MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a14fcc6851b168544feec2b3889ccff2bf11306f4d420731b471b249a16af089. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: N-W0rm
Vendor detections: 6

SHA256 hash: a14fcc6851b168544feec2b3889ccff2bf11306f4d420731b471b249a16af089
SHA3-384 hash: c3c6ae51efa868221bd1bd9e7dab2e848285a964234d1ee73c8a52b926738a17a168630422f8e5c00173f4286723739c
SHA1 hash: 52962106f3619283a741129e0cee4423f07fb9ec
MD5 hash: 43ccaa017a432012f15e6f330c19ef90
humanhash: music-wolfram-six-mirror
File name: Protected.vbs
Signature: N-W0rm
File size: 2,382 bytes
First seen: 2022-02-14 16:14:33 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 48:uFKUijzKNmQuC9XdU3IGmvEA+XjOgxR0RQ0Qw8j+LL7b1UKn:8TNmQuCbU3IGmvEACDq8vSLL1tn
Threatray: 944 similar samples on MalwareBazaar
TLSH: T19E41519E3567F47DC5164DB6EC4B9C3E55B2124BA2B8C240BB0CCBC84C346ACAB89D4D
Reporter: abuse_ch
Tags: N-W0rm vbs


abuse_ch
N-W0rm payload URLs:
http://kastex.me/bkp/cnn1.jpg
https://www.srbizasrbe.org/ssl/cnn.jpg

Intelligence

File Origin
# of uploads: 1
# of downloads: 322
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: UNKNOWN

Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Command shell drops VBS files
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Very long command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Costura Assembly Loader
Yara detected Remcos RAT
Behaviour

Behavior Graph (ID 572002; sample: Protected.vbs; start date: 14/02/2022; architecture: WINDOWS; score: 100)

Sample-level signatures:
  - Malicious sample detected (through community Yara rule)
  - Antivirus detection for URL or domain
  - Yara detected Remcos RAT
  - 4 other signatures

Process tree (rebuilt from the flattened graph; leading numbers are the graph's node IDs):
  2  Protected.vbs
   |- 10 wscript.exe
   |    network: kastex.me 192.185.199.45 (ports 49745, 49746, 49751), UNIFIEDLAYER-AS-1US, United States
   |    signatures: System process connects to network (likely due to code injection or exploit);
   |                Wscript starts Powershell (via cmd or directly); Very long command line found; 2 other signatures
   |    |- 20 powershell.exe
   |    |    network: srbizasrbe.org 37.48.104.198 (ports 443, 49747, 49748), LEASEWEB-NL-AMS-01, Netherlands; www.srbizasrbe.org
   |    |    signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
   |    |    |- 33 RegAsm.exe
   |    |    |    dropped: C:\Users\user\AppData\Roaming\...\remcos.exe (PE32); C:\Users\user\AppData\Local\...\install.vbs (data)
   |    |    |    signatures: Contains functionality to steal Chrome passwords or cookies;
   |    |    |                Contains functionality to inject code into remote processes;
   |    |    |                Contains functionality to steal Firefox passwords or cookies; Delayed program exit found
   |    |    |    |- 45 wscript.exe
   |    |    |         signatures: Wscript starts Powershell (via cmd or directly)
   |    |    |         |- 48 cmd.exe
   |    |    |              |- 50 remcos.exe
   |    |    |              |- 52 conhost.exe
   |    |    |- 37 conhost.exe
   |    |- 24 cmd.exe
   |         dropped: C:\Users\user\Music\Protected.vbs (ASCII)
   |         signatures: Command shell drops VBS files
   |         |- 39 conhost.exe
   |- 14 wscript.exe
   |    network: 192.168.2.1 (unknown)
   |    |- 27 powershell.exe
   |         network: www.srbizasrbe.org
   |         |- 41 conhost.exe
   |- 16 wscript.exe
   |    |- 29 powershell.exe
   |         network: www.srbizasrbe.org
   |         |- 43 conhost.exe
   |- 18 (2 other processes)
        |- 31 conhost.exe
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour:
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Enumerates physical storage devices
  - Drops file in Windows directory
  - Checks computer location settings
  - Blocklisted process makes network request

Result
Malware family:
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
