MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0ac37aec0eef942e0ff9c35828584b8d887f951ec13afbd80cdc4ce23595ae4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b0ac37aec0eef942e0ff9c35828584b8d887f951ec13afbd80cdc4ce23595ae4
SHA3-384 hash: e6053062fdd6ac4328a20f1ade67781012144d02ec8b5c2b475664c7387fe8ebf6904f61edfc15b4b75cc0406187acc5
SHA1 hash: 12521eca4ed1a2a18f5bda2c167947ac0afa1797
MD5 hash: b97f7809ec6dc6d0e5f4e0d444082c19
humanhash: bacon-mississippi-bravo-march
File name:Protected Client.vbs
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:2'548 bytes
First seen:2022-02-24 07:57:14 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:XOM/j1YzNmSpP2YG52I/9s7A/zrOnKV/+cxvL2vz+jELAKl8qqHytT:Xt4NmSp4oI1s7A/PgKlZ9L27+YLZlFqS
Threatray 1'024 similar samples on MalwareBazaar
TLSH T1AD51550F7463B53495273BA1EC0FA42ED8B0628771348464BF18A7C44D394ADEBCA9ED
Reporter abuse_ch
Tags:RemcosRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
157
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/244128/
Detection(s):
SecuriteInfo.com.Script.SNH-genTrj.25269.24904.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/945461
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Command shell drops VBS files
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
DLL side loading technique detected
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Powershell drops PE file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
System process connects to network (likely due to code injection or exploit)
Very long command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 577938 Sample: Protected Client.vbs Startdate: 24/02/2022 Architecture: WINDOWS Score: 100 70 Found malware configuration 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 Antivirus detection for URL or domain 2->74 76 3 other signatures 2->76 7 wscript.exe 14 2->7         started        11 wscript.exe 2->11         started        13 wscript.exe 13 2->13         started        process3 dnsIp4 48 kastex.me 192.185.199.45, 443, 49744, 49756 UNIFIEDLAYER-AS-1US United States 7->48 78 System process connects to network (likely due to code injection or exploit) 7->78 80 Wscript starts Powershell (via cmd or directly) 7->80 82 Very long command line found 7->82 84 2 other signatures 7->84 15 powershell.exe 14 22 7->15         started        20 cmd.exe 3 7->20         started        50 192.168.2.1 unknown unknown 11->50 22 powershell.exe 11->22         started        24 powershell.exe 13->24         started        signatures5 process6 dnsIp7 54 kastex.me 15->54 44 C:\Users\user\AppData\...\AgileDotNetRT64.dll, PE32+ 15->44 dropped 60 Writes to foreign memory regions 15->60 62 DLL side loading technique detected 15->62 64 Injects a PE file into a foreign processes 15->64 66 Powershell drops PE file 15->66 26 RegAsm.exe 15->26         started        29 RegAsm.exe 2 2 15->29         started        32 conhost.exe 15->32         started        46 C:\Users\user\Music\Protected Client.vbs, ASCII 20->46 dropped 68 Command shell drops VBS files 20->68 34 conhost.exe 20->34         started        56 kastex.me 22->56 36 conhost.exe 22->36         started        38 RegAsm.exe 22->38         started        58 kastex.me 24->58 40 conhost.exe 24->40         started        42 RegAsm.exe 24->42         started        file8 signatures9 process10 dnsIp11 86 Contains functionality to steal Chrome passwords or cookies 26->86 88 Contains functionality to inject code into remote processes 26->88 90 Contains functionality to steal Firefox passwords or cookies 26->90 92 Delayed program exit found 26->92 52 notme.linkpc.net 194.5.98.127, 4376, 49768 DANILENKODE Netherlands 29->52 94 Installs a global keyboard hook 29->94 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b0ac37aec0eef942e0ff9c35828584b8d887f951ec13afbd80cdc4ce23595ae4/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2022-02-24 07:58:11 UTC
File Type:
Text (VBS)
AV detection:
3 of 43 (6.98%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wcwdplwa534ufyh7tq2yfbmexdmip6kr5qj27pmazxcm4i2zllsa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
6a4b5aab71a352d6ae6140f99a28b0c38df78a8985b3383f1bc424ca74e046fe
RemcosRAT
7228634bbebee87d96a088337f7b0e59645e84561d1e658bc67ccf0fed6d6b80
RemcosRAT
7b5f70276fe64b0ec64ff186af6706b1dbbf2e2dc69e4b1546745b293121116f
RemcosRAT
a29b298d47a77ebcdd68e8ca81538d15ef1f53f0ef4ee6041603ef68987bc26b
RemcosRAT
b1c5e602c1646d6f3d05c37e301c7b808b21e3128fea2687821b1348f41a892d
RemcosRAT
ebf21217cedcf7f1809418985cb120b150b12d2ec955119c73f7c3170b5f2232
RemcosRAT
fddfa27a56eb44a653c6d5d7947d62415896a15da7cbd4cf8e7b72334e6f0833
RemcosRAT
+ 1'014 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:pop rat
Link:
https://tria.ge/reports/220224-jtt88sdfaq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Remcos
Malware Config
C2 Extraction:
notme.linkpc.net:4376
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/b0ac37aec0ee/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b0ac37aec0eef942e0ff9c35828584b8d887f951ec13afbd80cdc4ce23595ae4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/244128/

Comments