MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02fca8837852c3cbb9774f065e44401971f68b48205f7cd788ea8a8de6cfb0d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02fca8837852c3cbb9774f065e44401971f68b48205f7cd788ea8a8de6cfb0d3
SHA3-384 hash: 31fa8c60018dfa527c62746a7d4927b4dd04dbc455332413f1703ff5c6e8a1556ae6ba2f31967f50cfbb638f41613ff7
SHA1 hash: a1352ef4864eb21e7b9d6b101f64d62835a191f5
MD5 hash: 40b2417a4c92832d631cd23ae01674f1
humanhash: winter-shade-mockingbird-dakota
File name:goodformulafodme.hta
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:293'085 bytes
First seen:2026-06-05 08:35:53 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/plain
ssdeep 1536:K88888888888888888888888888888888888888888888888888888888rOa888s:sz
Threatray 2'381 similar samples on MalwareBazaar
TLSH T1E054AA606C115134DF9475B2E1331DA43B901AAE347AF24BD82B3283FB57F26D92E786
Magika javascript
Reporter abuse_ch
Tags:hta RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
52
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.VBS.Starter.519.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a219163f8676ad4d36109ea
Tags:
n/a
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/02fca8837852c3cbb9774f065e44401971f68b48205f7cd788ea8a8de6cfb0d3/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm fingerprint powershell
Link:
https://www.filescan.io/uploads/6a228b3512da0d249c65f0c1/reports/75e84b42-f0ee-45c8-88f0-bfb54085add0/overview
Verdict:
Malicious
Labled as:
JS/Agent.UOK trojan
Link:
https://www.hybrid-analysis.com/sample/02fca8837852c3cbb9774f065e44401971f68b48205f7cd788ea8a8de6cfb0d3
Verdict:
Malicious
File Type:
hta
First seen:
2026-06-04T11:58:00Z UTC
Last seen:
2026-06-04T12:28:00Z UTC
Hits:
~10
Detections:
Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic HEUR:Trojan.HTA.SAgent.gen
Link:
https://opentip.kaspersky.com/02fca8837852c3cbb9774f065e44401971f68b48205f7cd788ea8a8de6cfb0d3/results?tab=lookup
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1923504
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates processes via WMI
Delayed program exit found
Detected large data written to user environment variables, potentially indicating payload staging for fileless execution
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Remcos
Sigma detected: Suspicious MSHTA Child Process
Suricata IDS alerts for network traffic
Unusual module load detection (module proxying)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1923504 Sample: goodformulafodme.hta Startdate: 05/06/2026 Architecture: WINDOWS Score: 100 24 macat433.duckdns.org 2->24 26 as.al 2->26 28 geoplugin.net 2->28 46 Suricata IDS alerts for network traffic 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 54 10 other signatures 2->54 8 mshta.exe 1 2->8         started        signatures3 52 Uses dynamic DNS services 24->52 process4 signatures5 56 Obfuscated command line found 8->56 58 Bypasses PowerShell execution policy 8->58 60 Creates processes via WMI 8->60 62 Detected large data written to user environment variables, potentially indicating payload staging for fileless execution 8->62 11 powershell.exe 14 16 8->11         started        process6 dnsIp7 30 as.al 172.67.75.232, 443, 49693 CLOUDFLARENET-CloudflareIncUS Canada 11->30 32 107.172.13.211, 49694, 80 AS-COLOCROSSING-HostPapaUS United States 11->32 64 Writes to foreign memory regions 11->64 66 Injects a PE file into a foreign processes 11->66 68 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 11->68 15 CasPol.exe 4 8 11->15         started        20 conhost.exe 11->20         started        signatures8 process9 dnsIp10 34 macat433.duckdns.org 5.101.82.8, 48214, 49698 AS-GLOBALTELEHOST-GTHostUS Czechia 15->34 36 geoplugin.net 178.237.33.50, 49699, 80 ATOM86-ASATOM86NL Netherlands 15->36 22 C:\ProgramData\remcos\logs.dat, data 15->22 dropped 38 Contains functionality to bypass UAC (CMSTPLUA) 15->38 40 Detected Remcos RAT 15->40 42 Contains functionalty to change the wallpaper 15->42 44 6 other signatures 15->44 file11 signatures12
Score:
97%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/02fca8837852c3cbb9774f065e44401971f68b48205f7cd788ea8a8de6cfb0d3
Gathering data
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/02fca8837852c3cbb9774f065e44401971f68b48205f7cd788ea8a8de6cfb0d3/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/02fca8837852c3cbb9774f065e44401971f68b48205f7cd788ea8a8de6cfb0d3
Threat name:
Script.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2026-06-04 14:53:27 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
9 of 36 (25.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=al6kra3yklb4xolxj4df4rcadfy7nc2iebpxzv4i5kfi3zwpwdjq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1345f21a54489d342367deff244634710e027677d73452dfa10e132ccf860137
RemcosRAT
40e0114651519e1e52d0cbbc3249f64287608430983c961ab957d2d211d00b98
RemcosRAT
57d30e4e1dacb16f24d5a20cd5b3eccc4a7d45903b27aae77402b612a51f8e5b
RemcosRAT
71c29304a2de3c58998e6c086e13b37dc9333b6003ceac0ff7275a11c5e8a6da
RemcosRAT
74725df0bbad7d1a41c4dc4660bd63a3ba816aa0aad76f6c16a828f017b2a0ed
RemcosRAT
75a7143599bc7154f6290dac048a9a9f75065b435080e44a3cdee74b87933439
RemcosRAT
83f2db1181db66925720fa42b738ae21d3735b78c9f24daf97a9424eca7e5caf
RemcosRAT
error
RemcosRAT
+ 2'371 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:udok discovery execution rat
Link:
https://tria.ge/reports/260605-kjydkscw7s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Badlisted process makes network request
Family: Remcos
Process spawned unexpected child process
Malware Config
C2 Extraction:
macat433.duckdns.org:48214
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/02fca8837852/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/02fca8837852c3cbb9774f065e44401971f68b48205f7cd788ea8a8de6cfb0d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments