MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e224c2c5cc744249849a02dc80b8f3b54e68b867df6919675d32195c71fd2e23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e224c2c5cc744249849a02dc80b8f3b54e68b867df6919675d32195c71fd2e23
SHA3-384 hash: f02dd106bb0ca5b0005dd8032eff0763d17823e6407fa85f2599a5ee4a8083cb1e1ad562d8d920bcbba4716c2a665dc0
SHA1 hash: 84bf4b5ca3029cc3c9ffede2ec99cad516a6a5cd
MD5 hash: d21fa8f92d5215bf0dcaa7b777d76ee9
humanhash: king-sad-delaware-papa
File name:HKL.vbs
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:754'532 bytes
First seen:2023-06-01 17:32:36 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 3072:HPG6wfkYFEhNe4VTdRnTT8w4TWkuIFd7c7nBy+KV9jCZqskg/rpd+og0S7wQzS1y:twfkYF0gh9eZqX
Threatray 1'968 similar samples on MalwareBazaar
TLSH T101F4866791DE5084B3722D40F7BD96245F1BB6EA8839C90D888C8A2D77DF8078B517B3
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter James_inthe_box
Tags:RemcosRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
158
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/394566/
Detection(s):
SecuriteInfo.com.VBS.Obfuscated-IA.13309.4983.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6478d64ff2395e845d615734/reports/07e2b1ef-e683-4ce0-9a5d-bfc2e08c70c9/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/e224c2c5cc744249849a02dc80b8f3b54e68b867df6919675d32195c71fd2e23
Result
Verdict:
UNKNOWN
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1247069
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates autostart registry keys with suspicious values (likely registry only malware)
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suspicious powershell command line found
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 880086 Sample: HKL.vbs Startdate: 01/06/2023 Architecture: WINDOWS Score: 100 34 Multi AV Scanner detection for domain / URL 2->34 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 7 other signatures 2->40 8 wscript.exe 1 2->8         started        11 wscript.exe 2->11         started        13 wscript.exe 2->13         started        process3 signatures4 52 VBScript performs obfuscated calls to suspicious functions 8->52 54 Suspicious powershell command line found 8->54 56 Wscript starts Powershell (via cmd or directly) 8->56 58 Very long command line found 8->58 15 powershell.exe 15 8 8->15         started        process5 signatures6 60 Suspicious powershell command line found 15->60 62 Creates autostart registry keys with suspicious values (likely registry only malware) 15->62 64 Writes to foreign memory regions 15->64 66 Injects a PE file into a foreign processes 15->66 18 RegSvcs.exe 15->18         started        21 RegSvcs.exe 3 14 15->21         started        24 powershell.exe 12 15->24         started        26 conhost.exe 15->26         started        process7 dnsIp8 42 Contains functionality to bypass UAC (CMSTPLUA) 18->42 44 Contains functionalty to change the wallpaper 18->44 46 Contains functionality to steal Chrome passwords or cookies 18->46 50 3 other signatures 18->50 30 gdyhjjdhbvxgsfe.gotdns.ch 45.81.39.214, 2718, 49700 LVLT-10753US United States 21->30 32 geoplugin.net 178.237.33.50, 49701, 80 ATOM86-ASATOM86NL Netherlands 21->32 48 Installs a global keyboard hook 21->48 28 conhost.exe 24->28         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e224c2c5cc744249849a02dc80b8f3b54e68b867df6919675d32195c71fd2e23/
Threat name:
Script-WScript.Trojan.Minerva
Create hunting rule
Status:
Malicious
First seen:
2023-06-01 17:32:29 UTC
File Type:
Text (VBS)
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4ismfromorbetbe2aloibohtwvhgrodh35ursz25gimvy4p5fyrq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
5b1e8d8e1c47866009a79f371befaff9f673cb07656a0eb9509771dffd8f7ea7
RemcosRAT
648cf8b93fa2f02344ef0ab1684a0e6cfb45b61a21f79890c5183e8068f6a1fa
RemcosRAT
8a69c6b0efd7bbf528d4a163be673143bf04021faafcc076aa2cc73d7688de63
RemcosRAT
b2a00a736c7f3cc7212c99c445c222c589c08fdffbb0085d0688a857b081eec1
RemcosRAT
b6c627336f2b88a0eaa3a58ef166fa2c5eed3b409c649a7228b1d3c8573a770b
RemcosRAT
c57ef56c3465d7d32b6851cdfd6d950fbbc53a40c825f547f4b4cc0f01123346
RemcosRAT
d4bbd5ce6f012df9861c4bee326c87539c7b92b5cbdfb73b54fd7f1321d15eb9
RemcosRAT
d7300cfd284114c32015ed2c8d711f8d5c204428e85addd79fc73539c024ca7e
RemcosRAT
d935d16b1603eb83d9c8587e3fe36ba247341adb572bac99a291f35bd13d7292
RemcosRAT
db5aac25dcb71e739e6f5571cb7d10ba2f30c891d4a19307d6bf8c549b2074cb
RemcosRAT
+ 1'958 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:awelle-host persistence rat
Link:
https://tria.ge/reports/230601-v4t7rsfe87/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Blocklisted process makes network request
Remcos
Malware Config
C2 Extraction:
gdyhjjdhbvxgsfe.gotdns.ch:2718
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e224c2c5cc74/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.05
Link:
https://yomi.yoroi.company/submissions/e224c2c5cc744249849a02dc80b8f3b54e68b867df6919675d32195c71fd2e23

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/394566/
  
URLhaus
https://urlhaus.abuse.ch/url/2649310/

Comments