MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aea9253a5f1a4e0f59325f84c015b3980a1573e1873643fce09e084a76e0047b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aea9253a5f1a4e0f59325f84c015b3980a1573e1873643fce09e084a76e0047b
SHA3-384 hash: eea0becdc29e8e9b65a775598653a314632e9c471feb1bda1c36a794c075d1fa4e22b7b662b676faeb72a679070b1784
SHA1 hash: 5539d4f53c0606ce688636221c440b4b53c23ed6
MD5 hash: c68d7836e2c6c8a7a4a633990cae450a
humanhash: burger-foxtrot-march-stream
File name:seemebestthingswhichevermadebybestthingsgodown.hta
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:212'760 bytes
First seen:2024-11-13 08:06:20 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 96:43F97gqxE+VV7TEFVVHGRQKjfJIPEKswcE0EBeEVVjEKQ:43F15xTV7TwVHGRJjkhclBSVjvQ
Threatray 1'023 similar samples on MalwareBazaar
TLSH T1D7248189DE308CDCB7DD5E87B6FCBACA36BC270B87CA1E81414B3482D99935C61C4924
Magika javascript
Reporter abuse_ch
Tags:hta RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.JS.Obfus-95.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673518970552fd58596bb0a9
Tags:
remcos gumen
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/aea9253a5f1a4e0f59325f84c015b3980a1573e1873643fce09e084a76e0047b/results/dashboard
Payload URLs
URL
File name
http://192.3.220.29/66/seemybestgirlthinkingsheisahotchickbutfuvk.tIF
HTA File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/67345e28406b5152907f6c4f/reports/455fd247-c702-4fd3-950e-7bc61285b913/overview
Verdict:
Malicious
Labled as:
GT:JS.Acsogenixx.994
Link:
https://www.hybrid-analysis.com/sample/aea9253a5f1a4e0f59325f84c015b3980a1573e1873643fce09e084a76e0047b
Result
Threat name:
Cobalt Strike, Remcos, HTMLPhisher
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1554968
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Cobalt Strike Beacon
Detected Remcos RAT
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Obfuscated command line found
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Remcos
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected HtmlPhish44
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1554968 Sample: seemebestthingswhichevermad... Startdate: 13/11/2024 Architecture: WINDOWS Score: 100 65 shlobo.duckdns.org 2->65 67 ip.1017.filemail.com 2->67 69 2 other IPs or domains 2->69 87 Suricata IDS alerts for network traffic 2->87 89 Found malware configuration 2->89 91 Malicious sample detected (through community Yara rule) 2->91 95 21 other signatures 2->95 13 mshta.exe 1 2->13         started        signatures3 93 Uses dynamic DNS services 65->93 process4 signatures5 119 Detected Cobalt Strike Beacon 13->119 121 Suspicious powershell command line found 13->121 123 PowerShell case anomaly found 13->123 16 powershell.exe 3 39 13->16         started        process6 dnsIp7 63 192.3.220.29, 49706, 55223, 80 AS-COLOCROSSINGUS United States 16->63 57 seemybestgirlthink...sahotchickbutfu.vbS, Unicode 16->57 dropped 59 C:\Users\user\AppData\...\3n5kvyio.cmdline, Unicode 16->59 dropped 79 Detected Cobalt Strike Beacon 16->79 81 Suspicious powershell command line found 16->81 83 Obfuscated command line found 16->83 85 Found suspicious powershell code related to unpacking or dynamic code loading 16->85 21 wscript.exe 1 16->21         started        24 powershell.exe 21 16->24         started        26 csc.exe 3 16->26         started        29 conhost.exe 16->29         started        file8 signatures9 process10 file11 97 Detected Cobalt Strike Beacon 21->97 99 Suspicious powershell command line found 21->99 101 Wscript starts Powershell (via cmd or directly) 21->101 105 3 other signatures 21->105 31 powershell.exe 7 21->31         started        103 Loading BitLocker PowerShell Module 24->103 61 C:\Users\user\AppData\Local\...\3n5kvyio.dll, PE32 26->61 dropped 34 cvtres.exe 1 26->34         started        signatures12 process13 signatures14 131 Detected Cobalt Strike Beacon 31->131 133 Suspicious powershell command line found 31->133 135 Obfuscated command line found 31->135 36 powershell.exe 15 16 31->36         started        40 conhost.exe 31->40         started        process15 dnsIp16 71 ip.1017.filemail.com 142.215.209.78, 443, 49707 HUMBER-COLLEGECA Canada 36->71 107 Writes to foreign memory regions 36->107 109 Injects a PE file into a foreign processes 36->109 42 CasPol.exe 36->42         started        signatures17 process18 dnsIp19 73 192.3.101.149, 55367, 55368, 6946 AS-COLOCROSSINGUS United States 42->73 75 shlobo.duckdns.org 192.169.69.26, 55224, 55225, 55226 WOWUS United States 42->75 77 geoplugin.net 178.237.33.50, 55369, 80 ATOM86-ASATOM86NL Netherlands 42->77 111 Contains functionality to bypass UAC (CMSTPLUA) 42->111 113 Detected Remcos RAT 42->113 115 Tries to steal Mail credentials (via file registry) 42->115 117 5 other signatures 42->117 46 CasPol.exe 42->46         started        49 CasPol.exe 42->49         started        51 CasPol.exe 42->51         started        53 MpCmdRun.exe 42->53         started        signatures20 process21 signatures22 125 Tries to steal Instant Messenger accounts or passwords 46->125 127 Tries to steal Mail credentials (via file / registry access) 46->127 129 Tries to harvest and steal browser information (history, passwords, etc) 49->129 55 conhost.exe 53->55         started        process23
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/aea9253a5f1a4e0f59325f84c015b3980a1573e1873643fce09e084a76e0047b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aea9253a5f1a4e0f59325f84c015b3980a1573e1873643fce09e084a76e0047b/
Threat name:
Win32.Trojan.Acsogenixx
Create hunting rule
Status:
Malicious
First seen:
2024-11-12 09:00:27 UTC
File Type:
Text
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v2uskos7djha6wjsl6cmafnttafbk47bq43eh7hatyeeu5xaar5q._file
Verdict:
malicious
Label(s):
nirsoft
Create hunting rule
admintool_mailpassview
Create hunting rule
remcos
Create hunting rule
Similar samples:
37749c2d24301276a9b1a9d1b39ab49c3037dd9ed6f1f90e895658a5d0ada16f
RemcosRAT
5772d8ef6cfb846163c13d03211610c277a424242fb64bb74479a9c77db8b1bc
RemcosRAT
76c3b1e7151a1048d4a802f857c3efc2dde24a73698111bcc1dc9907faabc9b8
RemcosRAT
958e5d7947f48f2047ac3c595ee724a916c9969430731091ac1b9fcfaaf65d70
RemcosRAT
b30837eec650fd6729e076dc3c76c2fe324d1c380557dbdd3ba178daeb211377
RemcosRAT
b8f10c23448f6d30808e7e74322ebd4121cf2c589c86cc3b0b57df6c705a867e
RemcosRAT
d07cfaeced4e8bba1c9fdc8006dc80105cf654759c4d74d4d2d2964a0f6e9230
RemcosRAT
d3a32f2258bd5eff952576259dd78a6e73f56d52d07783d4fbc3ffd966549950
RemcosRAT
de8a9c273adc8bd2c615a7e09c87cb8b9cfc38ef6317bfa435b4a3474f1b670f
RemcosRAT
error
RemcosRAT
+ 1'013 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost defense_evasion discovery execution rat
Link:
https://tria.ge/reports/241113-jzze5syblp/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Evasion via Device Credential Deployment
Remcos
Remcos family
Malware Config
C2 Extraction:
shlobo.duckdns.org:6946
Dropper Extraction:
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/aea9253a5f1a4e0f59325f84c015b3980a1573e1873643fce09e084a76e0047b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

HTML Application (hta) hta aea9253a5f1a4e0f59325f84c015b3980a1573e1873643fce09e084a76e0047b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3288779/
  
Delivery method
Distributed via web download

Comments