MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77c1d0751cebaa15074b84ae860ac17111b966e50b647a6d2677fa9a6b341040. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77c1d0751cebaa15074b84ae860ac17111b966e50b647a6d2677fa9a6b341040
SHA3-384 hash: 6c94a30fa1cbc76bf2e9cfcec2d5c203429655b4eb733cbc670ea234c22c34ab648cbb97cb08b778f9e163d4afca70ab
SHA1 hash: bf6f796c95802283b8acb7f2d27b524efecb3682
MD5 hash: 6ac932e3d03370628042d5d672843160
humanhash: hawaii-harry-georgia-emma
File name:31agosto.vbs
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:112'499 bytes
First seen:2025-12-05 18:18:55 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 192:Oerg4OA6pWaXv352V5NFXJBPZxYmwDRVqx8FXJBqGtiKGOi6z6ahzWaq7hYmwWQn:SCX0+f6aL/OehUSiAHOVVU5XW5x1BRD
TLSH T103B3DAAAD431A1C11B07FF385E165EA0405124A88D221E7D1AFDC3AF982397ECDF975E
Magika vba
Reporter abuse_ch
Tags:RAT RemcosRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
19
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/42687/
Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6933222731688d480ab31ae8
Tags:
obfuscate xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 fingerprint obfuscated obfuscated overlay powershell
Link:
https://www.filescan.io/uploads/69332227ff25e40750d51231/reports/f9dc3b31-4925-498f-94ab-95f06e859e86/overview
Verdict:
Malicious
Labled as:
VBS/TrojanDownloader.Agent
Link:
https://www.hybrid-analysis.com/sample/77c1d0751cebaa15074b84ae860ac17111b966e50b647a6d2677fa9a6b341040
Result
Gathering data
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1827558
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Creates processes via WMI
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal Bitcoin Wallet information
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Yara detected MSILDownloaderGeneric
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1827558 Sample: 31agosto.vbs Startdate: 05/12/2025 Architecture: WINDOWS Score: 100 21 purerat32.duckdns.org 2->21 23 esvpotfvg0.ufs.sh 2->23 25 2 other IPs or domains 2->25 41 Suricata IDS alerts for network traffic 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Yara detected PureLog Stealer 2->45 49 10 other signatures 2->49 8 wscript.exe 2->8         started        signatures3 47 Uses dynamic DNS services 21->47 process4 signatures5 51 Suspicious powershell command line found 8->51 53 Wscript starts Powershell (via cmd or directly) 8->53 55 Windows Scripting host queries suspicious COM object (likely to drop second stage) 8->55 57 2 other signatures 8->57 11 powershell.exe 14 15 8->11         started        process6 dnsIp7 27 esvpotfvg0.ufs.sh 172.67.184.177, 443, 49719 CLOUDFLARENETUS United States 11->27 29 pngup.com 149.56.126.37, 443, 49718 OVHFR Canada 11->29 59 Found many strings related to Crypto-Wallets (likely being stolen) 11->59 61 Writes to foreign memory regions 11->61 63 Injects a PE file into a foreign processes 11->63 15 aspnet_regsql.exe 2 2 11->15         started        19 conhost.exe 11->19         started        signatures8 process9 dnsIp10 31 purerat32.duckdns.org 181.235.10.171, 2023, 49726, 49728 COLOMBIATELECOMUNICACIONESSAESPCO Colombia 15->31 33 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 15->33 35 Found many strings related to Crypto-Wallets (likely being stolen) 15->35 37 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 15->37 39 4 other signatures 15->39 signatures11
Score:
58%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/77c1d0751cebaa15074b84ae860ac17111b966e50b647a6d2677fa9a6b341040
Verdict:
Malware
YARA:
1 match(es)
Tags:
OlePrn.DSPrintQueue.1 Scripting.FileSystemObject VBScript
Link:
https://app.malva.re/file/6ac932e3d03370628042d5d672843160
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/77c1d0751cebaa15074b84ae860ac17111b966e50b647a6d2677fa9a6b341040/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o7a5a5i45ovbkb2lqsximcwboei3szxfbnshu3jgo75ju2zucbaa._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery execution
Link:
https://tria.ge/reports/251205-wyc7qswrat/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Process spawned unexpected child process
Malware Config
Dropper Extraction:
https://pngup.com/VmOv/MSI_PRO_with_b64.png
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Visual Basic Script (vbs) vbs 77c1d0751cebaa15074b84ae860ac17111b966e50b647a6d2677fa9a6b341040

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3696625/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3723442/
  
URLhaus
https://urlhaus.abuse.ch/url/3721272/
  
URLhaus
https://urlhaus.abuse.ch/url/3720971/
  
URLhaus
https://urlhaus.abuse.ch/url/3651443/
  
URLhaus
https://urlhaus.abuse.ch/url/3684488/
  
URLhaus
https://urlhaus.abuse.ch/url/3723453/
  
URLhaus
https://urlhaus.abuse.ch/url/3723459/
  
URLhaus
https://urlhaus.abuse.ch/url/3720981/
  
URLhaus
https://urlhaus.abuse.ch/url/3619990/
  
URLhaus
https://urlhaus.abuse.ch/url/3626699/
  
URLhaus
https://urlhaus.abuse.ch/url/3724301/
  
URLhaus
https://urlhaus.abuse.ch/url/3692778/
Cape
Cape
https://www.capesandbox.com/analysis/42687/
  
URLhaus
https://urlhaus.abuse.ch/url/3720969/
  
URLhaus
https://urlhaus.abuse.ch/url/3720957/
  
URLhaus
https://urlhaus.abuse.ch/url/3720982/

Comments