MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81a08b163648f4a09fbba230dc34b1b2c7e7e979fedc23c6bf89af0f39f32cff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 81a08b163648f4a09fbba230dc34b1b2c7e7e979fedc23c6bf89af0f39f32cff
SHA3-384 hash: 68e1d60fbaa4d19f2f0a74294efb81fac98530f9c0d41dd5a6f96828429b8edf0a06ddde38d708895d3af7788d16be40
SHA1 hash: 90a8e33fb0e2a51d2b8b53909af21533a30b8671
MD5 hash: 696c6d4d2794915c6c5194b17f055928
humanhash: music-high-lemon-mobile
File name:og3.vbs
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:2'034 bytes
First seen:2022-05-04 11:29:56 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:reNFIGdOlqrnyiJSc9Pk1eB47JVN50XWBjOvPaG:reNacTrnLVa7JjqPaG
Threatray 1'255 similar samples on MalwareBazaar
TLSH T14B41FDAE72476870591348F3FE2F50AE68719283D13960C0BA18FFC11C392B9935A97F
Reporter malwarelabnet
Tags:remcos RemcosRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
208
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/268610/
Detection(s):
SecuriteInfo.com.VBS.Trojan.Agent.46382.5131.8377.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/627263f762b1ae4451d5e314/reports/a30c8036-d781-43ba-b39c-d2035965b13e/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/987690
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
DLL side loading technique detected
Drops PE files to the startup folder
Drops VBS files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Powershell drops PE file
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Costura Assembly Loader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 620186 Sample: og3.vbs Startdate: 04/05/2022 Architecture: WINDOWS Score: 100 65 Multi AV Scanner detection for domain / URL 2->65 67 Found malware configuration 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 4 other signatures 2->71 7 wscript.exe 1 2->7         started        10 wscript.exe 1 2->10         started        12 iexplore.exe 2 83 2->12         started        14 iexplore.exe 1 54 2->14         started        process3 signatures4 73 Wscript starts Powershell (via cmd or directly) 7->73 75 Very long command line found 7->75 16 powershell.exe 14 21 7->16         started        20 powershell.exe 12 7->20         started        22 powershell.exe 10->22         started        24 iexplore.exe 32 12->24         started        27 iexplore.exe 14->27         started        process5 dnsIp6 47 C:\Users\user\AppData\...\AgileDotNetRT64.dll, PE32+ 16->47 dropped 53 Writes to foreign memory regions 16->53 55 DLL side loading technique detected 16->55 57 Injects a PE file into a foreign processes 16->57 59 Powershell drops PE file 16->59 29 RegAsm.exe 16->29         started        32 RegAsm.exe 16->32         started        35 conhost.exe 16->35         started        61 Drops VBS files to the startup folder 20->61 63 Drops PE files to the startup folder 20->63 37 conhost.exe 20->37         started        39 BackgroundTransferHost.exe 22->39         started        41 conhost.exe 22->41         started        43 RegAsm.exe 22->43         started        45 RegAsm.exe 22->45         started        51 107.172.100.226, 49715, 49716, 49737 AS-COLOCROSSINGUS United States 24->51 file7 signatures8 process9 dnsIp10 77 Contains functionality to steal Chrome passwords or cookies 29->77 79 Contains functionality to inject code into remote processes 29->79 81 Contains functionality to steal Firefox passwords or cookies 29->81 83 Delayed program exit found 29->83 49 judyhus19.dvrlists.com 185.19.85.175, 49757, 5050 DATAWIRE-ASCH Switzerland 32->49 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/81a08b163648f4a09fbba230dc34b1b2c7e7e979fedc23c6bf89af0f39f32cff/
Threat name:
Script-WScript.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-05-04 11:30:06 UTC
File Type:
Text (VBS)
AV detection:
8 of 25 (32.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1ccf09551ed031fa0755e2d2c22e05f8136cce389c5b6585d3f3395041637389
RemcosRAT
354a9becf30c58e1bf9bc4756fd08efc296c6f3009352b84e8073bb638533f3f
RemcosRAT
625f25dedd3f7e114dc89cff907dfec350df5cbb4efa09942f2b5ed9950c1216
RemcosRAT
6ea504859dafb477ac16b815e303fc121472298e1cbde707bf292b3432ec20e1
RemcosRAT
7b0093ab95f1f77158ba4493cde35d433e2ffde2bbe45bb4568982447046e333
RemcosRAT
9c9243f11dd44d1f1ac97716014be57244dca97a514e73d5f13da03392cba358
RemcosRAT
b8df890fac057175f86dc5f301f1e1f6d45b2a1b36598934c3fc0144cf433137
RemcosRAT
c52d747cc20d321a0185798c328468b564f9c5a213270ad07861fa7cc147fdda
RemcosRAT
e2957cb5fb3bc6646533495ea0e907b852d768839e39cd49f362b2cb1ab53df9
RemcosRAT
+ 1'245 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:aprilz rat
Link:
https://tria.ge/reports/220504-nl5gfsgchq/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Remcos
Malware Config
C2 Extraction:
judyhus19.dvrlists.com:5050
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/81a08b163648/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/81a08b163648f4a09fbba230dc34b1b2c7e7e979fedc23c6bf89af0f39f32cff

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/268610/

Comments