MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdf18dce59da13a347c6d2d60a0bf6190228b46e595863308769a1cb34ca5fd0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cdf18dce59da13a347c6d2d60a0bf6190228b46e595863308769a1cb34ca5fd0
SHA3-384 hash: 0a70fb5535970ee253358dd06c2512f0738efef584aaa4056c7df749b55a3b17967bc3f1e95d307f593f4b9bcb684e6f
SHA1 hash: 6d91b3d22422a376ccc0560ee3894b1a863ee6db
MD5 hash: c4f72b3412982fc5aafd0c2aaea244e3
humanhash: four-johnny-ohio-william
File name:31agosto.vbs
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:4'353'564 bytes
First seen:2025-11-07 08:06:01 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 384:abebebebTbebebebTbebebebUbS7X+Bbebebebqbebebebqbebebebqbebebeb6N:gbS7X+j
Threatray 643 similar samples on MalwareBazaar
TLSH T1D1164C43FA9F421476E39B16584950758F27E3CEAAB499CF449C90E0C7AB304CADFB52
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika vba
Reporter abuse_ch
Tags:RAT RemcosRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
SE SE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/36425/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690da88c3afb53888cc94179
Tags:
obfuscate xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
asyncrat base64 guloader obfuscated powershell
Link:
https://www.filescan.io/uploads/690da887fad650b0c998a804/reports/abd28e2b-1fe1-4f8b-a401-bab229466321/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/cdf18dce59da13a347c6d2d60a0bf6190228b46e595863308769a1cb34ca5fd0
Verdict:
Malicious
File Type:
text
First seen:
2025-11-05T13:36:00Z UTC
Last seen:
2025-11-05T16:36:00Z UTC
Hits:
~10
Detections:
Trojan-Downloader.JS.SLoad.sb Trojan.Win32.Agent.sb Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/cdf18dce59da13a347c6d2d60a0bf6190228b46e595863308769a1cb34ca5fd0/results?tab=lookup
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1809796
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal Bitcoin Wallet information
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1809796 Sample: 31agosto.vbs Startdate: 07/11/2025 Architecture: WINDOWS Score: 100 34 purerat32.duckdns.org 2->34 36 gitlab.com 2->36 38 bg.microsoft.map.fastly.net 2->38 54 Suricata IDS alerts for network traffic 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Multi AV Scanner detection for submitted file 2->58 62 11 other signatures 2->62 10 wscript.exe 1 2->10         started        13 svchost.exe 1 1 2->13         started        signatures3 60 Uses dynamic DNS services 34->60 process4 dnsIp5 70 Suspicious powershell command line found 10->70 72 Wscript starts Powershell (via cmd or directly) 10->72 74 Windows Scripting host queries suspicious COM object (likely to drop second stage) 10->74 76 Suspicious execution chain found 10->76 16 powershell.exe 7 10->16         started        44 127.0.0.1 unknown unknown 13->44 signatures6 process7 signatures8 46 Suspicious powershell command line found 16->46 48 Found many strings related to Crypto-Wallets (likely being stolen) 16->48 50 Encrypted powershell cmdline option found 16->50 52 2 other signatures 16->52 19 powershell.exe 14 17 16->19         started        22 conhost.exe 16->22         started        process9 file10 32 C:\Users\user\AppData\Local\Temp\DvVbs.ps1, Unicode 19->32 dropped 24 powershell.exe 11 19->24         started        process11 dnsIp12 40 gitlab.com 172.65.251.78, 443, 49683 CLOUDFLARENETUS United States 24->40 64 Writes to foreign memory regions 24->64 66 Potential dropper URLs found in powershell memory 24->66 68 Injects a PE file into a foreign processes 24->68 28 aspnet_regbrowsers.exe 2 2 24->28         started        signatures13 process14 dnsIp15 42 purerat32.duckdns.org 186.169.69.76, 2023, 49691, 49693 COLOMBIATELECOMUNICACIONESSAESPCO Colombia 28->42 78 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 28->78 80 Found many strings related to Crypto-Wallets (likely being stolen) 28->80 82 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 28->82 84 4 other signatures 28->84 signatures16
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/cdf18dce59da13a347c6d2d60a0bf6190228b46e595863308769a1cb34ca5fd0
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cdf18dce59da13a347c6d2d60a0bf6190228b46e595863308769a1cb34ca5fd0/
Verdict:
Malicious
Threat:
Trojan-Downloader.JS.SLoad
Link:
https://tip.neiki.dev/file/cdf18dce59da13a347c6d2d60a0bf6190228b46e595863308769a1cb34ca5fd0
Threat name:
Script-WScript.Downloader.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2025-11-05 23:33:00 UTC
File Type:
Text (VBS)
AV detection:
8 of 24 (33.33%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zxyy3tsz3ij2gr6g2llauc7wdebcrndolfmggmehngq4wngkl7ia._file
Verdict:
malicious
Label(s):
unc_loader_078
Create hunting rule
katzstealer
Create hunting rule
Similar samples:
16979f2060a835ff4b481cc0e192ac0302f65e3fa9e389e53b8e79f52821d0cb
RemcosRAT
1ae8f5d331a1c6138b60c0e9b7f3ddecda3868e6c408b97a061ed50916245b93
RemcosRAT
6f0877cdcc9b0b0c6837fe90e9f8d2492f36471cb57a477e24b57530d16b5ec9
RemcosRAT
859de7f0b61c2ce5e61b9737583fb72a80b0219c13c200a2d0de3e0da7f38307
RemcosRAT
901d6191e8bf99cf1a2a6b770519d18b82875294e95a55d1e87e42ef8bad213a
RemcosRAT
932791f59371b7a69c112bedde0a369f77b03ce6ab3f4cb1c08be7ff49846137
RemcosRAT
a1638a6e9d55a06c4fe43c738950b84a01f43f7883f1bd06bb2cbb60f02c87d2
RemcosRAT
b8aae9a506fea0ae59c1bab1d46ad400597a741c5c009a20e13ac4e0c55fac0e
RemcosRAT
error
RemcosRAT
+ 633 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery execution
Link:
https://tria.ge/reports/251107-jzk8hsbj9w/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Badlisted process makes network request
Malware Config
Dropper Extraction:
https://firebasestorage.googleapis.com/v0/b/loloer3434.firebasestorage.app/o/RODAHAZLO%2Fdllsky%20(7).txt?alt=media&token=434b9d0d-5a6c-4db8-9ad2-07383b7c2606
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cdf18dce59da13a347c6d2d60a0bf6190228b46e595863308769a1cb34ca5fd0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Visual Basic Script (vbs) vbs cdf18dce59da13a347c6d2d60a0bf6190228b46e595863308769a1cb34ca5fd0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3684403/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3626699/
  
URLhaus
https://urlhaus.abuse.ch/url/3696625/
  
URLhaus
https://urlhaus.abuse.ch/url/3684483/
  
URLhaus
https://urlhaus.abuse.ch/url/3619990/
  
URLhaus
https://urlhaus.abuse.ch/url/3626691/
  
URLhaus
https://urlhaus.abuse.ch/url/3684488/
  
URLhaus
https://urlhaus.abuse.ch/url/3684444/
  
URLhaus
https://urlhaus.abuse.ch/url/3692775/
Cape
Cape
https://www.capesandbox.com/analysis/36425/

Comments