MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ecd14c3cf75fd350c3dbb849d5fea36c8f00d66665a67d1f0ed1d41c8f7a7648. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 11



SHA256 hash: ecd14c3cf75fd350c3dbb849d5fea36c8f00d66665a67d1f0ed1d41c8f7a7648
SHA3-384 hash: 3147b184f237d0a2b0c27ab47b2e2ce9e4a2e43792316e0db816c83bc0de350f96175bbb1122f1c4ebe93a70eacd2e17
SHA1 hash: ea3c8f8617f060f095d75c2f67ae054def1bfa94
MD5 hash: 1ed1e9dce1cb79bc90938280c24114d2
humanhash: iowa-august-north-tennis
File name: Payment reference no. - FT910298955674.js
Signature: RemcosRAT
File size: 1'533 bytes
First seen: 2025-03-26 13:09:19 UTC
Last seen: Never
File type: Java Script (JS) js
MIME type: text/plain
ssdeep: 24:d03GAnsxMouEPaJzLNgZs2Nr0nfmyAGUyAmkagckRVg7mggUulcEyuYPYTLxv:dqGAnsxMovPaJ1CTt0nOyQyHkaqVf0ub
Threatray: 104 similar samples on MalwareBazaar
TLSH: T15F31BF2DC568F8D0436E70A548634F0E10991F24DBFC6778FD961A951925A01CF1D23F
Magika: javascript
Reporter: abuse_ch
Tags: js RemcosRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 601
Origin country: NL
Vendor Threat Intelligence
Result
Verdict: MALICIOUS
Details
Base64 Encoded Powershell Directives: Detected one or more base64 encoded Powershell directives.
Base64 Encoded URL: Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name: DBatLoader, Remcos
Detection: malicious
Classification: rans.bank.troj.spyw.expl.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates many large memory junks
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates a thread in another existing process (thread injection)
Drops PE files with a suspicious file extension
Encrypted powershell cmdline option found
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Loading BitLocker PowerShell Module
Malicious encrypted Powershell command line found
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: DLL Search Order Hijacking Via Additional Space in Path
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Creation with Colorcpl
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph: [graph rendering omitted] Behavior Graph ID: 1649114; Sample: Payment reference no. - FT9...; Start date: 26/03/2025; Architecture: WINDOWS; Score: 100
Threat name: Script-JS.Trojan.Heuristic
Status: Malicious
First seen: 2025-03-26 13:09:34 UTC
File Type: Text (VBS)
AV detection: 5 of 24 (20.83%)
Threat level: 2/5
Result
Malware family: modiloader
Score: 10/10
Tags: family:modiloader discovery execution persistence trojan
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Malware Config
Dropper Extraction: http://www.nawatbsc.com/file/loader.exe
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments