MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a22fb5a6beb7587e89ed509ba36d193070c2cb7ef5cc9cb2393823037265c39b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 9



SHA256 hash: a22fb5a6beb7587e89ed509ba36d193070c2cb7ef5cc9cb2393823037265c39b
SHA3-384 hash: da9dda9ab19e151137a40117bb4755793d3e55e23275a1d732ac69cb07470e0e1a19c93123c62916db243aae0aa4b91d
SHA1 hash: dedcbb524e3fa621b716fbb4f4dea800e6279e1a
MD5 hash: d68363e3776ef2ea3277d9b24edd935b
humanhash: pluto-fix-bacon-jupiter
File name: DHLShippingInvoicesAwbBL000000000102220242247.vbs
Signature RemcosRAT
File size: 517'176 bytes
First seen: 2024-10-22 04:15:10 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 1536:errrrrrrrrrrrrrrrr166666666666666666666666666666666666666666666z:O
Threatray: 1'252 similar samples on MalwareBazaar
TLSH: T1A6B49A0B66EF5508B1B76F586A7250780B677E5E99BCC69C01CCA41E0FE3A40C961BF3
TrID: 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1); 33.3% (.MP3) MP3 audio (1000/1)
Magika: mp3
Reporter: abuse_ch
Tags: RAT RemcosRAT vbs


abuse_ch
RemcosRAT C2:
43.226.229.232:57484

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
43.226.229.232:57484 | https://threatfox.abuse.ch/ioc/1338538/

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 151
Origin country: NL
Vendor Threat Intelligence
Verdict: Malicious
Score: 97.4%
Tags: Powershell Gumen Lien
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: masquerade powershell
Result
Verdict: SUSPICIOUS
Result
Threat name:
Detection: malicious
Classification: rans.spre.phis.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Delayed program exit found
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Self deletion via cmd or bat file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Copy file to startup via Powershell
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Behavior Graph (ID 1539088; sample DHLShippingInvoicesAwbBL000...; start date 22/10/2024; architecture WINDOWS; score 100): process tree and network graph not reproduced here.
Result
Malware family: n/a
Score: 10/10
Tags: discovery execution
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Malware Config
Dropper Extraction:
https://drive.google.com/uc?export=download&id=
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments