MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6a1d0c6cdb62e541492740eeabafe7f88f242d6a442fa0e2d2b4e8b1a2b1617. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6a1d0c6cdb62e541492740eeabafe7f88f242d6a442fa0e2d2b4e8b1a2b1617
SHA3-384 hash: c579e036ceef8d9b35c58598e2a5127ef26ee274425d8eaa52e4ce96e60da6b1f1956a9de55b7be19679b70d9696d7c3
SHA1 hash: 90b802655c11e33edeac8e70e01aaaff2c751e01
MD5 hash: 315401e5c4a15efa7628f2f10e56e122
humanhash: friend-crazy-yankee-whiskey
File name:Swift.vbs
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:3'056 bytes
First seen:2022-05-06 16:04:51 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:il0NdDWPVTJhP9zeUF0JI1rS80HyYzAwccqWVJM0CI+/BKxda0tm0BdIsAxClPL:RCx1e5JI1rS8kyYAwjD2IIBYda0E8IaL
Threatray 8'762 similar samples on MalwareBazaar
TLSH T1E251ED0D7A5FB52452323F72DCAB189E5E734B87AA7401523A06EAA7CD3D02CD7C582C
Reporter abuse_ch
Tags:RAT RemcosRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
317
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/269136/
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/62754750982f586844ebcf0f/reports/e163309b-4009-4768-a5f2-d1b52603f6f9/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/989191
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Disables UAC (registry)
DLL side loading technique detected
Drops PE files to the startup folder
Drops VBS files to the startup folder
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Powershell drops PE file
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Costura Assembly Loader
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 621686 Sample: Swift.vbs Startdate: 06/05/2022 Architecture: WINDOWS Score: 100 99 Found malware configuration 2->99 101 Malicious sample detected (through community Yara rule) 2->101 103 Antivirus detection for URL or domain 2->103 105 6 other signatures 2->105 9 wscript.exe 14 2->9         started        13 wscript.exe 14 2->13         started        process3 dnsIp4 59 l-0004.l-dc-msedge.net 13.107.43.13, 443, 49710, 49712 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 9->59 61 ydkceg.db.files.1drv.com 9->61 69 2 other IPs or domains 9->69 125 System process connects to network (likely due to code injection or exploit) 9->125 127 Wscript starts Powershell (via cmd or directly) 9->127 129 Very long command line found 9->129 15 powershell.exe 14 21 9->15         started        20 cmd.exe 1 9->20         started        63 ydkceg.db.files.1drv.com 13->63 65 onedrive.live.com 13->65 67 db-files.fe.1drv.com 13->67 22 powershell.exe 13->22         started        signatures5 process6 dnsIp7 73 ydlnbq.db.files.1drv.com 15->73 75 onedrive.live.com 15->75 81 2 other IPs or domains 15->81 53 C:\Users\user\AppData\...\AgileDotNetRT64.dll, PE32+ 15->53 dropped 87 Writes to foreign memory regions 15->87 89 DLL side loading technique detected 15->89 91 Injects a PE file into a foreign processes 15->91 93 Powershell drops PE file 15->93 24 RegAsm.exe 2 15 15->24         started        28 RegAsm.exe 15->28         started        30 conhost.exe 15->30         started        95 Drops VBS files to the startup folder 20->95 97 Drops PE files to the startup folder 20->97 32 conhost.exe 20->32         started        77 l-0003.l-dc-msedge.net 13.107.43.12, 443, 49764 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 22->77 79 ydlnbq.db.files.1drv.com 22->79 83 3 other IPs or domains 22->83 34 conhost.exe 22->34         started        36 RegAsm.exe 22->36         started        file8 signatures9 process10 dnsIp11 55 god7.duckdns.org 37.0.14.217, 1984, 49765, 49767 WKD-ASIE Netherlands 24->55 57 geoplugin.net 178.237.33.50, 49766, 80 ATOM86-ASATOM86NL Netherlands 24->57 113 Installs a global keyboard hook 24->113 115 Injects a PE file into a foreign processes 24->115 38 RegAsm.exe 24->38         started        41 RegAsm.exe 24->41         started        43 cmd.exe 1 24->43         started        45 7 other processes 24->45 117 Found evasive API chain (may stop execution after checking mutex) 28->117 119 Tries to steal Mail credentials (via file registry) 28->119 121 Contains functionality to steal Chrome passwords or cookies 28->121 123 2 other signatures 28->123 signatures12 process13 dnsIp14 107 Tries to steal Instant Messenger accounts or passwords 38->107 109 Tries to steal Mail credentials (via file / registry access) 38->109 48 reg.exe 1 43->48         started        51 conhost.exe 43->51         started        71 192.168.2.1 unknown unknown 45->71 111 Tries to harvest and steal browser information (history, passwords, etc) 45->111 signatures15 process16 signatures17 85 Disables UAC (registry) 48->85
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e6a1d0c6cdb62e541492740eeabafe7f88f242d6a442fa0e2d2b4e8b1a2b1617/
Threat name:
Win32.Downloader.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-05-06 03:36:10 UTC
File Type:
Text (VBS)
AV detection:
4 of 42 (9.52%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=42q5brwnwyxfifesoqhovox6p6epeqwwurbpudrnfnhiwgrlcylq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1ccf09551ed031fa0755e2d2c22e05f8136cce389c5b6585d3f3395041637389
RemcosRAT
6a182d41a2d215552343174e699a7dba2d6282136f338a88826ac5eac8f0e7f6
RemcosRAT
6d21985a34efde10ae60b32f3d1f309da2707f6421bdb78f1da14ec1341b22ec
RemcosRAT
81a08b163648f4a09fbba230dc34b1b2c7e7e979fedc23c6bf89af0f39f32cff
RemcosRAT
88a52cb96bc7ae6d6788e1c3f4bca7c4bd379037cba08c6a86f28694f767d9d9
RemcosRAT
a1b385afa0592f1fc9e0eaacd751beb5e15ff4151f2ac98e0166f29955690b9c
RemcosRAT
a5235adab75f69fd47b814a81ed89fe195e9a37e59c742e42363379742fc3b43
RemcosRAT
cc93c7587dba9e4af2265a77a349230cb8ab0a0d8c524f4cfad4886fad7a34ab
RemcosRAT
fafd7463254353a7e4ea4900b93f412fb84bbbddae730fc145c54331eb2533f8
RemcosRAT
+ 8'752 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:system evasion rat trojan
Link:
https://tria.ge/reports/220506-tjgv9scghp/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Remcos
UAC bypass
Malware Config
C2 Extraction:
god7.duckdns.org:1984
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e6a1d0c6cdb6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e6a1d0c6cdb62e541492740eeabafe7f88f242d6a442fa0e2d2b4e8b1a2b1617

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/269136/

Comments