MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdff410d32d5b177320f80eb8bc6be51de994bd11cc17e7013ae400e1947ca6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	cdff410d32d5b177320f80eb8bc6be51de994bd11cc17e7013ae400e1947ca6f
SHA3-384 hash:	b788648d81b895bce481ad47c102dc577a342f9158317c4b313de3ad178f8f829a50026be1d39bc28b9b9ea68b731248
SHA1 hash:	03aa37de89660b8d2fd9ef5aabc61a83a7f410c8
MD5 hash:	753a9d435fdf6803ca970ba23d3dfe0d
humanhash:	hotel-white-autumn-arizona
File name:	segura.vbs
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	2'015'602 bytes
First seen:	2024-11-28 17:50:19 UTC
Last seen:	2024-12-02 11:14:58 UTC
File type:	vbs
MIME type:	text/plain
ssdeep	192:dG4GAG4GAG4GAG4GAG4GAG4GAG4GAG4GAG4GAG4GAG4GAG4GAG4GAG4GAG4GAG4l:XQb7SOE9Cm6wn
Threatray	93 similar samples on MalwareBazaar
TLSH	T15E954F8C97C8B385D964964365E348E28C90EB32194F1C9F675C1E06F0ECABE7D845FA
TrID	66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1) 33.3% (.MP3) MP3 audio (1000/1)
Magika	unknown
Reporter	Anonymous
Tags:	RemcosRAT vbs

Intelligence

File Origin

# of uploads :

# of downloads :

135

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Script.SNH-gen.10392.405.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6748ae3704c232bff3b465c7

Tags:

xtreme gumen shell sage

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

powershell

Link:

https://www.filescan.io/uploads/6748ad9e71856046f3a7e36b/reports/8f3795cc-1065-439f-b1ff-f9a05a610302/overview

Verdict:

Suspicious

Labled as:

Trojan.Script.VBS

Link:

https://www.hybrid-analysis.com/sample/cdff410d32d5b177320f80eb8bc6be51de994bd11cc17e7013ae400e1947ca6f

Result

Threat name:

n/a

Detection:

malicious

Classification:

spre.troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1564791

Signature

AI detected suspicious sample

Bypasses PowerShell execution policy

Connects to a pastebin service (likely for C&C)

Encrypted powershell cmdline option found

Found suspicious powershell code related to unpacking or dynamic code loading

Malicious sample detected (through community Yara rule)

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Paste sharing url in reverse order

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

VBScript performs obfuscated calls to suspicious functions

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Score:

98%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/cdff410d32d5b177320f80eb8bc6be51de994bd11cc17e7013ae400e1947ca6f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cdff410d32d5b177320f80eb8bc6be51de994bd11cc17e7013ae400e1947ca6f/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2024-11-28 17:51:06 UTC

File Type:

Text (VBS)

AV detection:

4 of 24 (16.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zx7ucdjs2wyxomqpqdvyxrv6khpjss6rdtax44atvzaa4gkhzjxq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004

RemcosRAT

82f69d218791526f3724c1e6fcf7e73272182067c80f4d037557289863a241aa

RemcosRAT

b3a40331524394846d2782f1e52e1410ce1681283f8c715373bab73c84fa30ec

RemcosRAT

c865fc0e856370e94724131a1ae04b852d6e4b98d7060a1e702b7ff933ac947b

RemcosRAT

e38472a309a8c98d56f4d3384be87b4f619f93c8af02ca9c08236e20987b380c

RemcosRAT

error

RemcosRAT

+ 83 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:ntpriv discovery execution rat

Link:

https://tria.ge/reports/241128-we5smsvmes/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Command and Scripting Interpreter: PowerShell

Legitimate hosting services abused for malware hosting/C2

Checks computer location settings

Blocklisted process makes network request

Remcos

Remcos family

Malware Config

C2 Extraction:

wins.coemprsasltda.pro:3000

Dropper Extraction:

https://pastebin.com/raw/Adv9gBHa

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

vbs cdff410d32d5b177320f80eb8bc6be51de994bd11cc17e7013ae400e1947ca6f

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample