MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a895ff58cb18d3a5fa3900d36f150c9a1bd213240f77ef8218fec015d6355825. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a895ff58cb18d3a5fa3900d36f150c9a1bd213240f77ef8218fec015d6355825
SHA3-384 hash: e4210f87208961bbd18a883d1feeb9f16da2ee2d53dfb818f30760b7be391367f6fe21bf3d21d763641b41b6bacb835a
SHA1 hash: 5a1c51ed1b65638f14e61e34e45be28837684707
MD5 hash: 737330ffdb9e1d98bac9d04a5ad5f31c
humanhash: enemy-yankee-venus-pasta
File name:eReceipt.vbs
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'134 bytes
First seen:2021-08-09 14:22:51 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24:APQ1B0355DWjzeArpIqmnAMvAN5STD69P1EI3SDKV:gCjz5rK/AN5SPc1EI3D
Threatray 448 similar samples on MalwareBazaar
TLSH T1D2210028361BF1354945D2C65DFA8A24F7AB62ABC1A41885327CC19C50BF4ED29C7FCE
Reporter abuse_ch
Tags:RemcosRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177615/
Detection(s):
SecuriteInfo.com.VB.Trojan.Valyria.5125.25941.18154.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/829711
Signature
Creates an undocumented autostart registry key
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Suspicious PowerShell Command Line
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a895ff58cb18d3a5fa3900d36f150c9a1bd213240f77ef8218fec015d6355825/
Threat name:
Script.Trojan.Valyria
Create hunting rule
Status:
Malicious
First seen:
2021-08-09 14:23:05 UTC
AV detection:
9 of 46 (19.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vck76wglddj2l6rzadjw6fimtin5eezeb5367aqy73ablvrvlasq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
13f297d03a1dea9495fbd57508fdf3bc1975954ed97338bb4d35adcd9e02536d
RemcosRAT
14448088ae4dd96af8de65e81abbfbdd5493f380e218f8389d2110d1cfbf8299
RemcosRAT
56a430a18e93eee6f709348fba459a6f639c032c7718806c01a6ba522dd704e6
RemcosRAT
87f4a4c323f26710b7acdc123173fa63f4ccb4f3c8239dfaa489ee69ab89f7cc
RemcosRAT
88614f9e923a5d979c64bee190f05f0932bc01f351ded417c59e1b2a92be560b
RemcosRAT
ab59fbf0ee10b8c5428479b1f5dfdb5cfc87dd40407b3742814ab34611f32b1d
RemcosRAT
eeeb29513e624adb88d3c2e9f89379361aa356001dc338cb6ec9034a48bdc2cd
RemcosRAT
f44394f10dd10600a8f25093e76fac442c594ea85debf6bfea0933766529f747
RemcosRAT
+ 438 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat suricata upx
Link:
https://tria.ge/reports/210809-wsk3wlc26e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Blocklisted process makes network request
UPX packed file
Remcos
suricata: ET MALWARE Remocs 3.x Unencrypted Checkin
suricata: ET MALWARE Remocs 3.x Unencrypted Server Response
Malware Config
Dropper Extraction:
http://udriveps.duckdns.org/dashboard/arch/sacre_bleu.txt
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a895ff58cb18/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a895ff58cb18d3a5fa3900d36f150c9a1bd213240f77ef8218fec015d6355825

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Visual Basic Script (vbs) vbs a895ff58cb18d3a5fa3900d36f150c9a1bd213240f77ef8218fec015d6355825

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/177615/

Comments