770b35baa103302f231c6be89e96d55294801a04aee02693842aa745f6dce621
Gathering data
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/770b35baa103302f231c6be89e96d55294801a04aee02693842aa745f6dce621/
Threat name:
Script-WScript.Trojan.Valyria
Create hunting rule
Status:
Malicious
First seen:
2025-08-27 01:16:02 UTC
File Type:
Text (VBS)
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=o4ftlovbamyc6iy4npuj5fwvkkkiagqev3qcne4efktul5w44yqq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1311aed7b08093746c808edea41d40fb2e8547a1bd86a2516cf7bf4f1f2075fd
RemcosRAT
1bac3ca72f25881a8e0a8ba5a9708a69f100c08c07f050a9922751183c481918
RemcosRAT
3021e7589fef17cce2d2dac8424ecc68a61d84cf25762c4caad209aa0a51e68a
RemcosRAT
7300bb9b7e8f35cc510011449846f4afb36fda088d661f4cd755ce470638c488
RemcosRAT
9f146cf7dbef2543742cf970ce79bf792211b2ffec0426600bab4e556874125b
RemcosRAT
a3a0b78d605313910e3ec9ba9c0c90bc454977f08354185973c0475afb88c842
RemcosRAT
de2924e0b41f3ead65900156974f3048ad41886489c95e01064b5b0885781ecd
RemcosRAT
error
RemcosRAT
ff6ba4489c2fe94e5ed49e2bbb411abbb6677f73b56df746ffb36c6c0ea6b81f
RemcosRAT
+ 1'412 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:dex2 defense_evasion discovery execution rat
Link:
https://tria.ge/reports/250827-hg1ptaxkx4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Modifies trusted root certificate store through registry
Remcos
Remcos family
Process spawned unexpected child process
Malware Config
C2 Extraction:
domaninspalillos.duckdns.org:2415
Dropper Extraction:
http://gestionycobranzas.com/1/ws.png
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/770b35baa103302f231c6be89e96d55294801a04aee02693842aa745f6dce621

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Visual Basic Script (vbs) vbs 770b35baa103302f231c6be89e96d55294801a04aee02693842aa745f6dce621

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3609414/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/23769/

Comments