MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a50c056a96999f841ea1ef7bb6674da47579f5cafe02e295c75e980b36219a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9a50c056a96999f841ea1ef7bb6674da47579f5cafe02e295c75e980b36219a9
SHA3-384 hash: f8faa1314248313a6a7c4f7c78f585851d5c5ffc25d66fb86a4345d673932bd708b13dc9dc4055af7d1c60359f0773f6
SHA1 hash: cdfdd0fcec5dadacd248dce62b7dab57dc56d2aa
MD5 hash: fc11ac8ba36dfa7e896dd65f9dbb5eb0
humanhash: yellow-delaware-nine-carolina
File name:Doc. no. MTSMEXP-30012021.vbs
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:24'885 bytes
First seen:2021-10-04 06:06:10 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24:9n9pXuQJzRlzh/J1eSO4SHSRS6USuSCSMzP2KDchVMb7FQgcC:17zlzf1ezP2KYe
Threatray 684 similar samples on MalwareBazaar
TLSH T1FAB26820E4434DB707DB9E694EC2A3625AF603CA545A054FB748BFBC008ABCA6DC51F7
Reporter cocaman
Tags:RemcosRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/194427/
Detection(s):
SecuriteInfo.com.ISB.Downloadergen48.10341.4170.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/615c2fb2e3d213d202b77438/reports/ac06bdc7-2278-447c-b02d-ac7c64db728b/overview
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/863655
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates an undocumented autostart registry key
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Sigma detected: CrackMapExec PowerShell Obfuscation
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Obfuscated Powershell
Yara detected Powershell download and execute
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 496083 Sample: Doc. no. MTSMEXP-30012021.vbs Startdate: 04/10/2021 Architecture: WINDOWS Score: 100 29 Found malware configuration 2->29 31 Malicious sample detected (through community Yara rule) 2->31 33 Detected Remcos RAT 2->33 35 5 other signatures 2->35 7 wscript.exe 1 2->7         started        process3 signatures4 37 VBScript performs obfuscated calls to suspicious functions 7->37 39 Wscript starts Powershell (via cmd or directly) 7->39 41 Very long command line found 7->41 10 powershell.exe 14 30 7->10         started        process5 dnsIp6 27 Officialsw.chickenkiller.com 212.192.246.191, 2310, 49751, 49758 RHC-HOSTINGGB Russian Federation 10->27 23 C:\Users\Public\Run\Run.BAT, ASCII 10->23 dropped 43 Creates an undocumented autostart registry key 10->43 45 Writes to foreign memory regions 10->45 47 Injects a PE file into a foreign processes 10->47 15 aspnet_compiler.exe 10->15         started        18 aspnet_compiler.exe 10->18         started        21 conhost.exe 10->21         started        file7 signatures8 process9 dnsIp10 49 Contains functionality to steal Chrome passwords or cookies 15->49 51 Contains functionality to inject code into remote processes 15->51 53 Contains functionality to steal Firefox passwords or cookies 15->53 55 Delayed program exit found 15->55 25 Officialsw.chickenkiller.com 18->25 57 Installs a global keyboard hook 18->57 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9a50c056a96999f841ea1ef7bb6674da47579f5cafe02e295c75e980b36219a9/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tjimavvjngm7qqpkd333wztu3jdvph24v7qc4kk4oxuybm3cdguq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
5000f900d0d52fb1b6634d0437711ab10c9184d080c852f17b2fb114a35446a8
RemcosRAT
772a319b31a1922eadd022f30aa60680e911f758d4c81c4dbf16614cf7791f0a
RemcosRAT
77ce24c903d75a340e3d5664091c7b72a2529640931e662b80b8dc3fb9226929
RemcosRAT
8378cff1c00e9259db81de361f9e5ebfc5eb1e932c0d21c5b003360c46a7eb43
RemcosRAT
860e16c192167d5dd823b8e533858cdada7aa9b3173254f2f57031af68b84e0c
RemcosRAT
87284733f84447db5f12697e7ce2fb44671cbf404e040cf85085b223eab02b95
RemcosRAT
993528adce97be31c6c1e1c01f4877f229b10e8f06b87d8cbcc2f95b46866872
RemcosRAT
a3faa214333ce59ed895410e011c4cbd44fe51b26ed5bf2a0ed54e225616f893
RemcosRAT
af9fa73ff6907f77d55aac6376f3f2e73160fc97afec3656e77da8d5e0a6a488
RemcosRAT
bfd45ef21e21655c921b457242c1d4e05a1e979d0051a4195192d8e17b7bed38
RemcosRAT
+ 674 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:arab rat
Link:
https://tria.ge/reports/211004-gvcdpsgadm/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Enumerates physical storage devices
Suspicious use of SetThreadContext
Blocklisted process makes network request
Remcos
Malware Config
C2 Extraction:
Officialsw.chickenkiller.com:2310
official.ydns.eu:2310
hurricane.ydns.eu:2310
Dropper Extraction:
http://212.192.246.191/bypass_D_46576879786874q7557756q86e.txt
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9a50c056a969/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9a50c056a96999f841ea1ef7bb6674da47579f5cafe02e295c75e980b36219a9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

rar 647fa66c2cef019a16ae46d3648949b6777fb2f03ceeff8494ae76e65b34f187

RemcosRAT

Visual Basic Script (vbs) vbs 9a50c056a96999f841ea1ef7bb6674da47579f5cafe02e295c75e980b36219a9

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 647fa66c2cef019a16ae46d3648949b6777fb2f03ceeff8494ae76e65b34f187
Cape
Cape
https://www.capesandbox.com/analysis/194427/

Comments