MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd6da022c8b2ab80d081be47fd73c588baaa2dff06acabc1a3e681fe1fdc800c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd6da022c8b2ab80d081be47fd73c588baaa2dff06acabc1a3e681fe1fdc800c
SHA3-384 hash: 7d46fe8b557c99ad967276a5d0e54f3e149bc4111a6cea271b13df0417f78373253e60b4690bd8936fb7b352c1fb8b80
SHA1 hash: d59ceba881be62a9377558fe0589c69e937bef76
MD5 hash: 518cf4dc563783e4a2d2f9f407242074
humanhash: kitten-johnny-alanine-lake
File name:DHL INVOICE DOCUMENT NOTIFICATION 202403286777373688_pdf.vbs
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:13'338 bytes
First seen:2024-03-29 07:29:28 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 384:0FgU1ntWJVSZB8SaeR03f5Isev233OF3dw:xU1t+VyaJ3f5Vevo3OFdw
TLSH T1CD524AA4AE46114A822797F389CD2A31C13911F7452248BA7E4DF77E0E057763C2D66F
Reporter abuse_ch
Tags:DHL RemcosRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
136
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade
Link:
https://www.filescan.io/uploads/66066e01ec04992a87d22a40/reports/b39c7368-6c3c-4303-90b9-e1d0166a684b/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/cd6da022c8b2ab80d081be47fd73c588baaa2dff06acabc1a3e681fe1fdc800c
Result
Threat name:
Remcos, GuLoader
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1417404
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Remcos RAT
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Potential malicious VBS script found (suspicious strings)
Powershell uses Background Intelligent Transfer Service (BITS)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: Remcos
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes or reads registry keys via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected GuLoader
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1417404 Sample: DHL INVOICE DOCUMENT NOTIFI... Startdate: 29/03/2024 Architecture: WINDOWS Score: 100 47 mexbar.duckdns.org 2->47 49 www.jongzelfstandig.nl 2->49 51 geoplugin.net 2->51 71 Multi AV Scanner detection for domain / URL 2->71 73 Found malware configuration 2->73 75 Malicious sample detected (through community Yara rule) 2->75 79 11 other signatures 2->79 11 wscript.exe 1 2->11         started        14 svchost.exe 1 2 2->14         started        signatures3 77 Uses dynamic DNS services 47->77 process4 dnsIp5 87 VBScript performs obfuscated calls to suspicious functions 11->87 89 Suspicious powershell command line found 11->89 91 Wscript starts Powershell (via cmd or directly) 11->91 93 3 other signatures 11->93 17 powershell.exe 16 11->17         started        20 WmiPrvSE.exe 11->20         started        57 www.jongzelfstandig.nl 185.104.29.74, 443, 49713, 49714 AS-ZXCSNL Netherlands 14->57 59 127.0.0.1 unknown unknown 14->59 signatures6 process7 signatures8 67 Suspicious powershell command line found 17->67 69 Very long command line found 17->69 22 powershell.exe 23 17->22         started        25 conhost.exe 17->25         started        process9 signatures10 81 Writes to foreign memory regions 22->81 83 Powershell uses Background Intelligent Transfer Service (BITS) 22->83 85 Found suspicious powershell code related to unpacking or dynamic code loading 22->85 27 wab.exe 5 17 22->27         started        process11 dnsIp12 53 mexbar.duckdns.org 147.189.132.242, 3119, 49719, 49720 JANETJiscServicesLimitedGB United Kingdom 27->53 55 geoplugin.net 178.237.33.50, 49722, 80 ATOM86-ASATOM86NL Netherlands 27->55 45 C:\ProgramData\remcos\logs.dat, data 27->45 dropped 95 Detected Remcos RAT 27->95 97 Tries to harvest and steal browser information (history, passwords, etc) 27->97 99 Maps a DLL or memory area into another process 27->99 101 Installs a global keyboard hook 27->101 32 wab.exe 1 27->32         started        35 wab.exe 1 27->35         started        37 wab.exe 2 27->37         started        39 2 other processes 27->39 file13 signatures14 process15 signatures16 61 Tries to steal Instant Messenger accounts or passwords 32->61 63 Tries to steal Mail credentials (via file / registry access) 32->63 65 Tries to harvest and steal browser information (history, passwords, etc) 35->65 41 conhost.exe 39->41         started        43 reg.exe 1 1 39->43         started        process17
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/cd6da022c8b2ab80d081be47fd73c588baaa2dff06acabc1a3e681fe1fdc800c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cd6da022c8b2ab80d081be47fd73c588baaa2dff06acabc1a3e681fe1fdc800c/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zvw2aiwiwkvybuebxzd7246frc5kulp7a2wkxqnd42a74h64qaga._file
Verdict:
unknown
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader persistence upx
Link:
https://tria.ge/reports/240329-jbvgaacd4z/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
UPX packed file
Blocklisted process makes network request
Guloader,Cloudeye
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cd6da022c8b2ab80d081be47fd73c588baaa2dff06acabc1a3e681fe1fdc800c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments