MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d99a854713aa68aafd4d6bc5d3b37677e1f1bdd65b0fc8ac459100541ee0415. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d99a854713aa68aafd4d6bc5d3b37677e1f1bdd65b0fc8ac459100541ee0415
SHA3-384 hash: 67724543ffe3fec511a8fff6bb4cc98e6ed3ba0a4ba88df8e7194ffb5f576ef7048075a929e49e1e43ca63e26a531872
SHA1 hash: f2c2b19829f479bc33efe055d57cbfd87e0cd848
MD5 hash: 970776939a8518cf1c0612435a1ba9f4
humanhash: mobile-coffee-alpha-early
File name:RFQ-10202114365.vbs
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:4'103 bytes
First seen:2021-10-19 08:31:18 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:8VRGeHBjBjBjBjBjBjBjBjBjBjBjBjBjBvBjBjBjBjBjBjBjBjBjBjBjBjBjBjqP:MRG8YLTvnF
Threatray 1'641 similar samples on MalwareBazaar
TLSH T1F881BE0B33B26F1BB5F38396C2956ADC49173062122251EFDB172215CF842F32E7539A
Reporter abuse_ch
Tags:RemcosRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/198427/
Detection(s):
SecuriteInfo.com.Win32.Outbreak.9597.16031.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/616e8288a9d585e6d52d5da6/reports/3d00e7bc-21fc-4743-9ea5-e813e176b3e4/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/872952
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates an undocumented autostart registry key
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Obfuscated command line found
Sigma detected: Suspicious PowerShell Command Line
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 505376 Sample: RFQ-10202114365.vbs Startdate: 19/10/2021 Architecture: WINDOWS Score: 100 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Detected Remcos RAT 2->41 43 4 other signatures 2->43 7 wscript.exe 1 2->7         started        process3 signatures4 45 VBScript performs obfuscated calls to suspicious functions 7->45 47 Wscript starts Powershell (via cmd or directly) 7->47 49 Obfuscated command line found 7->49 51 Very long command line found 7->51 10 powershell.exe 14 32 7->10         started        process5 dnsIp6 23 b.catgirlsare.sexy 104.21.233.130, 443, 49750, 49754 CLOUDFLARENETUS United States 10->23 25 192.168.2.1 unknown unknown 10->25 21 PowerShell_transcr....20211019104524.txt, UTF-8 10->21 dropped 53 Creates an undocumented autostart registry key 10->53 55 Writes to foreign memory regions 10->55 57 Injects a PE file into a foreign processes 10->57 15 aspnet_compiler.exe 10->15         started        19 conhost.exe 10->19         started        file7 signatures8 process9 dnsIp10 27 Officialsw.chickenkiller.com 136.144.41.71, 2310, 49791 WORLDSTREAMNL Netherlands 15->27 29 Contains functionality to steal Chrome passwords or cookies 15->29 31 Contains functionality to inject code into remote processes 15->31 33 Contains functionality to steal Firefox passwords or cookies 15->33 35 2 other signatures 15->35 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8d99a854713aa68aafd4d6bc5d3b37677e1f1bdd65b0fc8ac459100541ee0415/
Threat name:
Script.Downloader.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-10-19 08:32:09 UTC
AV detection:
2 of 45 (4.44%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rwm2qvdrhktivl6u226f2ozxm57b6g65mwypzcweleiakqpoaqkq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
138fa2cd5e89767fd71e4e32719550f54910e3ecc3f81fea5341321cc1b5d429
RemcosRAT
502f18997fa73c5af97c3f8f3cd7a8a12d7d648642bd238b4eb15c0457e879a1
RemcosRAT
5d94b24f251b4fd9b9a59a3d60b86512528add9c95a880d8e32e76b1f54b8eea
RemcosRAT
7bdc1c4d7eb4471e5dcf71713b266066df99928f7be8732bfb36fe153f0f5e80
RemcosRAT
8f1eefd14608fae865576d9f7a24be116eb9d8dcebf89c954e2e645b06174c4e
RemcosRAT
ba4b51ae64c68b32d126322b51b41dce7c300c01faed97aca35ff142e121a914
RemcosRAT
cbe42b277b9e2d8ad915917a6c9a6cca9858efb70c342462a0a6701b39dda1fc
RemcosRAT
cd43f136f1d3221cd64fc792a37744dfa9656a9ea5889e52929275c05eb4e33b
RemcosRAT
da71644ee66cad527be192aefdfb9e5c70f0977d111d95e3591c8221aca1ccfc
RemcosRAT
ed78db064dfb4ae791498b2d08410a69bdad684ff709319d179c2383dd8e2f1c
RemcosRAT
+ 1'631 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:asia rat
Link:
https://tria.ge/reports/211019-kfa4wafdg5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Blocklisted process makes network request
Remcos
Malware Config
C2 Extraction:
Officialsw.chickenkiller.com:2310
official.ydns.eu:2310
hurricane.ydns.eu:2310
Dropper Extraction:
https://b.catgirlsare.sexy/o19_rSgYdrE2.txt
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8d99a854713a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8d99a854713aa68aafd4d6bc5d3b37677e1f1bdd65b0fc8ac459100541ee0415

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/198427/

Comments