MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7cd7840de7c9286335721dbd14ca25849599e290f2fcfcbcffd1daf678663dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b7cd7840de7c9286335721dbd14ca25849599e290f2fcfcbcffd1daf678663dd
SHA3-384 hash: 8ba13d3649084361742614ed8530173e8afe555f260e5bd427f6cdd18386d689b4d6151a30874e12254f69bb08d1826d
SHA1 hash: 57c0f9bb6134c4cd09b3ce1f1356b6c06a8c1861
MD5 hash: 216014f72f66557c54d21bfb8ff4b443
humanhash: white-wolfram-march-three
File name:c1.hta
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:3'445 bytes
First seen:2025-01-16 09:31:35 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 48:zOhhqnDjVJ9EAJtQWFUR/CZNOiPiZvJklJNA/kjw2K4DhEHP//w/CO:zkqnDjVJ9DJpZ0aiZvqQk02K4m//S
TLSH T1A5618322E9AEBC94473973700809299AE3C70B1357615B09FCDF241FEF78610E34AA9D
Magika vba
Reporter abuse_ch
Tags:hta RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
101
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
PUA.Win.Trojan.Script-44
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6788d217aa9c8e7858df0339
Tags:
obfuscate xtreme shell
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/b7cd7840de7c9286335721dbd14ca25849599e290f2fcfcbcffd1daf678663dd/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6788d217d9291dce66757bd9/reports/d3382699-d789-4abe-9756-828d40e5709f/overview
Verdict:
Malicious
Labled as:
GT:VB.Downloader.14
Link:
https://www.hybrid-analysis.com/sample/b7cd7840de7c9286335721dbd14ca25849599e290f2fcfcbcffd1daf678663dd
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1592601
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious MSHTA Child Process
Behaviour
Behavior Graph:
Download SVG
Score:
1%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/b7cd7840de7c9286335721dbd14ca25849599e290f2fcfcbcffd1daf678663dd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b7cd7840de7c9286335721dbd14ca25849599e290f2fcfcbcffd1daf678663dd/
Threat name:
Win32.Downloader.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-01-16 09:32:03 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
6 of 24 (25.00%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w7gxqqg6psjimm2xehn5ctfclbevthrjb4x47s6p7uo26z4gmpoq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery
Link:
https://tria.ge/reports/250116-lhlttstngs/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/b7cd7840de7c9286335721dbd14ca25849599e290f2fcfcbcffd1daf678663dd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

HTML Application (hta) hta b7cd7840de7c9286335721dbd14ca25849599e290f2fcfcbcffd1daf678663dd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3390124/
  
Delivery method
Distributed via web download

Comments