MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be907e559d6c92bbb3090149503aa9a159bacd22b6093d0cd2e2bf9c1d0f9b4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be907e559d6c92bbb3090149503aa9a159bacd22b6093d0cd2e2bf9c1d0f9b4b
SHA3-384 hash: bb00a30290dda5db4cd5244a0e1f98a8c4a8514b327003a1d973597f1d7af793f98020bd403fdaf8b2e6aa195757201c
SHA1 hash: e38fceadf9ac9faf49a1dee6e3c68c5953a6f85c
MD5 hash: f2956cc8c39b5b95a778779ac75ba0ed
humanhash: texas-mockingbird-mango-speaker
File name:creambungoodforyourchoicetogetmeback.hta
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:133'518 bytes
First seen:2024-10-23 06:05:57 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 96:Eam7Xn4kxqku+6VgfgA28jKLNpU4kcQ87T:Ea2Xn4kxqku+ZC8jkNpU4kcrT
TLSH T147D3BA7AEE700CECF7CC4A57B6FDA2DA322D935B934B1F84469B3942D82274D94D04A4
Magika txt
Reporter abuse_ch
Tags:hta RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.JS.Obfus-95.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=671893629e67c24682035d73
Tags:
Powershell Gumen
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/be907e559d6c92bbb3090149503aa9a159bacd22b6093d0cd2e2bf9c1d0f9b4b/results/dashboard
Payload URLs
URL
File name
http://107.175.229.138/600/wlanext.exe
HTA File
Behaviour
BlacklistAPI detected
Verdict:
Unknown
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/67189255d875ce8b57d747bc/reports/68631570-660a-4a9f-bfae-9cc8ffec26f2/overview
Verdict:
Malicious
Labled as:
VBS.Asthma.2.8FDFE18F
Link:
https://www.hybrid-analysis.com/sample/be907e559d6c92bbb3090149503aa9a159bacd22b6093d0cd2e2bf9c1d0f9b4b
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Hidden Powershell
Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
Result
Threat name:
Cobalt Strike
Create hunting rule
Detection:
malicious
Classification:
expl.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1539847
Signature
AI detected suspicious sample
Detected Cobalt Strike Beacon
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1539847 Sample: creambungoodforyourchoiceto... Startdate: 23/10/2024 Architecture: WINDOWS Score: 92 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected Powershell decode and execute 2->36 38 Sigma detected: Suspicious MSHTA Child Process 2->38 40 3 other signatures 2->40 8 mshta.exe 1 2->8         started        process3 signatures4 42 Detected Cobalt Strike Beacon 8->42 44 Suspicious powershell command line found 8->44 46 PowerShell case anomaly found 8->46 11 powershell.exe 37 8->11         started        process5 dnsIp6 30 107.175.229.138, 49730, 80 AS-COLOCROSSINGUS United States 11->30 28 C:\Users\user\AppData\...\llgndel5.cmdline, Unicode 11->28 dropped 48 Detected Cobalt Strike Beacon 11->48 16 powershell.exe 21 11->16         started        19 csc.exe 3 11->19         started        22 conhost.exe 11->22         started        file7 signatures8 process9 file10 32 Loading BitLocker PowerShell Module 16->32 26 C:\Users\user\AppData\Local\...\llgndel5.dll, PE32 19->26 dropped 24 cvtres.exe 1 19->24         started        signatures11 process12
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/be907e559d6c92bbb3090149503aa9a159bacd22b6093d0cd2e2bf9c1d0f9b4b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/be907e559d6c92bbb3090149503aa9a159bacd22b6093d0cd2e2bf9c1d0f9b4b/
Threat name:
Script-WScript.Downloader.Asthma
Create hunting rule
Status:
Malicious
First seen:
2024-10-21 11:48:00 UTC
File Type:
Text
AV detection:
7 of 38 (18.42%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x2ih4vm5nsjlxmyjafevaovjufm3vtjcwyet2dgs4k7zyhiptnfq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution
Link:
https://tria.ge/reports/241023-gtq6gavbrf/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Blocklisted process makes network request
Evasion via Device Credential Deployment
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/be907e559d6c92bbb3090149503aa9a159bacd22b6093d0cd2e2bf9c1d0f9b4b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

HTML Application (hta) hta be907e559d6c92bbb3090149503aa9a159bacd22b6093d0cd2e2bf9c1d0f9b4b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3249405/
  
Delivery method
Distributed via web download

Comments