MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9ef47c6f722307c0a1df59c932898e4fcb365a3e53c13066aeb7d92439382de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9ef47c6f722307c0a1df59c932898e4fcb365a3e53c13066aeb7d92439382de
SHA3-384 hash: ee83afc8bf9720efe4984ac9f040101d13fe97497fa9a893a8ee6a06c0889d533367e705aca43b50fa14d5e00e741772
SHA1 hash: ec058a416fcfe8277931503cc63a7f72b429ee92
MD5 hash: d2558185d1f9381341a3d71f8cfaad7c
humanhash: autumn-river-finch-twelve
File name:d2558185d1f9381341a3d71f8cfaad7c.hta
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:156'424 bytes
First seen:2024-08-10 07:50:59 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 768:tZ6A3yXNA0AGAWTiGHriGCX57fY5ExiG3HJQiXAZO:tn
TLSH T12FE3AF579203E47D691359FFEA7CEED100D0DE8ADBC8968344FE4459ABD0FACB608096
Reporter abuse_ch
Tags:hta RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
120
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.JS.Obfus-360.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.VBS.Agent-9.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.JS.Obfus-95.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66b71bf5aa5b40be0a9ff141
Tags:
Execution Exploit Generic Network Stealth Trojan Html
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/f9ef47c6f722307c0a1df59c932898e4fcb365a3e53c13066aeb7d92439382de/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/66b71bf2c5888b2b8916ce6b/reports/60192985-d2b5-4b64-8384-1599e12871cb/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/f9ef47c6f722307c0a1df59c932898e4fcb365a3e53c13066aeb7d92439382de
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
Cobalt Strike, GuLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1490964
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
Detected Cobalt Strike Beacon
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Potential malicious VBS script found (suspicious strings)
Powershell drops PE file
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Sample uses process hollowing technique
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected GuLoader
Yara detected obfuscated html page
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1490964 Sample: ndGmwWXGOn.hta Startdate: 10/08/2024 Architecture: WINDOWS Score: 100 92 iwarsut775laudrye2.duckdns.org 2->92 94 welcomsplus.ru 2->94 96 3 other IPs or domains 2->96 118 Multi AV Scanner detection for domain / URL 2->118 120 Malicious sample detected (through community Yara rule) 2->120 122 Antivirus detection for URL or domain 2->122 126 18 other signatures 2->126 14 mshta.exe 1 2->14         started        signatures3 124 Uses dynamic DNS services 92->124 process4 signatures5 146 Suspicious command line found 14->146 17 cmd.exe 1 14->17         started        process6 signatures7 110 Detected Cobalt Strike Beacon 17->110 112 Suspicious powershell command line found 17->112 114 Wscript starts Powershell (via cmd or directly) 17->114 20 powershell.exe 44 17->20         started        25 conhost.exe 17->25         started        process8 dnsIp9 98 23.94.239.112, 49707, 80 AS-COLOCROSSINGUS United States 20->98 76 C:\Users\user\AppData\Roaming\sahost.exe, PE32 20->76 dropped 78 C:\Users\user\AppData\Local\...\sahost[1].exe, PE32 20->78 dropped 80 C:\Users\user\AppData\...\xjugk5t2.cmdline, Unicode 20->80 dropped 128 Found suspicious powershell code related to unpacking or dynamic code loading 20->128 130 Loading BitLocker PowerShell Module 20->130 132 Powershell drops PE file 20->132 27 sahost.exe 1 20 20->27         started        31 csc.exe 3 20->31         started        file10 signatures11 process12 file13 86 C:\Users\user\AppData\...\opencv_ml2410.dll, PE32+ 27->86 dropped 88 C:\Users\user\AppData\...\Tagvandets.Dec160, ASCII 27->88 dropped 140 Multi AV Scanner detection for dropped file 27->140 142 Detected Cobalt Strike Beacon 27->142 144 Suspicious powershell command line found 27->144 33 powershell.exe 19 27->33         started        90 C:\Users\user\AppData\Local\...\xjugk5t2.dll, PE32 31->90 dropped 37 cvtres.exe 1 31->37         started        signatures14 process15 file16 74 C:\Users\user\AppData\Local\...\sahost.exe, PE32 33->74 dropped 116 Writes to foreign memory regions 33->116 39 wab.exe 8 16 33->39         started        44 conhost.exe 33->44         started        signatures17 process18 dnsIp19 100 iwarsut775laudrye2.duckdns.org 172.111.137.137, 49717, 49718, 49719 SOFTLAYERUS United States 39->100 102 geoplugin.net 178.237.33.50, 49720, 80 ATOM86-ASATOM86NL Netherlands 39->102 104 welcomsplus.ru 31.31.198.183, 443, 49716 AS-REGRU Russian Federation 39->104 82 C:\Users\user\AppData\Roaming\sfvnspt.dat, data 39->82 dropped 84 C:\Users\user\AppData\...\Forfrelsens.vbs, ASCII 39->84 dropped 134 Maps a DLL or memory area into another process 39->134 136 Sample uses process hollowing technique 39->136 138 Installs a global keyboard hook 39->138 46 wscript.exe 39->46         started        49 cmd.exe 39->49         started        51 wab.exe 39->51         started        53 14 other processes 39->53 file20 signatures21 process22 signatures23 148 Detected Cobalt Strike Beacon 46->148 150 Suspicious powershell command line found 46->150 152 Wscript starts Powershell (via cmd or directly) 46->152 154 5 other signatures 46->154 55 powershell.exe 46->55         started        58 conhost.exe 49->58         started        60 reg.exe 49->60         started        62 WerFault.exe 51->62         started        64 WerFault.exe 53->64         started        66 WerFault.exe 53->66         started        68 WerFault.exe 53->68         started        process24 dnsIp25 106 asociatiatraditiimaria.ro 93.113.54.56, 443, 49721, 49725 GTSCEGTSCentralEuropeAntelGermanyCZ Romania 55->106 108 new.quranushaiqer.org.sa 34.166.62.190, 443, 49732 ATGS-MMD-ASUS United States 55->108 70 conhost.exe 55->70         started        72 cmd.exe 55->72         started        process26
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/f9ef47c6f722307c0a1df59c932898e4fcb365a3e53c13066aeb7d92439382de
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f9ef47c6f722307c0a1df59c932898e4fcb365a3e53c13066aeb7d92439382de/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2024-08-08 15:20:50 UTC
File Type:
Text (JavaScript)
AV detection:
12 of 38 (31.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7hxuprxxeiyhycq56wojgkey4t6lgznd4u6bgbtk5n6zeq4tqlpa._file
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader collection credential_access defense_evasion discovery downloader execution persistence stealer
Link:
https://tria.ge/reports/240810-jpvdfa1drr/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Evasion via Device Credential Deployment
Credentials from Password Stores: Credentials from Web Browsers
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Guloader,Cloudeye
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/f9ef47c6f722307c0a1df59c932898e4fcb365a3e53c13066aeb7d92439382de

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

HTML Application (hta) hta f9ef47c6f722307c0a1df59c932898e4fcb365a3e53c13066aeb7d92439382de

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3097273/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3098014/

Comments