MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a549ff6df2c758aaf25162d062493daaa8360f831e64a1505ce05f33d5d57d7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 7



SHA256 hash: a549ff6df2c758aaf25162d062493daaa8360f831e64a1505ce05f33d5d57d7f
SHA3-384 hash: 2e7f7a398e3c0f08339f5731b66fb8fe3ca789b7781b8871529367c334271b68293c847d8bc4ee58471f92bddaf84605
SHA1 hash: 8f5563ae70b12e870481df16dae82466418258ae
MD5 hash: fa64c8d30fd19ecd3875d7a1d2c2285d
humanhash: river-pasta-network-spring
File name: Document 234352313893.vbs
Signature: RemcosRAT
File size: 2'588 bytes
First seen: 2022-03-03 09:35:06 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 48:HgO2+8NmBCfaQmx2ICcIAlig1uo/e/A7naNG0QG1AyzqqpykVEjGP0BdO:HgO2+8NmBCSQmAIVIA9uo/e/A7nYASkC
Threatray: 1'044 similar samples on MalwareBazaar
TLSH: T1DD510E0E3003B06E79326EE2FC0B546D95716756E37980A07A0CD7D50E3666CEF82D9D
Reporter: abuse_ch
Tags: RemcosRAT vbs

Intelligence


File Origin
# of uploads: 1
# of downloads: 192
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: UNKNOWN

Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Command shell drops VBS files
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
DLL side loading technique detected
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Very long command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Costura Assembly Loader
Yara detected Remcos RAT
Behaviour
Behavior Graph (ID 582716; sample Document 234352313893.vbs; start date 03/03/2022; architecture WINDOWS; score 100). The rendered graph is reproduced below as a process tree: "dnsIp" lines give the contacted host, IP, ports and ASN exactly as listed, "dropped" lines the files written, and "signatures" the sandbox findings attached to that process.

Sample-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures.

wscript.exe (node 8)
    dnsIp: kastex.me 192.185.199.45, 443, 49731, 49767 UNIFIEDLAYER-AS-1US United States
    signatures: System process connects to network (likely due to code injection or exploit); Wscript starts Powershell (via cmd or directly); Very long command line found; 2 other signatures
    -> powershell.exe (node 16)
        dnsIp: meonhanong.com 103.90.233.184, 443, 49758, 49786 WEBPANDA-AS-VNCongtyTNHHWebPandaVN Viet Nam
        dropped: C:\Users\user\AppData\...\AgileDotNetRT64.dll, PE32+
        signatures: Writes to foreign memory regions; DLL side loading technique detected; Injects a PE file into a foreign processes; Powershell drops PE file
        -> RegAsm.exe (node 27)
            dnsIp: alliedtrade54321.ddns.net 185.29.9.48, 49788, 49800, 49803 DATACLUB-SE European Union
            signatures: Contains functionality to steal Chrome passwords or cookies; Contains functionality to inject code into remote processes; Contains functionality to steal Firefox passwords or cookies; 2 other signatures
            -> RegAsm.exe (node 43)
            -> RegAsm.exe (node 45)
            -> RegAsm.exe (node 47)
        -> conhost.exe (node 31)
    -> cmd.exe (node 21)
        dropped: Document 234352313...vbs:Zone.Identifier, ASCII; C:\Users\user\...\Document 234352313893.vbs, ASCII
        signatures: Command shell drops VBS files
        -> conhost.exe (node 33)
wscript.exe (node 12)
    -> powershell.exe (node 23)
        -> conhost.exe (node 35)
        -> RegAsm.exe (node 37)
wscript.exe (node 14)
    dnsIp: 192.168.2.1 unknown unknown
    -> powershell.exe (node 25)
        -> conhost.exe (node 39)
        -> RegAsm.exe (node 41)
Threat name: Script-WScript.Trojan.Heuristic
Status: Malicious
First seen: 2022-03-03 09:36:08 UTC
File Type: Text (VBS)
AV detection: 10 of 42 (23.81%)
Threat level: 2/5

Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:march rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Remcos
Malware Config
C2 Extraction:
alliedtrade54321.ddns.net:8578
Please note that we are no longer able to provide a coverage score for Virus Total.
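The sandbox chain recorded above (wscript.exe spawning powershell.exe and cmd.exe, powershell.exe dropping AgileDotNetRT64.dll and launching RegAsm.exe, and RegAsm.exe resolving the extracted C2 host) together with the hashes and C2 extraction in this entry can be turned into a small detection. The following is an added example, not code from MalwareBazaar or any of the vendors listed: it applies the entry's hashes, domains, IP, port and dropped DLL name to a handful of constructed Sysmon-style events. The event dict schema, rule names, file paths and the sample events themselves are assumptions made for the example; only the indicators come from the entry.

```python
"""
Added example, not code from MalwareBazaar or any listed vendor: a small
detector that applies this entry's IOCs and sandbox process chain to a
handful of constructed Sysmon-style events.  The event schema (the dicts
below), the rule names, the file paths and the sample events are
assumptions made for the example; the hashes, domains, IP, port and
dropped DLL name are taken from the entry.
"""
import hashlib

# Hashes of the submitted sample (from the entry).
SAMPLE_HASHES = {
    "md5": "fa64c8d30fd19ecd3875d7a1d2c2285d",
    "sha1": "8f5563ae70b12e870481df16dae82466418258ae",
    "sha256": "a549ff6df2c758aaf25162d062493daaa8360f831e64a1505ce05f33d5d57d7f",
}
# Hosts contacted in the sandbox run plus the extracted C2 port.
C2_DOMAINS = {"alliedtrade54321.ddns.net", "kastex.me", "meonhanong.com"}
C2_PORT = 8578
# PE dropped by PowerShell before the RegAsm.exe injection.
DROPPED_DLL = "agiledotnetrt64.dll"
# Parent -> child pairs read off the behavior graph (compared case-insensitively).
SUSPICIOUS_CHAINS = {
    ("wscript.exe", "powershell.exe"),
    ("wscript.exe", "cmd.exe"),
    ("powershell.exe", "regasm.exe"),
}


def basename(path):
    """Case-folded final component of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def match_hashes(data):
    """Return the algorithms for which the bytes `data` hash to the sample."""
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    return sorted(a for a, d in digests.items() if SAMPLE_HASHES[a] == d)


def detect(events):
    """Return (rule, detail) findings for a list of event dicts (assumed schema)."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            pair = (basename(ev["parent_image"]), basename(ev["image"]))
            if pair in SUSPICIOUS_CHAINS:
                findings.append(("process_chain", f"{pair[0]} -> {pair[1]}"))
        elif kind == "file_stream_hash":
            # Sysmon event 15 style: the file is hashed when an alternate data
            # stream such as Zone.Identifier is written to it.
            for algo, digest in ev["hashes"].items():
                if SAMPLE_HASHES.get(algo) == digest.lower():
                    findings.append(("known_hash", f"{algo} {basename(ev['target'])}"))
        elif kind == "dns_query":
            if ev["query"].lower().rstrip(".") in C2_DOMAINS:
                findings.append(("c2_domain", f"{basename(ev['image'])} -> {ev['query']}"))
        elif kind == "network_connect":
            if ev["dest_port"] == C2_PORT and basename(ev["image"]) == "regasm.exe":
                findings.append(("c2_port", f"regasm.exe -> {ev['dest_ip']}:{ev['dest_port']}"))
        elif kind == "file_create":
            if basename(ev["target"]) == DROPPED_DLL:
                findings.append(("dropped_dll", ev["target"]))
    return findings


# Constructed events modelled on the sandbox chain (paths are illustrative;
# the entry elides the real drop directory).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
SAMPLE_EVENTS = [
    {"type": "file_stream_hash", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\user\Downloads\Document 234352313893.vbs",
     "hashes": {"sha256": SAMPLE_HASHES["sha256"]}},
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe"},
    {"type": "process_create", "parent_image": r"C:\Windows\System32\wscript.exe", "image": PS},
    {"type": "process_create", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "dns_query", "image": PS, "query": "meonhanong.com"},
    {"type": "file_create", "image": PS, "target": r"C:\Users\user\AppData\example\AgileDotNetRT64.dll"},
    {"type": "process_create", "parent_image": PS, "image": REGASM},
    {"type": "dns_query", "image": REGASM, "query": "alliedtrade54321.ddns.net"},
    {"type": "network_connect", "image": REGASM, "dest_ip": "185.29.9.48", "dest_port": 8578},
    # Benign control: an interactive PowerShell launched from Explorer.
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe", "image": PS},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:14} {detail}")
```

In a real deployment the five event kinds map to Sysmon event IDs 1 (process create), 11 (file create), 15 (file stream hash), 22 (DNS query) and 3 (network connect). The hash, the ddns.net host and the IP are the cheapest indicators for the operator to rotate, so the parent-child pairs (wscript.exe launching powershell.exe, powershell.exe launching RegAsm.exe) are the part of this rule worth keeping after the entry's own IOCs have aged.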
