MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3e1a441845d5db54c8b20222f61259157d96a5c681ca893640d737b546e5420. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	b3e1a441845d5db54c8b20222f61259157d96a5c681ca893640d737b546e5420
SHA3-384 hash:	e776b2576a35e18cb4f0a8dbbe5f9d67f1e7242a9d8914af571d3bf0b062d84c118579c6413c31ec7fdc9bfe70960933
SHA1 hash:	58c64c7b6c9bf265ecb03303ff79c845637ab690
MD5 hash:	b5e360bf48a072a8fd3d9d80ffcb4151
humanhash:	massachusetts-enemy-winter-dakota
File name:	SOA -R700087220.vbs
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	59'988 bytes
First seen:	2025-08-26 14:34:56 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	1536:fuHuU5+t4M/E8u6z8McVoqkAeuh5C6Vim1hiIacJmX1Bh5higvIKsXu54guD8CIA:zo8u6z8McVoqkAeuh5C6Vim1hiIacJmG
Threatray	1'412 similar samples on MalwareBazaar
TLSH	T10643410AD353255BC4C3AF839FD611FCF4B0D99B60EEDC603A7A479529E386082745E6
Magika	vba
Reporter	abuse_ch
Tags:	RemcosRAT vbs

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/23683/

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68adc6453e988eb6ab82c41b

Tags:

obfuscate xtreme spawn

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 evasive obfuscated obfuscated opendir opendir powershell

Link:

https://www.filescan.io/uploads/68adc66128a89d9dd4f49874/reports/aab465e2-7808-4076-bb21-dd32acce3739/overview

Verdict:

Malicious

Labled as:

Valyria

Link:

https://www.hybrid-analysis.com/sample/b3e1a441845d5db54c8b20222f61259157d96a5c681ca893640d737b546e5420

Verdict:

Malicious

File Type:

vbs

First seen:

2025-08-26T07:37:00Z UTC

Last seen:

2025-08-26T07:37:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/b3e1a441845d5db54c8b20222f61259157d96a5c681ca893640d737b546e5420/results?tab=lookup

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1765482

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to bypass UAC (CMSTPLUA)

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Creates processes via WMI

Detected Remcos RAT

Found malware configuration

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Remcos

Sigma detected: WScript or CScript Dropper

Suricata IDS alerts for network traffic

Suspicious execution chain found

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected Powershell download and execute

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Score:

37%

Verdict:

Susipicious

File Type:

SCRIPT

Link:

https://malprob.io/report/b3e1a441845d5db54c8b20222f61259157d96a5c681ca893640d737b546e5420

Verdict:

Malware

YARA:

1 match(es)

Tags:

Batch Command DeObfuscated PowerShell PowerShell Call Scripting.FileSystemObject SMTPControl.SMTP VBScript

Link:

https://app.malva.re/file/b5e360bf48a072a8fd3d9d80ffcb4151

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/b3e1a441845d5db54c8b20222f61259157d96a5c681ca893640d737b546e5420/

Threat name:

Script-WScript.Backdoor.Remcos

Status:

Malicious

First seen:

2025-08-26 14:36:34 UTC

File Type:

Text (VBS)

AV detection:

10 of 24 (41.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wpq2iqmelvo3ktelearc6yjfsfl5s2s4naokre3ebvzxwvdokqqa._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

567f768cff1b5969e082271fd31ed9bd6d1b264ba2f2525937e12006a5569977

RemcosRAT

6bc677ac4c36cb99e3170edb2b29b8e8b47399a2896f8f0c6fa998b4337bcf35

RemcosRAT

b913d0ba4c81312099d6776c0c0806486254be12e7b0cb0ce19b9fa9203397f3

RemcosRAT

c208d8d0493c60f14172acb4549dcb394d2b92d30bcae4880e66df3c3a7100e4

RemcosRAT

d58ef7f6352296a5f9052e5bb522a0556037f373b27dd1bf4c53a521f0f7a0a8

RemcosRAT

dacfee8b1805f6536369bf401c7104946429f2e68c4e7143b60d9153b23c7c76

RemcosRAT

e119c6c5485307075a1e5d0950a77f978f7f17e23c315ed8c38cc1259b8af26f

RemcosRAT

error

RemcosRAT

+ 1'402 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos defense_evasion discovery execution rat

Link:

https://tria.ge/reports/250826-ryt32ahj2w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Badlisted process makes network request

Command and Scripting Interpreter: PowerShell

Modifies trusted root certificate store through registry

Process spawned unexpected child process

Remcos

Remcos family

Malware Config

C2 Extraction:

45.221.64.233:465

Dropper Extraction:

http://192.3.177.152/xampp/optimized_MSI.png

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b3e1a441845d5db54c8b20222f61259157d96a5c681ca893640d737b546e5420

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/23683/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample