MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3128d0f1df7f825183812b9e829fe1e0d80fa706c028e601f10f2cdbcdddd59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d3128d0f1df7f825183812b9e829fe1e0d80fa706c028e601f10f2cdbcdddd59
SHA3-384 hash: 29e3386f33a7fecc17972a43857fbc6861f16906e5853776f85bf325afd3d700df9f441aedc40677800c85b4a114d4db
SHA1 hash: a15f8bd807a25538bdff4e25e0c9ff75963a8601
MD5 hash: e9ecc7ef719446f8049dc8cf8475430d
humanhash: lactose-oxygen-may-stream
File name:PO# 07845.vbs
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:3'300'371 bytes
First seen:2026-03-18 10:03:52 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/csv
ssdeep 192:iNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN4:aoyAV4fO
TLSH T18BE518C9D86038DF407FAE6142DFC81B9807FD1769F969285109D4CA2CB9B1EE8D4EE1
Magika txt
Reporter abuse_ch
Tags:RemcosRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/57955/
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69ba7b8888c80c01586b977c
Tags:
n/a
Gathering data
Verdict:
Suspicious
Labled as:
DR/SNH
Link:
https://www.hybrid-analysis.com/sample/d3128d0f1df7f825183812b9e829fe1e0d80fa706c028e601f10f2cdbcdddd59
Verdict:
Malicious
File Type:
text.utf8
Detections:
Trojan-Downloader.JS.Cryptoload.sb HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.VBS.SAgent.gen HEUR:Trojan.Script.Generic Trojan.VBS.SAgent.sb Trojan.JS.SAgent.sb
Link:
https://opentip.kaspersky.com/d3128d0f1df7f825183812b9e829fe1e0d80fa706c028e601f10f2cdbcdddd59/results?tab=lookup
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1885567
Signature
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates processes via WMI
Detected Remcos RAT
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Remcos
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Unusual module load detection (module proxying)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1885567 Sample: PO# 07845.vbs Startdate: 18/03/2026 Architecture: WINDOWS Score: 100 61 honerable.ydns.eu 2->61 63 www.mediafire.com 2->63 65 4 other IPs or domains 2->65 91 Suricata IDS alerts for network traffic 2->91 93 Found malware configuration 2->93 95 Malicious sample detected (through community Yara rule) 2->95 97 16 other signatures 2->97 8 powershell.exe 15 15 2->8         started        12 wscript.exe 1 2 2->12         started        15 wscript.exe 2->15         started        17 2 other processes 2->17 signatures3 process4 dnsIp5 71 download2391.mediafire.com 199.91.155.132, 443, 49701, 49711 MEDIAFIREUS United States 8->71 73 cloudinary.map.fastly.net 151.101.1.137, 443, 49697, 49709 FASTLYUS United States 8->73 75 www.mediafire.com 104.17.148.83, 443, 49700, 49710 CLOUDFLARENETUS United States 8->75 113 Creates autostart registry keys with suspicious values (likely registry only malware) 8->113 115 Writes to foreign memory regions 8->115 117 Injects a PE file into a foreign processes 8->117 119 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 8->119 19 CasPol.exe 4 15 8->19         started        24 CasPol.exe 8->24         started        26 conhost.exe 8->26         started        28 CasPol.exe 8->28         started        59 C:\Users\Public\Downloads59ame_File.vbs, CSV 12->59 dropped 121 Suspicious powershell command line found 12->121 123 Wscript starts Powershell (via cmd or directly) 12->123 125 Windows Shell Script Host drops VBS files 12->125 127 3 other signatures 12->127 30 powershell.exe 15->30         started        32 powershell.exe 15->32         started        77 127.0.0.1 unknown unknown 17->77 file6 signatures7 process8 dnsIp9 67 honerable.ydns.eu 217.64.148.142, 49704, 49706, 50312 OBE-EUROPEObenetworkEuropeSE Sweden 19->67 51 C:\Users\user\AppData\Local\Temp\THCE56.tmp, MS-DOS 19->51 dropped 53 C:\Users\user\AppData\Local\Temp\THCE27.tmp, MS-DOS 19->53 dropped 55 C:\Users\user\AppData\Local\Temp\THCE06.tmp, MS-DOS 19->55 dropped 57 12 other malicious files 19->57 dropped 99 Detected Remcos RAT 19->99 101 Maps a DLL or memory area into another process 19->101 34 userinit.exe 2 19->34         started        37 userinit.exe 1 19->37         started        39 userinit.exe 19->39         started        49 14 other processes 19->49 103 Found hidden mapped module (file has been removed from disk) 24->103 105 Unusual module load detection (module proxying) 24->105 107 Switches to a custom stack to bypass stack traces 24->107 69 resc.cloudinary.com.cdn.cloudflare.net 104.16.78.6, 443, 49712 CLOUDFLARENETUS United States 30->69 109 Writes to foreign memory regions 30->109 111 Injects a PE file into a foreign processes 30->111 41 CasPol.exe 30->41         started        43 conhost.exe 30->43         started        45 CasPol.exe 32->45         started        47 conhost.exe 32->47         started        file10 signatures11 process12 signatures13 79 Tries to steal Mail credentials (via file registry) 34->79 81 Unusual module load detection (module proxying) 34->81 83 Tries to steal Instant Messenger accounts or passwords 37->83 85 Tries to steal Mail credentials (via file / registry access) 37->85 87 Detected Remcos RAT 45->87 89 Tries to harvest and steal browser information (history, passwords, etc) 49->89
Score:
35%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/d3128d0f1df7f825183812b9e829fe1e0d80fa706c028e601f10f2cdbcdddd59
Gathering data
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d3128d0f1df7f825183812b9e829fe1e0d80fa706c028e601f10f2cdbcdddd59/
Verdict:
Malicious
Threat:
Family.REMCOSRAT
Link:
https://tip.neiki.dev/file/d3128d0f1df7f825183812b9e829fe1e0d80fa706c028e601f10f2cdbcdddd59
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2026-03-17 11:51:24 UTC
File Type:
Binary
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2mji2dy5674ckgbyck46qkp6dygyb6tqnqbi4ya7cdzm3pg53vmq._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:honfire collection discovery execution persistence rat
Link:
https://tria.ge/reports/260318-mazamafz2t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Detected Nirsoft tools
Process spawned unexpected child process
Remcos
Remcos family
Malware Config
C2 Extraction:
honerable.ydns.eu:50312
honerable-bk.ydns.eu:52541
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d3128d0f1df7f825183812b9e829fe1e0d80fa706c028e601f10f2cdbcdddd59

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_tiny_vbs
Create hunting rule
Author:daniyyell
Description:Detects tiny VBS delivery technique

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/57955/

Comments