MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d98541f0e7659a620cfd349405facb991e7e7973e90f7bef7f7882315023e96f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

SHA256 hash: d98541f0e7659a620cfd349405facb991e7e7973e90f7bef7f7882315023e96f
SHA3-384 hash: 122b84df7cc829f5f6237f3b5fda2741375e476ce9f3e3d0845e452794b13a9c7245591aaf638f93c3beff1144cf8272
SHA1 hash: 505a0f72aa8d6b0403ebab2e0e291f53baa6bd09
MD5 hash: d5f24aa0e828d9cf1ad6cd5b12b22d34
humanhash: nebraska-yankee-blue-failed
File name: payment copy SWIFT.vbs
Signature: RemcosRAT
File size: 2'688 bytes
First seen: 2022-03-29 07:06:24 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 48:qUilCKD9UsgjSZJi1rSm02OFXWVf8e1SVpo0BdAr:q5Kv8Ji1rSm1vJ/mSh
Threatray: 1'087 similar samples on MalwareBazaar
TLSH: T1F6512119708B757822311E72EC1B14DC9A774383A27851A0FE1DDADACE365ACA7C1C1C
Reporter: abuse_ch
Tags: RemcosRAT vbs


abuse_ch
Payload URLs:
http://3.26.185.34/pat1.jpg
http://3.26.185.34/pat2.jpg

Intelligence


File Origin
# of uploads: 1
# of downloads: 143
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: MALICIOUS
Result
Threat name:
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Drops PE files to the startup folder
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Remcos RAT
Behaviour
Behavior Graph (ID 598912; sample: payment copy SWIFT.vbs; start date: 29/03/2022; architecture: WINDOWS; score: 100)
Graph-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; 5 other signatures
DNS lookup from the root node: google.com
Process tree recovered from the graph (graph node numbers in parentheses):
  payment copy SWIFT.vbs (2)
    wscript.exe (11) - signatures: Wscript starts Powershell (via cmd or directly); Very long command line found - network: 3.26.185.34 ports 49774, 49775, 49779 (AMAZON-02US, United States)
      powershell.exe (21) - signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
        MSBuild.exe (32) - signatures: Contains functionality to steal Chrome passwords or cookies; Contains functionality to inject code into remote processes; Contains functionality to steal Firefox passwords or cookies; Delayed program exit found
        MSBuild.exe (35) - dropped: C:\Users\user\AppData\Roaming\vlc\vlc.exe (PE32); C:\Users\user\AppData\Local\...\install.vbs (data)
          wscript.exe (48) - signatures: Wscript starts Powershell (via cmd or directly) - network: 192.168.2.1
            cmd.exe (54)
              conhost.exe (58)
              vlc.exe (60)
        conhost.exe (38)
        MSBuild.exe (40)
      cmd.exe (24) - signatures: Drops VBS files to the startup folder; Drops PE files to the startup folder
        conhost.exe (42)
    wscript.exe (15) - signatures: System process connects to network (likely due to code injection or exploit)
      powershell.exe (26)
        MSBuild.exe (44)
          wscript.exe (52)
            cmd.exe (56)
              conhost.exe (62)
              vlc.exe (64)
        conhost.exe (46)
    vlc.exe (17)
      conhost.exe (28)
    vlc.exe (19)
      conhost.exe (30)
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2022-03-29 07:07:06 UTC
File Type: Text (VBS)
AV detection: 2 of 41 (4.88%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:remotehost persistence rat
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Blocklisted process makes network request
Executes dropped EXE
Remcos
Malware Config
C2 Extraction: rambolastblood.ddns.net:6327
Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments