MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f99757c98007da241258ae12ec0fd5083f0475a993ca6309811263aad17d4661. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f99757c98007da241258ae12ec0fd5083f0475a993ca6309811263aad17d4661
SHA3-384 hash: 634a853c263eeed7c9a2be229770e2e54c18f69f44150d8ffb61f5dc6bc48ec99cada181dc13327068a3c01087df9f59
SHA1 hash: 6b556d04962638694402d15b7fa24b6bd6b1d1f4
MD5 hash: c443d03e485232a860b726fc83593004
humanhash: michigan-six-steak-speaker
File name:c443d03e485232a860b726fc83593004.hta
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:118'450 bytes
First seen:2024-09-30 17:56:59 UTC
Last seen:2024-10-01 07:43:29 UTC
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 96:Ea+M73rNp6fEVNp60WU1Qgr8l+Qu3i9pNp6R6Np6Er5BfqVNp61AT:Ea+Q35puEnp08QgocyNpJpxCnpxT
TLSH T1B8C391A4D93499ECB7CD9E93BDFC3B9C71A8472F5B821E5A875B3845CC6171C909001D
Magika txt
Reporter abuse_ch
Tags:192-3-220-22 hta RAT RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
183
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.JS.DownLoader.6571.29074.16465.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66fae773c85f12c405da7991
Tags:
Powershell Gumen
Result
Verdict:
Malicious
File Type:
HTA File - Malicious Base64 Payload
Link:
https://app.docguard.net/f99757c98007da241258ae12ec0fd5083f0475a993ca6309811263aad17d4661/results/dashboard
Payload URLs
URL
File name
http://192.3.220.22/430/dllhost.exe
HTA File
Behaviour
BlacklistAPI detected
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/66fae670168559661d50f0b7/reports/a4d6a2cc-9df8-48a9-85d7-fa92b2cc0232/overview
Verdict:
Malicious
Labled as:
VBS.Asthma.2.501DB324
Link:
https://www.hybrid-analysis.com/sample/f99757c98007da241258ae12ec0fd5083f0475a993ca6309811263aad17d4661
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Hidden Powershell
Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
Result
Threat name:
Cobalt Strike, Remcos, GuLoader
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1522886
Signature
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Detected Cobalt Strike Beacon
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Remcos
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Powershell decode and execute
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1522886 Sample: 5UQ2Xybm0q.hta Startdate: 30/09/2024 Architecture: WINDOWS Score: 100 69 geoplugin.net 2->69 87 Suricata IDS alerts for network traffic 2->87 89 Found malware configuration 2->89 91 Multi AV Scanner detection for dropped file 2->91 93 12 other signatures 2->93 13 mshta.exe 1 2->13         started        signatures3 process4 signatures5 121 Suspicious command line found 13->121 123 PowerShell case anomaly found 13->123 16 cmd.exe 1 13->16         started        process6 signatures7 77 Detected Cobalt Strike Beacon 16->77 79 Suspicious powershell command line found 16->79 81 PowerShell case anomaly found 16->81 19 powershell.exe 45 16->19         started        24 conhost.exe 16->24         started        process8 dnsIp9 71 192.3.220.22, 49710, 49714, 80 AS-COLOCROSSINGUS United States 19->71 59 C:\Users\user\AppData\Roaming\dllhost.exe, PE32 19->59 dropped 61 C:\Users\user\AppData\...\dllhost[1].exe, PE32 19->61 dropped 63 C:\Users\user\AppData\...\e0lhh4ay.cmdline, Unicode 19->63 dropped 95 Found suspicious powershell code related to unpacking or dynamic code loading 19->95 97 Loading BitLocker PowerShell Module 19->97 99 Powershell drops PE file 19->99 26 dllhost.exe 3 29 19->26         started        30 csc.exe 3 19->30         started        file10 signatures11 process12 file13 65 C:\Users\user\AppData\...\Aerognosy.Res, ASCII 26->65 dropped 109 Multi AV Scanner detection for dropped file 26->109 111 Detected Cobalt Strike Beacon 26->111 113 Suspicious powershell command line found 26->113 32 powershell.exe 27 26->32         started        67 C:\Users\user\AppData\Local\...\e0lhh4ay.dll, PE32 30->67 dropped 36 cvtres.exe 1 30->36         started        signatures14 process15 file16 57 C:\Users\user\AppData\...\Vaccinerende.exe, PE32 32->57 dropped 83 Writes to foreign memory regions 32->83 85 Loading BitLocker PowerShell Module 32->85 38 Vaccinerende.exe 5 14 32->38         started        42 conhost.exe 32->42         started        signatures17 process18 dnsIp19 73 107.173.4.16, 2404, 49715, 49717 AS-COLOCROSSINGUS United States 38->73 75 geoplugin.net 178.237.33.50, 49716, 80 ATOM86-ASATOM86NL Netherlands 38->75 101 Multi AV Scanner detection for dropped file 38->101 103 Detected unpacking (changes PE section rights) 38->103 105 Detected Remcos RAT 38->105 107 3 other signatures 38->107 44 Vaccinerende.exe 38->44         started        47 Vaccinerende.exe 38->47         started        49 Vaccinerende.exe 38->49         started        51 cmd.exe 38->51         started        signatures20 process21 signatures22 115 Tries to steal Instant Messenger accounts or passwords 44->115 117 Tries to steal Mail credentials (via file / registry access) 44->117 119 Tries to harvest and steal browser information (history, passwords, etc) 47->119 53 conhost.exe 51->53         started        55 reg.exe 51->55         started        process23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f99757c98007da241258ae12ec0fd5083f0475a993ca6309811263aad17d4661/
Threat name:
Script-WScript.Trojan.Asthma
Create hunting rule
Status:
Malicious
First seen:
2024-09-30 00:22:49 UTC
File Type:
Text
AV detection:
12 of 37 (32.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7glvpsmaa7nciesyvyjoyd6vba7qi5njspfggcmbcjr2vul5izqq._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:rem_doc2 collection defense_evasion discovery execution persistence rat spyware stealer
Link:
https://tria.ge/reports/240930-wjkm9ssbpg/
Behaviour
Modifies Internet Explorer settings
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Evasion via Device Credential Deployment
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Remcos
Malware Config
C2 Extraction:
107.173.4.16:2404
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f99757c98007/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/f99757c98007da241258ae12ec0fd5083f0475a993ca6309811263aad17d4661

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

HTML Application (hta) hta f99757c98007da241258ae12ec0fd5083f0475a993ca6309811263aad17d4661

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3201690/
  
Delivery method
Distributed via web download

Comments