MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e12fdcfde01952915157328b7afec8830f172814db0ce8d8658d427088b728d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e12fdcfde01952915157328b7afec8830f172814db0ce8d8658d427088b728d0
SHA3-384 hash: 4741b153fda7e8f2a53e97b4156755e2973beb755f825897237d854adc6078a60692cfc1522527da295d40e0b8c6d549
SHA1 hash: 440df904aaa0be5be4077f9210f373150045529c
MD5 hash: 8c6bd375e09fed816cc4e495a955c3c6
humanhash: stream-kentucky-seventeen-butter
File name:NEW ORDER 3102022.vbs
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:2'275 bytes
First seen:2022-03-10 10:13:34 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:TqSmKAA9V2764d7lSeOo/e/gxyCuL06PIQ+hGfg0BdO:Tpr9q648o/e/gxyDLXEhYgr
Threatray 1'470 similar samples on MalwareBazaar
TLSH T10941FC4A79AB796852323EB2AC0F485DE6755393E138C2537A0CC3D9CF3659CEB8080D
Reporter abuse_ch
Tags:RemcosRAT vbs


Avatar
abuse_ch
Payload URL:
http://www.meonhanong.com/bins/on1.jpg
http://www.meonhanong.com/bins/on.jpg

Intelligence

File Origin
# of uploads :
1
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/249088/
Detection(s):
SecuriteInfo.com.VBS.Agent.iz.17480.22832.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6229cf6d0cd58dbd9275833f/reports/76f851e8-9911-4c1c-8e6e-df9960151662/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/954080
Signature
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
DLL side loading technique detected
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Powershell drops PE file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 586558 Sample: NEW ORDER 3102022.vbs Startdate: 10/03/2022 Architecture: WINDOWS Score: 100 49 store-images.s-microsoft.com 2->49 69 Malicious sample detected (through community Yara rule) 2->69 71 Antivirus detection for URL or domain 2->71 73 Yara detected Remcos RAT 2->73 75 3 other signatures 2->75 9 wscript.exe 13 2->9         started        13 wscript.exe 14 2->13         started        signatures3 process4 dnsIp5 93 System process connects to network (likely due to code injection or exploit) 9->93 95 Wscript starts Powershell (via cmd or directly) 9->95 97 Very long command line found 9->97 15 powershell.exe 9->15         started        53 www.meonhanong.com 103.90.233.184, 49750, 49777, 49778 WEBPANDA-AS-VNCongtyTNHHWebPandaVN Viet Nam 13->53 20 powershell.exe 14 19 13->20         started        22 cmd.exe 1 13->22         started        signatures6 process7 dnsIp8 55 www.meonhanong.com 15->55 47 C:\Users\user\AppData\...\AgileDotNetRT64.dll, PE32+ 15->47 dropped 59 Writes to foreign memory regions 15->59 61 DLL side loading technique detected 15->61 63 Injects a PE file into a foreign processes 15->63 24 RegAsm.exe 2 15->24         started        28 RegAsm.exe 15->28         started        30 conhost.exe 15->30         started        57 www.meonhanong.com 20->57 65 Powershell drops PE file 20->65 32 conhost.exe 20->32         started        34 RegAsm.exe 20->34         started        67 Drops PE files to the startup folder 22->67 36 conhost.exe 22->36         started        file9 signatures10 process11 dnsIp12 51 emedoo.ddns.net 185.140.53.136, 49791, 49792, 49794 DAVID_CRAIGGG Sweden 24->51 83 Injects a PE file into a foreign processes 24->83 38 RegAsm.exe 24->38         started        41 RegAsm.exe 24->41         started        43 RegAsm.exe 24->43         started        45 6 other processes 24->45 85 Tries to steal Mail credentials (via file registry) 28->85 87 Contains functionality to steal Chrome passwords or cookies 28->87 89 Contains functionality to inject code into remote processes 28->89 91 2 other signatures 28->91 signatures13 process14 signatures15 77 Tries to steal Instant Messenger accounts or passwords 38->77 79 Tries to steal Mail credentials (via file / registry access) 38->79 81 Tries to harvest and steal browser information (history, passwords, etc) 45->81
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e12fdcfde01952915157328b7afec8830f172814db0ce8d8658d427088b728d0/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2022-03-10 10:14:10 UTC
File Type:
Text (VBS)
AV detection:
4 of 41 (9.76%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4ex5z7padfjjcukxgkfxv7wiqmhrokau3mgorwdfrvbhbcfxfdia._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
09b75cdc3edcad3cc8b1729683a1132506e851c9d7a1d864fc842284822d1ba5
RemcosRAT
38c2822b3929fe567273c89ddbdc3fb49a750199cd795f36ad6dc29bb614e4c6
RemcosRAT
7b5f70276fe64b0ec64ff186af6706b1dbbf2e2dc69e4b1546745b293121116f
RemcosRAT
a02d52f23eb9e8a857c9ed01d81e6220e787a1e2838d42c2734e99bc73cff250
RemcosRAT
b0ac37aec0eef942e0ff9c35828584b8d887f951ec13afbd80cdc4ce23595ae4
RemcosRAT
b53db8cda884be522adeb2f293a41fa80fa2522b3c2eedb1ed20841c5a41d716
RemcosRAT
c530ab34e439bbcaf995290504072a5f77ec085e2ef485e4ef324b7a957f5738
RemcosRAT
eb1d29174d0a65b4ff95f172d35532666fed7cd6659ec77591240777b5b76452
RemcosRAT
ebf21217cedcf7f1809418985cb120b150b12d2ec955119c73f7c3170b5f2232
RemcosRAT
+ 1'460 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:bubu rat
Link:
https://tria.ge/reports/220310-l9n39seeg5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Remcos
Malware Config
C2 Extraction:
emedoo.ddns.net:5050
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e12fdcfde019/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e12fdcfde01952915157328b7afec8830f172814db0ce8d8658d427088b728d0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
URLhaus
https://urlhaus.abuse.ch/host/www.meonhanong.com/
Cape
Cape
https://www.capesandbox.com/analysis/249088/

Comments