MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 9d723e0a80c89b6da6e4c9aa6028ee70cce510dc0fb2fac794b155a56c6f6339. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
RemcosRAT
Vendor detections: 8
| SHA256 hash: | 9d723e0a80c89b6da6e4c9aa6028ee70cce510dc0fb2fac794b155a56c6f6339 |
|---|---|
| SHA3-384 hash: | fc33cae7d68a58b21b0d09aad931e3aaf4a32eb8730b22ec3a20a69de1dc40fbd249913609b800b19d82e72ee30c1dc6 |
| SHA1 hash: | 9712c0993fb96f0316879313afd021e138e4fcf0 |
| MD5 hash: | 7a9101362181ebdc808744d3c23f2ec3 |
| humanhash: | ink-winter-ink-mirror |
| File name: | Report-Slip.vbs |
| Download: | download sample |
| Signature | RemcosRAT |
| File size: | 1'627 bytes |
| First seen: | 2021-06-29 06:50:05 UTC |
| Last seen: | Never |
| File type: |  vbs |
| MIME type: | text/plain |
| ssdeep | 24:APuQJk8szpwqJWW/5trEr2keh3kU5gkG2AhqPAtThAgdvs6D9:l1yw15twyZh3kU5gkGZttAgd00 |
| Threatray | 283 similar samples on MalwareBazaar |
| TLSH | 44318734541DBE8A793AB3F207904CF62EEE4C7F29A931502682C9363A761D8179C46F |
| Reporter |  abuse_ch |
| Tags: | RAT RemcosRAT vbs |
Intelligence
File Origin
# of uploads :
1
# of downloads :
197
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Detection(s):
Result
Verdict:
UNKNOWN
Result
Threat name:
Remcos
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates an undocumented autostart registry key
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected MSILLoadEncryptedAssembly
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Threat name:
Script-WScript.Downloader.SLoad
Status:
Malicious
First seen:
2021-06-29 05:05:35 UTC
AV detection:
4 of 46 (8.70%)
Threat level:
3/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
remcos
Similar samples:
+ 273 additional samples on MalwareBazaar
Result
Malware family:
remcos
Score:
10/10
Tags:
family:remcos botnet:remotehost rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Blocklisted process makes network request
Remcos
Malware Config
C2 Extraction:
185.19.85.168:8888
Dropper Extraction:
https://ia601500.us.archive.org/23/items/all-lvaci/ALL_lvaci.txt
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | ach_RemcosRAT |
|---|---|
| Author: | abuse.ch |
| Rule name: | Chrome_stealer_bin_mem |
|---|---|
| Author: | James_inthe_box |
| Description: | Chrome in files like avemaria |
| Rule name: | Email_stealer_bin_mem |
|---|---|
| Author: | James_inthe_box |
| Description: | Email in files like avemaria |
| Rule name: | INDICATOR_EXE_Packed_MPress |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables built or packed with MPress PE compressor |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many email and collaboration clients. Observed in information stealers |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer |
|---|---|
| Author: | ditekSHen |
| Description: | detects Windows exceutables potentially bypassing UAC using eventvwr.exe |
| Rule name: | Keylog_bin_mem |
|---|---|
| Author: | James_inthe_box |
| Description: | Contains Keylog |
| Rule name: | remcos_rat |
|---|---|
| Author: | jeFF0Falltrades |
| Rule name: | REMCOS_RAT_variants |
|---|
| Rule name: | suspicious_packer_section |
|---|---|
| Author: | @j0sm1 |
| Description: | The packer/protector section names/keywords |
| Reference: | http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/ |
| Rule name: | with_sqlite |
|---|---|
| Author: | Julian J. Gonzalez <info@seguridadparatodos.es> |
| Description: | Rule to detect the presence of SQLite data in raw image |
| Reference: | http://www.st2labs.com |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.