MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a764c6795dcb5630fd8509cef2b3d2797bddf1c88089f94e3969694f0d059e15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a764c6795dcb5630fd8509cef2b3d2797bddf1c88089f94e3969694f0d059e15
SHA3-384 hash: 1011ce7ea745c154b9a0dfc2799ef8396f76118be431c05a1ab067888a0061d17a015ca1121370dde7e762a7ad14534a
SHA1 hash: ce09ade5a3b35e4830ecac85e560e27ead65abcb
MD5 hash: 14e0040cc516276674e4294e31f0cfeb
humanhash: mirror-golf-carolina-william
File name:COSCO HBL Shipping Documents.vbs
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:5'978'386 bytes
First seen:2025-10-14 13:36:36 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 384:cvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvg:AVEgFjE5VwsBAnQmmmmmmmmmmmmmG
Threatray 1'589 similar samples on MalwareBazaar
TLSH T15E56C6AFC9B526ED7AC8013CF6377D3568573CA496BD69D230A34EEE1B459241C022F2
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika unknown
Reporter abuse_ch
Tags:RemcosRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
43
Origin country :
SE SE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/32714/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68ee523004e22ce9acda00b9
Tags:
obfuscate xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 masquerade obfuscated powershell
Link:
https://www.filescan.io/uploads/68ee5290275d977204b67caf/reports/38030f60-0880-4ba8-9b43-fef432ce9940/overview
Verdict:
Malicious
Labled as:
GT:VB.Honolulu.1
Link:
https://www.hybrid-analysis.com/sample/a764c6795dcb5630fd8509cef2b3d2797bddf1c88089f94e3969694f0d059e15
Verdict:
Malicious
File Type:
unknown
First seen:
2025-10-14T03:46:00Z UTC
Last seen:
2025-10-15T22:49:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/a764c6795dcb5630fd8509cef2b3d2797bddf1c88089f94e3969694f0d059e15/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1794880
Signature
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1794880 Sample: COSCO HBL Shipping Documents.vbs Startdate: 14/10/2025 Architecture: WINDOWS Score: 100 26 pastebin.com 2->26 28 rentry.org 2->28 34 Malicious sample detected (through community Yara rule) 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 Yara detected Powershell download and execute 2->38 42 7 other signatures 2->42 9 wscript.exe 1 2->9         started        signatures3 40 Connects to a pastebin service (likely for C&C) 26->40 process4 signatures5 46 Suspicious powershell command line found 9->46 48 Wscript starts Powershell (via cmd or directly) 9->48 50 Windows Scripting host queries suspicious COM object (likely to drop second stage) 9->50 52 Suspicious execution chain found 9->52 12 powershell.exe 7 9->12         started        process6 signatures7 54 Suspicious powershell command line found 12->54 56 Encrypted powershell cmdline option found 12->56 58 Bypasses PowerShell execution policy 12->58 60 Found suspicious powershell code related to unpacking or dynamic code loading 12->60 15 powershell.exe 14 18 12->15         started        19 conhost.exe 12->19         started        process8 dnsIp9 30 rentry.org 164.132.58.105, 443, 49696 OVHFR France 15->30 32 pastebin.com 104.20.29.150, 443, 49695 CLOUDFLARENETUS United States 15->32 24 C:\Users\user\AppData\Local\Temp\nAvER.ps1, Unicode 15->24 dropped 21 powershell.exe 11 15->21         started        file10 process11 signatures12 44 Potential dropper URLs found in powershell memory 21->44
Score:
98%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/a764c6795dcb5630fd8509cef2b3d2797bddf1c88089f94e3969694f0d059e15
Gathering data
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a764c6795dcb5630fd8509cef2b3d2797bddf1c88089f94e3969694f0d059e15/
Threat name:
Win32.Trojan.Honolulu
Create hunting rule
Status:
Malicious
First seen:
2025-10-14 11:41:24 UTC
File Type:
Binary
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u5smm6k5znldb7mfbhhpfm6spf5534oiqce7strznfuu6diftykq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
029a67953833635a2dd1ce8b836d312737ad032b4068e5c7417192544f336c60
RemcosRAT
18b2c9711740a6bc733cd4b1000c563905eacc7c698e946f31c69cf90a0ab0bf
RemcosRAT
4245e415209b1f13c215b623c3ccf1020d1e01e7ac9084a2f20d7a1abf79834a
RemcosRAT
540ec378cbd516ca43ee050f1cde867abee50480e3b33bb216af9dd4b98cf1f4
RemcosRAT
6420f123d8cfbc66464721f3871561242a8b6db462b85ad3f444d8c938267c5e
RemcosRAT
b5d0552aa20ae4bec3f41829abfb9e3b797512bcc9cdb9e6454b63f6a6727cea
RemcosRAT
error
RemcosRAT
f9040a4e04ed7681ad1fbcd20d52f0b4393652ad64ba0006cb1b3968f0d5e851
RemcosRAT
+ 1'579 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery execution
Link:
https://tria.ge/reports/251014-qx66jaar4t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Command and Scripting Interpreter: PowerShell
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Badlisted process makes network request
Malware Config
Dropper Extraction:
https://pastebin.com/raw/jgKWLc0S
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/32714/

Comments