MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7795f522a55ae41cb43c380f7bb4150a2170b9fca1e8b98070ee32934f32fb1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7795f522a55ae41cb43c380f7bb4150a2170b9fca1e8b98070ee32934f32fb1a
SHA3-384 hash: b23eae4d7204754f3fc9a716d5465daf8781da2e4defda4b495a0070e64b6b371aac9c383f882d4496c3e641bf6106a3
SHA1 hash: 98fa5eca5a16266471c1b5056d03846f3c9c6f50
MD5 hash: e0ed0c9ca4b1c665c4e3bf59264437a7
humanhash: delta-kansas-indigo-oklahoma
File name:lukas.vbs
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:684'740 bytes
First seen:2023-06-20 08:18:22 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:FQvgYcpa5U+ogsUJW4Wrle/PhG+/kery+bGMvbEQEkqkM5Lyi9LYHIdtUogy6Gi0:QgYcpl+og0S7TbEQEkqkMWsgw9ZqeH
Threatray 2'099 similar samples on MalwareBazaar
TLSH T1D8E44E197E9F40FCE13ABD5A5BECAA9C0F5FB305453EA1092148454B4B87DC28E91FA3
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter lowmal3
Tags:RemcosRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
DE DE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/400924/
Detection(s):
SecuriteInfo.com.VB.Trojan.Valyria.8282.20403.29840.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/649160f78d2002f9452b1682/reports/af39a407-51da-40df-916f-ac4179477abe/overview
Verdict:
Malicious
Labled as:
Valyria
Link:
https://www.hybrid-analysis.com/sample/7795f522a55ae41cb43c380f7bb4150a2170b9fca1e8b98070ee32934f32fb1a
Result
Verdict:
MALICIOUS
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1258028
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suspicious powershell command line found
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 891048 Sample: lukas.vbs Startdate: 20/06/2023 Architecture: WINDOWS Score: 100 35 Multi AV Scanner detection for domain / URL 2->35 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 8 other signatures 2->41 7 wscript.exe 1 2->7         started        process3 signatures4 43 VBScript performs obfuscated calls to suspicious functions 7->43 45 Suspicious powershell command line found 7->45 47 Wscript starts Powershell (via cmd or directly) 7->47 49 Very long command line found 7->49 10 powershell.exe 14 7 7->10         started        13 cmd.exe 1 7->13         started        process5 signatures6 51 Writes to foreign memory regions 10->51 53 Injects a PE file into a foreign processes 10->53 15 RegAsm.exe 10->15         started        18 RegAsm.exe 3 14 10->18         started        21 conhost.exe 10->21         started        55 Wscript starts Powershell (via cmd or directly) 13->55 57 Uses ping.exe to sleep 13->57 59 Uses ping.exe to check the status of other devices and networks 13->59 23 powershell.exe 7 13->23         started        25 PING.EXE 1 13->25         started        27 conhost.exe 13->27         started        process7 dnsIp8 61 Contains functionality to bypass UAC (CMSTPLUA) 15->61 63 Contains functionality to steal Chrome passwords or cookies 15->63 65 Contains functionality to modify clipboard data 15->65 71 2 other signatures 15->71 29 colukas37.ddns.net 194.180.48.191, 2111, 49713 LVLT-10753US Germany 18->29 31 geoplugin.net 178.237.33.50, 49714, 80 ATOM86-ASATOM86NL Netherlands 18->31 67 Installs a global keyboard hook 18->67 69 Found suspicious powershell code related to unpacking or dynamic code loading 23->69 33 127.0.0.1 unknown unknown 25->33 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7795f522a55ae41cb43c380f7bb4150a2170b9fca1e8b98070ee32934f32fb1a/
Threat name:
Win32.Trojan.Valyria
Create hunting rule
Status:
Malicious
First seen:
2023-06-20 08:19:06 UTC
File Type:
Text (VBS)
AV detection:
7 of 37 (18.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o6k7kivfllsbznb4hahxxnavbiqxbop4uhultadq5yzjgtzs7mna._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1297278ef746096841eeadfbd09a124e044a52bee1be093b4484f95af475c2b3
RemcosRAT
19d950b878e737ae460d86a723a31b651d9130001b9f1b24b178affa9ceff606
RemcosRAT
42e3b6a30881e20d63817f8fbbfb754c2c0027fcebfe962efc1042b4a87602ad
RemcosRAT
55b379ec8cd752f104605bdbd88048c1c3b49c328b393ba496494a118ef5ae16
RemcosRAT
67c7c5ec03b9334d1a132f2b0fd7ddc99515ccdb2372aa3b16463ea34d09f060
RemcosRAT
9483e96760c36e3321a8ccba6968aa4c1707f0cf91fd48fbb7d8afca6006e91e
RemcosRAT
b41e4528449d3fa1730eca98df0dc9fd9e3683ccfaedf1d72ee2af2899f18db8
RemcosRAT
e5ecc9b504121707ebc8782b5a81546ee41e7141d5554271030111c51cc2501f
RemcosRAT
e970fdbbcd35127388ad909820df33fbe5d0a7bd4b52ccde011c5782edfe03fc
RemcosRAT
+ 2'089 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:lukas-host collection rat spyware stealer
Link:
https://tria.ge/reports/230620-j7t6dsca91/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks computer location settings
Drops startup file
Reads user/profile data of web browsers
Blocklisted process makes network request
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
colukas37.ddns.net:2111
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7795f522a55a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.05
Link:
https://yomi.yoroi.company/submissions/7795f522a55ae41cb43c380f7bb4150a2170b9fca1e8b98070ee32934f32fb1a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Visual Basic Script (vbs) vbs 7795f522a55ae41cb43c380f7bb4150a2170b9fca1e8b98070ee32934f32fb1a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/400924/

Comments