MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4c96c493952ab9601201dc7875a664148107c06a5481ae53414037fc1edccda. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4c96c493952ab9601201dc7875a664148107c06a5481ae53414037fc1edccda
SHA3-384 hash: 154ff3258f70b83f3c5819c8d10019481ccbd9de62c2fc6c50ee16ad39cf6030faed473e98a4379b4efb7d4b68311760
SHA1 hash: bfe049d9f1e1ad081575e2bcc8a2f9e80893b187
MD5 hash: d463ce7d9ec980218c7ad75c79c26e13
humanhash: jupiter-alabama-december-iowa
File name:Arrival_Notice.vbs
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:19'826 bytes
First seen:2023-10-24 12:52:30 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 384:w5gRZkrgrrNVemBGyysviSJ0C9posVt2I89OFOSZO/FGwBxkT:2gRKgrrXdjk4/TFFpwFGw/kT
Threatray 2'730 similar samples on MalwareBazaar
TLSH T177924CA2DE4D160849077B979C4FD8A5C87AC11D25BA0615BE9C039EB30A57CC37FB2E
Reporter malrpt
Tags:RemcosRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
110
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/455982/
Detection(s):
SecuriteInfo.com.VBS.Agent.CCDA.tr.17429.25702.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6537be31859ce74156817b7d/reports/448795f7-fe77-4c9a-950b-fd991b4d26e5/overview
Verdict:
Suspicious
Labled as:
Trojan.VBS.SAgent
Link:
https://www.hybrid-analysis.com/sample/d4c96c493952ab9601201dc7875a664148107c06a5481ae53414037fc1edccda
Result
Verdict:
MALICIOUS
Result
Threat name:
GuLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1331260
Signature
Antivirus detection for URL or domain
Found suspicious powershell code related to unpacking or dynamic code loading
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Suspicious powershell command line found
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1331260 Sample: Arrival_Notice.vbs Startdate: 24/10/2023 Architecture: WINDOWS Score: 100 23 bustabantu0817.duckdns.org 2->23 25 bantubusta0816.ddns.net 2->25 27 cdn.discordapp.com 2->27 35 Malicious sample detected (through community Yara rule) 2->35 37 Antivirus detection for URL or domain 2->37 39 Yara detected GuLoader 2->39 41 2 other signatures 2->41 9 wscript.exe 1 2->9         started        signatures3 process4 signatures5 43 VBScript performs obfuscated calls to suspicious functions 9->43 45 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 9->45 47 Suspicious powershell command line found 9->47 49 4 other signatures 9->49 12 powershell.exe 16 9->12         started        process6 signatures7 51 Suspicious powershell command line found 12->51 53 Very long command line found 12->53 15 powershell.exe 21 12->15         started        18 conhost.exe 12->18         started        process8 signatures9 55 Writes to foreign memory regions 15->55 57 Maps a DLL or memory area into another process 15->57 59 Found suspicious powershell code related to unpacking or dynamic code loading 15->59 20 wab.exe 6 6 15->20         started        process10 dnsIp11 29 bustabantu0817.duckdns.org 197.210.85.182, 6699 VCG-ASNG Nigeria 20->29 31 bantubusta0816.ddns.net 172.94.4.196, 6699 M247GB United States 20->31 33 162.159.129.233, 443, 49744 CLOUDFLARENETUS United States 20->33
Score:
86%
Verdict:
Malware
File Type:
ASCII
Link:
https://malprob.io/report/d4c96c493952ab9601201dc7875a664148107c06a5481ae53414037fc1edccda
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d4c96c493952ab9601201dc7875a664148107c06a5481ae53414037fc1edccda/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2tewysjzkkvzmajadxdyowtgifeba7aguvebvzjucqbx7qpnztna._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
045b514767dbbe5c411284ea83b2d47b62b1f7a258f866871bfebc14667ef5e6
RemcosRAT
091b0fddf7de1c049a9957de41cfd1c12bc3962a8dc70126654b23254b1ec9ad
RemcosRAT
1aee775c13151f0853c02dbd804ad25f1ea6b3c5db6312760d67af89e689845a
RemcosRAT
55eebc888e9151e28295587ff7c12c40f8b7ae5f23d29bac79c6444277940a6a
RemcosRAT
6ecf9fda65dc1a4a9c7610510ac9f78a6663e75d736a8444c72e11a0cc8d8d46
RemcosRAT
7076d5e0459c068bc798fb168a91c4f33f2895e52356946da3f7617b7fc28b57
RemcosRAT
7f793f734102e69d7ac16e898a6a65f3d7eae3581c82a7fc8f853299ed18d590
RemcosRAT
9707c1faa4b7191af96f2879472c6bb368eef29b80d917dc9dc197f92ae86b8f
RemcosRAT
b94bcb3ea1cef8b1759856c06c57264332223216fda926fdb58bc848e5a5494d
RemcosRAT
e479c0b49b6fe13242fc767e1db58067b61e4c16ff7068d3b39c4d8c2836428f
RemcosRAT
+ 2'720 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:egwu una persistence rat
Link:
https://tria.ge/reports/231024-p4mj2ada5y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
bantubusta0816.ddns.net:6699
bustabantu0817.duckdns.org:6699
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d4c96c493952/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/455982/

Comments