MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af9eb52fefdaea155d5129eea96e10a4b99a5538a4ea0f3c9d5c2a926d3d968e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af9eb52fefdaea155d5129eea96e10a4b99a5538a4ea0f3c9d5c2a926d3d968e
SHA3-384 hash: 5ca72e4e5f8d7ab98e682291f8d431f8d6a2e1cdd2c44642eb2bcb9a503565bf540aec726d0064d98d90a8bf701fac83
SHA1 hash: cee798f3659d48d0856642a39565b2ad09038533
MD5 hash: 80c3a4c5c220adce769d0e8c2dff063d
humanhash: idaho-red-diet-delaware
File name:80c3a4c5c220adce769d0e8c2dff063d.hta
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:117'552 bytes
First seen:2024-08-22 05:59:38 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 48:7oa+apd7Ah23jfBzepPYyHArGBzepPYyHArFeNG4CsHGDjpyUsg7kfOjJCFZkzaj:Ea+M7IYPYx4SDtig7UOVyYC8AT
TLSH T118B3A9A1EE308CCCFBDC4AA3B6FC69CC321C976B97062E66416B3952DC2530C91D1665
Reporter abuse_ch
Tags:hta RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
139
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.VBS.Heur.Asthma.2.761E23E4.Gen.17594.14986.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66c6d3e6b2a4681a7296756e
Tags:
Execution Exploit Generic Network Stealth W97m
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/af9eb52fefdaea155d5129eea96e10a4b99a5538a4ea0f3c9d5c2a926d3d968e/results/dashboard
Payload URLs
URL
File name
http://192.3.193.155/M1908T/csrss.exe
HTA File
Behaviour
BlacklistAPI detected
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/66c6d3e6aa12eb10615f65e9/reports/1c407ee4-1239-446e-96ad-b1d63a850745/overview
Verdict:
Malicious
Labled as:
VBS.Asthma.2.761E23E4
Link:
https://www.hybrid-analysis.com/sample/af9eb52fefdaea155d5129eea96e10a4b99a5538a4ea0f3c9d5c2a926d3d968e
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
Cobalt Strike
Create hunting rule
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1497204
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
Detected Cobalt Strike Beacon
Loading BitLocker PowerShell Module
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious MSHTA Child Process
Suspicious command line found
Suspicious powershell command line found
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1497204 Sample: eGe0lkpnYx.hta Startdate: 22/08/2024 Architecture: WINDOWS Score: 100 35 Multi AV Scanner detection for domain / URL 2->35 37 Antivirus detection for URL or domain 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 4 other signatures 2->41 9 mshta.exe 1 2->9         started        process3 signatures4 43 Suspicious command line found 9->43 45 PowerShell case anomaly found 9->45 12 cmd.exe 1 9->12         started        process5 signatures6 47 Detected Cobalt Strike Beacon 12->47 49 Suspicious powershell command line found 12->49 51 PowerShell case anomaly found 12->51 15 powershell.exe 42 12->15         started        20 conhost.exe 12->20         started        process7 dnsIp8 31 192.3.193.155, 49711, 80 AS-COLOCROSSINGUS United States 15->31 27 C:\Users\user\AppData\...\4ebnccia.cmdline, Unicode 15->27 dropped 33 Loading BitLocker PowerShell Module 15->33 22 csc.exe 3 15->22         started        file9 signatures10 process11 file12 29 C:\Users\user\AppData\Local\...\4ebnccia.dll, PE32 22->29 dropped 25 cvtres.exe 1 22->25         started        process13
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/af9eb52fefdaea155d5129eea96e10a4b99a5538a4ea0f3c9d5c2a926d3d968e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/af9eb52fefdaea155d5129eea96e10a4b99a5538a4ea0f3c9d5c2a926d3d968e/
Threat name:
Document-HTML.Trojan.Remcos
Create hunting rule
Status:
Suspicious
First seen:
2024-08-20 06:14:09 UTC
File Type:
Text
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v6plkl7p3lvbkxkrfhxks3qqus4zuvjyutva6pe5lqvje3j5s2ha._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution
Link:
https://tria.ge/reports/240822-gqb75ssaqd/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Blocklisted process makes network request
Evasion via Device Credential Deployment
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/af9eb52fefda/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/af9eb52fefdaea155d5129eea96e10a4b99a5538a4ea0f3c9d5c2a926d3d968e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

HTML Application (hta) hta af9eb52fefdaea155d5129eea96e10a4b99a5538a4ea0f3c9d5c2a926d3d968e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3119851/
  
Delivery method
Distributed via web download

Comments