MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3a71e6ac378c9425869f8d4dc55ef5e0e58ccf60dc4ec6db33c3b21a92f4169. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b3a71e6ac378c9425869f8d4dc55ef5e0e58ccf60dc4ec6db33c3b21a92f4169
SHA3-384 hash: a854ec87d86d9b67dadf2a76bc7e2a16d15fdc41f12546e0faed8ec3e5ed8399a4b7ac75c5fabb7f5956d873c2b6906f
SHA1 hash: 2e44eaa64e54682cb6c9267ed490efa13b115f61
MD5 hash: c3703151097d465870edc2c2adfb7576
humanhash: friend-charlie-ceiling-eight
File name:bestdreamchaningwithbetterpower.hta
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:2'068 bytes
First seen:2025-06-28 15:31:24 UTC
Last seen:2025-09-10 13:04:50 UTC
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 24:hPg2Cw2dSATchn2zy7NDfl4Q3VtR9u9I/7VEUCE7MpNypwynFpMCO:tg2xqSfsy7ZqQFtTu9E7VEpE47aFiCO
Threatray 1'176 similar samples on MalwareBazaar
TLSH T184417A13CC44818C12B3A8B338DBC185F0F649E3C9A6AC25B94E98329F353CF96F9456
Magika vba
Reporter abuse_ch
Tags:hta LOSTINSPACE newstartnewjournyevamygirllovesalotwithm-duckdns-org RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.HTA.Agent-E.14468.22716.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68600b040fceda814b46984d
Tags:
obfuscate xtreme shell
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/b3a71e6ac378c9425869f8d4dc55ef5e0e58ccf60dc4ec6db33c3b21a92f4169/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Labled as:
HTML/TrojanDropper.Agent
Link:
https://www.hybrid-analysis.com/sample/b3a71e6ac378c9425869f8d4dc55ef5e0e58ccf60dc4ec6db33c3b21a92f4169
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1724727
Signature
Command shell drops VBS files
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (suspicious strings)
Sigma detected: Legitimate Application Dropped Script
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
System process connects to network (likely due to code injection or exploit)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected VBS Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Score:
4%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/b3a71e6ac378c9425869f8d4dc55ef5e0e58ccf60dc4ec6db33c3b21a92f4169
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Html
Link:
https://app.malva.re/file/c3703151097d465870edc2c2adfb7576
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b3a71e6ac378c9425869f8d4dc55ef5e0e58ccf60dc4ec6db33c3b21a92f4169/
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-06-27 13:22:51 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
12 of 38 (31.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wotr42wdpdeuewdj7dknyvpplyhfrthwbxcoy3nthq5sdkjpifuq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
04f61412164731dda5c5efc5e6e9275f12f5ff174155dc415a4f86904f023d56
RemcosRAT
4ca09577ca7a54a21f0f823fffeac8b5dd3d10bb9e0df385e4cd8da670b0843a
RemcosRAT
51c00bd17f7b7f85f6ce57210b3bf157343f682754a6d344e84c1a2c789ead0c
RemcosRAT
5e2d7c81dae1f4bf1a7f5b65ee255363d1515c5a8fe01e56a181ce8810daa6c0
RemcosRAT
64d9f08a8e854b56fe3e3ccabe85e9c904f9aeb854b7459af4bc3b4930a69925
RemcosRAT
7833b0e09d016b1e58031179bf80260235c430a31fb109d8b97257057864764e
RemcosRAT
b69b9806518246a9db6ae7d892b6d20b3b2c3381851def105fc5bcb049e717fb
RemcosRAT
d2a87b1b1a1106b874e949e49a55e7e68202eaa84062c270bbf62481bb769a45
RemcosRAT
ddaeb61807b6f61a3819257e0ddf03a455a817b86778c2388bcb520d2d93f9e5
RemcosRAT
error
RemcosRAT
fedadf230b08a70fbe14c66d2ce63a455a72cb03c53e9dd9579a59a881561469
RemcosRAT
+ 1'166 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:evangle collection discovery execution rat
Link:
https://tria.ge/reports/250628-syv6rstmw7/
Behaviour
Delays execution with timeout.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Remcos
Remcos family
Malware Config
C2 Extraction:
newstartnewjournyevamygirllovesalotwithm.duckdns.org:14646
Dropper Extraction:
http://87.106.188.21/xampp/cv/wp4096799-lost-in-space-wallpapers.jpg
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/b3a71e6ac378c9425869f8d4dc55ef5e0e58ccf60dc4ec6db33c3b21a92f4169

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

HTML Application (hta) hta b3a71e6ac378c9425869f8d4dc55ef5e0e58ccf60dc4ec6db33c3b21a92f4169

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3571061/
  
Delivery method
Distributed via web download

Comments