MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b53db8cda884be522adeb2f293a41fa80fa2522b3c2eedb1ed20841c5a41d716. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 7

Intelligence 7 IOCs YARA 6 File information Comments

SHA256 hash:	b53db8cda884be522adeb2f293a41fa80fa2522b3c2eedb1ed20841c5a41d716
SHA3-384 hash:	1fd21b12298ba9b885dcedff6559293c65fed44227f2e3f3add389a7b7216e1247ad06d473d72bfdc97772e4d16e8cbb
SHA1 hash:	d42e0c20ec82ee74aa93dc868e92d5c5c2c44a27
MD5 hash:	42dbc170a1295f086765253132ed14de
humanhash:	eleven-don-nevada-mobile
File name:	databook.vbs
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	2'772 bytes
First seen:	2022-02-10 18:54:02 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	48:w4hamNkb+4psQjdwNmwUFJP0Wp/IIg1HQAYBOq08mi6kp+LL7l0Kn:rsLzps5Nmw+0CIIgOASdZQLLRNn
Threatray	1'000 similar samples on MalwareBazaar
TLSH	T1E151405F2047E03996A71AF9AD0F443DB1A5856A627CC8517A0CC7E00F3843DEBC69AE
Reporter	James_inthe_box
Tags:	RemcosRAT vbs

Intelligence

File Origin

# of uploads :

# of downloads :

317

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/240734/

Detection(s):

SecuriteInfo.com.Trojan.VBS.SAgent.gen.7962.27425.UNOFFICIAL

Result

Verdict:

UNKNOWN

Result

Threat name:

Remcos

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/937917

Signature

Command shell drops VBS files

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

DLL side loading technique detected

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Powershell drops PE file

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

System process connects to network (likely due to code injection or exploit)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Very long command line found

Writes or reads registry keys via WMI

Writes registry values via WMI

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected Remcos RAT

Yara detected WebBrowserPassView password recovery tool

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/b53db8cda884be522adeb2f293a41fa80fa2522b3c2eedb1ed20841c5a41d716/

Threat name:

Script-WScript.Trojan.Heuristic

Status:

Malicious

First seen:

2022-02-10 18:54:03 UTC

File Type:

Text (VBS)

AV detection:

9 of 28 (32.14%)

Threat level:

2/5

Verdict:

malicious

Label(s):

remcos

RemcosRAT

1647393d7971b61b15821198c9acb29501e0698e785d69d8d4de46b0c98952ec

RemcosRAT

4462d72d344373067a4a0556c1ef87e3fb07d8b1de7a5baa4580c3ed2b4d37c4

RemcosRAT

51bf9ff43b1aedfebfcf03c71e5bba10a6704b2cf4503e5bbe680221652cc458

RemcosRAT

7228634bbebee87d96a088337f7b0e59645e84561d1e658bc67ccf0fed6d6b80

RemcosRAT

a29b298d47a77ebcdd68e8ca81538d15ef1f53f0ef4ee6041603ef68987bc26b

RemcosRAT

a9b10a2ccd5b3085f4819cbec9c14b63d6111198691b8e99c621dce2060fe4d9

RemcosRAT

b1c5e602c1646d6f3d05c37e301c7b808b21e3128fea2687821b1348f41a892d

RemcosRAT

b9f8a72e66d7208d3dda09ed8a4d654466b46013251cb868d36c56cd521905a1

RemcosRAT

fddfa27a56eb44a653c6d5d7947d62415896a15da7cbd4cf8e7b72334e6f0833

RemcosRAT

+ 990 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:shiesty collection rat spyware stealer

Link:

https://tria.ge/reports/220210-xj7y8sagap/

Behaviour

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook accounts

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Remcos

Malware Config

C2 Extraction:

shiestynerd.dvrlists.com:10174

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/b53db8cda884/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	downloader_macros Create hunting rule
Author:	ddvvmmzz
Description:	downloader macros

Rule name:	exec_macros Create hunting rule
Author:	ddvvmmzz
Description:	exec macros

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	obfuscate_macros Create hunting rule
Author:	ddvvmmzz
Description:	obfuscate macros

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

URLhaus

https://urlhaus.abuse.ch/url/2039785/

Cape

https://www.capesandbox.com/analysis/240734/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample