MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9cf1fdb10c69abf321636907171418f4ca79917c2a280fb1d7216fcb99fd2339. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 25 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9cf1fdb10c69abf321636907171418f4ca79917c2a280fb1d7216fcb99fd2339
SHA3-384 hash: 2eae43d118a76cb9c2e020d28bf0112abbfeef475709d250736056501bdc5fb80b54712d912e912170857c746393e6ae
SHA1 hash: 3aa9884c5877cd84a2a5695bb85d0c1d465762e5
MD5 hash: f3848b1d0ad73445ff208123c109b3a3
humanhash: burger-seventeen-twelve-connecticut
File name:MKBOY.ps1
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:69'134 bytes
First seen:2025-03-14 09:21:46 UTC
Last seen:2025-03-19 13:14:45 UTC
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 1536:nRqPkug6bnczC/2OuzoUZ69eAw4i+RGhCvn9iIHFEecSK:c1GEuEUZIw4i+RGhCv9iIHFEe8
TLSH T16A6382318914B82FCFEF2F47A5102FD33C78153BDE651018B98F19B95AA8238597AF24
Magika powershell
Reporter KatzenTech
Tags:176-65-144-3 ps1 RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
92
Origin country :
DE DE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67d3f84d08116ce4257117be
Tags:
extens packed trojan
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
confuserex dropper obfuscated obfuscated packed packed
Link:
https://www.filescan.io/uploads/67d3f54101edd28374afb0a8/reports/249f3b4f-75f6-4d4b-a3e1-31b326cf86ba/overview
Verdict:
Malicious
Labled as:
Lazy.664762;Gen:Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/9cf1fdb10c69abf321636907171418f4ca79917c2a280fb1d7216fcb99fd2339
Result
Verdict:
MALICIOUS
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1638291
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionalty to change the wallpaper
Detected Remcos RAT
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Powershell drops PE file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1638291 Sample: MKBOY.ps1 Startdate: 14/03/2025 Architecture: WINDOWS Score: 100 36 geoplugin.net 2->36 44 Suricata IDS alerts for network traffic 2->44 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 11 other signatures 2->50 8 powershell.exe 16 2->8         started        12 svchost.exe 1 1 2->12         started        15 notepad.exe 5 2->15         started        signatures3 process4 dnsIp5 32 C:\Users\...\JXCJKXCJHKJHXCJHKXCXCJHK.exe, PE32 8->32 dropped 60 Found suspicious powershell code related to unpacking or dynamic code loading 8->60 62 Powershell drops PE file 8->62 17 JXCJKXCJHKJHXCJHKXCXCJHK.exe 15 4 8->17         started        22 conhost.exe 8->22         started        42 127.0.0.1 unknown unknown 12->42 file6 signatures7 process8 dnsIp9 34 176.65.144.3, 49683, 80 PALTEL-ASPALTELAutonomousSystemPS Germany 17->34 30 C:\Users\user\AppData\Local\Temp\RUNPEE.dll, PE32 17->30 dropped 52 Antivirus detection for dropped file 17->52 54 Multi AV Scanner detection for dropped file 17->54 56 Contains functionality to bypass UAC (CMSTPLUA) 17->56 58 3 other signatures 17->58 24 JXCJKXCJHKJHXCJHKXCXCJHK.exe 4 13 17->24         started        28 JXCJKXCJHKJHXCJHKXCXCJHK.exe 17->28         started        file10 signatures11 process12 dnsIp13 38 198.23.227.212, 32583, 49684 AS-COLOCROSSINGUS United States 24->38 40 geoplugin.net 178.237.33.50, 49685, 80 ATOM86-ASATOM86NL Netherlands 24->40 64 Detected Remcos RAT 24->64 signatures14
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/9cf1fdb10c69abf321636907171418f4ca79917c2a280fb1d7216fcb99fd2339
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9cf1fdb10c69abf321636907171418f4ca79917c2a280fb1d7216fcb99fd2339/
Threat name:
Script-PowerShell.Backdoor.Remcos
Create hunting rule
Status:
Suspicious
First seen:
2025-03-13 03:50:16 UTC
File Type:
Text
AV detection:
10 of 38 (26.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tty73mimngv7gildnedrofay6tfhtel4fiua7moxefx4xgp5em4q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
error
RemcosRAT
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:yavakosa discovery execution rat upx
Link:
https://tria.ge/reports/250314-lby6ksxyfw/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
UPX packed file
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Remcos
Remcos family
Malware Config
C2 Extraction:
198.23.227.212:32583
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9cf1fdb10c69abf321636907171418f4ca79917c2a280fb1d7216fcb99fd2339

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Remcos_unpacked_PulseIntel
Create hunting rule
Author:PulseIntel
Description:Remcos Payload
Rule name:SUSP_PS1_FromBase64String_Content_Indicator_RID3714
Create hunting rule
Author:Florian Roth
Description:Detects suspicious base64 encoded PowerShell expressions
Reference:https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:UPXv20MarkusLaszloReiser
Create hunting rule
Author:malware-lu
Rule name:upx_3
Create hunting rule
Author:Kevin Falcoz
Description:UPX 3.X
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:win_remcos_rat_unpacked
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:win_remcos_w0
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:yarahub_win_remcos_rat_unpacked_aug_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

PowerShell (PS) ps1 9cf1fdb10c69abf321636907171418f4ca79917c2a280fb1d7216fcb99fd2339

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3474952/
  
Delivery method
Distributed via web download

Comments