MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9483e96760c36e3321a8ccba6968aa4c1707f0cf91fd48fbb7d8afca6006e91e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9483e96760c36e3321a8ccba6968aa4c1707f0cf91fd48fbb7d8afca6006e91e
SHA3-384 hash: 6a39fea272f54f8bf013f2f456e35add07910912283fc5b5684b6a7fe5f0ee1153e9980f40cfd9429eeb2beb3ac8ff07
SHA1 hash: 554363ba858d87eb268fcab8b9fd24b4eabfed99
MD5 hash: 9c8e8620335c7907b76eefcb25e5d1c0
humanhash: island-blue-virginia-nine
File name:JKTR002238591_ppwk.vbs
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:669'222 bytes
First seen:2023-06-19 15:39:53 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:aQvgYcpa5U+ogsUJW4Wrle/PhG+/kery+bGWh4y1+M0F+MS+hnk/QtlMMESOgjAt:9gYcpl+og0S711+M0WQE/GZqem
Threatray 1'638 similar samples on MalwareBazaar
TLSH T192E44F6056EE110CF6E2B7871AE83CD6CE0B72169D3A91EBA54847170F67F427D22732
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter James_inthe_box
Tags:RemcosRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/400597/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67545289.6738.3656.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/649076d2b54043e1264dc11b/reports/7dd864b2-ddbe-4363-a700-fc67379ff115/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/9483e96760c36e3321a8ccba6968aa4c1707f0cf91fd48fbb7d8afca6006e91e
Result
Verdict:
MALICIOUS
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1257533
Signature
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to inject code into remote processes
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 890550 Sample: JKTR002238591_ppwk.vbs Startdate: 19/06/2023 Architecture: WINDOWS Score: 100 52 Multi AV Scanner detection for domain / URL 2->52 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 9 other signatures 2->58 8 wscript.exe 1 2->8         started        process3 signatures4 70 VBScript performs obfuscated calls to suspicious functions 8->70 72 Suspicious powershell command line found 8->72 74 Wscript starts Powershell (via cmd or directly) 8->74 76 Very long command line found 8->76 11 powershell.exe 14 7 8->11         started        15 cmd.exe 1 8->15         started        process5 dnsIp6 50 paste.ee 188.114.96.7, 443, 49714 CLOUDFLARENETUS European Union 11->50 78 Writes to foreign memory regions 11->78 80 Injects a PE file into a foreign processes 11->80 17 RegAsm.exe 3 15 11->17         started        22 conhost.exe 11->22         started        82 Wscript starts Powershell (via cmd or directly) 15->82 84 Uses ping.exe to sleep 15->84 86 Uses ping.exe to check the status of other devices and networks 15->86 24 powershell.exe 7 15->24         started        26 PING.EXE 1 15->26         started        28 conhost.exe 15->28         started        signatures7 process8 dnsIp9 42 kl8nn6dcsfg69bn20h.duckdns.org 103.212.81.158, 3846, 49715, 49716 KANTIPUR-AS-APKantipurPublicationPvtLtdNP Bangladesh 17->42 44 geoplugin.net 178.237.33.50, 49718, 80 ATOM86-ASATOM86NL Netherlands 17->44 40 C:\ProgramData\remcos\logs.dat, data 17->40 dropped 60 Contains functionality to bypass UAC (CMSTPLUA) 17->60 62 Contains functionality to steal Chrome passwords or cookies 17->62 64 Contains functionality to inject code into remote processes 17->64 68 6 other signatures 17->68 30 RegAsm.exe 1 17->30         started        33 RegAsm.exe 1 17->33         started        35 RegAsm.exe 17->35         started        37 32 other processes 17->37 66 Found suspicious powershell code related to unpacking or dynamic code loading 24->66 46 127.0.0.1 unknown unknown 26->46 file10 signatures11 process12 dnsIp13 88 Tries to steal Instant Messenger accounts or passwords 30->88 90 Tries to steal Mail credentials (via file / registry access) 30->90 48 192.168.2.1 unknown unknown 37->48 92 Tries to harvest and steal browser information (history, passwords, etc) 37->92 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9483e96760c36e3321a8ccba6968aa4c1707f0cf91fd48fbb7d8afca6006e91e/
Threat name:
Script-WScript.Trojan.Minerva
Create hunting rule
Status:
Malicious
First seen:
2023-06-16 06:35:01 UTC
File Type:
Text (VBS)
AV detection:
10 of 37 (27.03%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ssb6sz3aynxdginizs5gs2fkjqlqp4gpsh6ur65x3cx4uyag5epa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1c4c51643818307480c2436301dab98c4794812abb3e94df7b133450411b66e1
RemcosRAT
2cf1525cdb58ec9e5d47e5c66619b9cf2966155ece68a66e9bf935369971ccdc
RemcosRAT
78b009999d967e2d3eeb4a10ce91c84048dc566d2a74d8e223a6a5b15db5839b
RemcosRAT
80443f2c84c8a76f98bbfe9e84cfe4a006b2b77b99eb94b0aa3b070197bb58d7
RemcosRAT
99d28200203baac82a7253419526711f38d7ecb1a6098f243c8656adc72ef6d8
RemcosRAT
a1a14de41157c29cdc370987d9e11971d7493d4d809ff5d9b27259f3d30d8ddf
RemcosRAT
a54b78279717d2eb6b13e183e0f69e89a023a8b945dfe47e29819f526037548b
RemcosRAT
e876ad440761c60b772b110b7e6f08c4e156ebdb17d78c55aa4594edc65ff78a
RemcosRAT
ec0a3b7d3636b52ae025418ec21669e06c30f58930f11303571a2af6993ef365
RemcosRAT
+ 1'628 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection rat spyware stealer
Link:
https://tria.ge/reports/230619-s364tsfh9v/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks computer location settings
Drops startup file
Reads user/profile data of web browsers
Blocklisted process makes network request
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
kl8nn6dcsfg69bn20h.duckdns.org:3846
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9483e96760c3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/9483e96760c36e3321a8ccba6968aa4c1707f0cf91fd48fbb7d8afca6006e91e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:TeslaCryptPackedMalware
Create hunting rule
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/400597/

Comments