MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 038da33f8a4482e112b68cd8eb315e10e8a0117a0194b881669c40a41ae0cbc5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 038da33f8a4482e112b68cd8eb315e10e8a0117a0194b881669c40a41ae0cbc5
SHA3-384 hash: 940ff49eee6e805bf6f93278c1cbca78ad97f0a6130f9d890c9f8175c6af17cf1b7efbc63ba000301ccf7341bbc286ae
SHA1 hash: e15037c7cf6a10a2204c4d267bb8a2cd307461f2
MD5 hash: b215bfeff0ec221658b8d3f20e9ffe73
humanhash: salami-indigo-mobile-vegan
File name:038da33f8a4482e112b68cd8eb315e10e8a0117a0194b881669c40a41ae0cbc5
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:580'120 bytes
First seen:2025-12-08 14:42:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 46ce5c12b293febbeb513b196aa7f843 (35 x GuLoader, 21 x RemcosRAT, 5 x VIPKeylogger)
ssdeep 12288:hX4j6f40DcylpOb/sbIQdk1d5pJQFh0ZumYX41oSsl8d8OmdoI:h4oD3lcT2k1dzG0ZPNqSmqSoI
Threatray 2'426 similar samples on MalwareBazaar
TLSH T12EC4F1303514F469DA1FA13D0B2DF22E9BB9FCE4270781576B50BE6E797A183880B8D5
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 3068d0d8cce46431 (3 x RemcosRAT, 2 x GuLoader)
Reporter adrian__luca
Tags:exe RemcosRAT signed

Code Signing Certificate

Organisation:hacklers
Issuer:hacklers
Algorithm:sha256WithRSAEncryption
Valid from:2025-09-26T08:55:17Z
Valid to:2026-09-26T08:55:17Z
Serial number: 36c776a8c8ea6db7584aea9d46dc9c7401e4fc3f
Thumbprint Algorithm:SHA256
Thumbprint: c5d526aee9ffdfcf5371aa334e815a36072792630bf7e958a012179806a0565e
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
HU HU
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/c64a292d-abdb-4e2e-9922-106436a7e7d8/
Malware family:
remcos
Create hunting rule
ID:
1
File name:
038da33f8a4482e112b68cd8eb315e10e8a0117a0194b881669c40a41ae0cbc5
Verdict:
Malicious activity
Analysis date:
2025-12-08 16:20:34 UTC
Tags:
auto-reg rat remcos remote stealer guloader
Link:
https://app.any.run/tasks/2a53220b-3ad3-4753-9f75-2badc49cf0f7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/43125/
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6936e3e7db58e1a2c22b839c
Tags:
injection obfusc virus
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/038da33f8a4482e112b68cd8eb315e10e8a0117a0194b881669c40a41ae0cbc5
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-11T14:59:00Z UTC
Last seen:
2025-12-10T12:21:00Z UTC
Hits:
~10000
Link:
https://opentip.kaspersky.com/038da33f8a4482e112b68cd8eb315e10e8a0117a0194b881669c40a41ae0cbc5/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/b9f95bea-9c83-4967-994b-4771135154b2
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/038da33f8a4482e112b68cd8eb315e10e8a0117a0194b881669c40a41ae0cbc5
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/b215bfeff0ec221658b8d3f20e9ffe73
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/038da33f8a4482e112b68cd8eb315e10e8a0117a0194b881669c40a41ae0cbc5/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2025-11-11 23:59:03 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
21 of 36 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aog2gp4kisbocevwrtmowmk6cdukael2agklralgtrakigxazpcq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0140edbd4ebb2e1d24804f6c9891e2309829ecf28ed86b4a038b63cdcb641d0d
RemcosRAT
545812664008d0b35cf61c15c79526b1d5d05aef886a3f85c9056570fbf13933
RemcosRAT
b4974c7f703bc826a655d542c19dcf0e61c9e8c64b2ff7a2f981fdae8adac615
RemcosRAT
bf146e17295c2110de80689f5fcb8252abdab5f6c26fee30e843300ffea63276
RemcosRAT
ec40add0f6f93d1ed5cc9a72fde905d55f17f394525fae57eb514a935a202660
RemcosRAT
error
RemcosRAT
+ 2'416 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos collection discovery downloader persistence rat
Link:
https://tria.ge/reports/251208-r299esdj7w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detected Nirsoft tools
NirSoft MailPassView
Guloader family
Guloader,Cloudeye
Remcos
Remcos family
Malware Config
C2 Extraction:
107.172.235.204:6000
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/76ff1e7b-b9e2-43b2-9721-7893f1c8b45d
Unpacked files
SH256 hash:
8b4c47c4cf5e76ec57dd5a050d5acd832a0d532ee875d7b44f6cdaf68f90d37c
MD5 hash:
9b38a1b07a0ebc5c7e59e63346ecc2db
SHA1 hash:
97332a2ffcf12a3e3f27e7c05213b5d7faa13735
Link:
https://www.unpac.me/results/8b4b1a05-9db3-4767-b3e9-6cffdcb75476/
SH256 hash:
b1350f487692057c8ffde75dcc55287a52a3272240d4d4912f24464b27551fc0
MD5 hash:
8f0e7415f33843431df308bb8e06af81
SHA1 hash:
1314272e6ad3be1985d4a1607b890a34b0bde8b5
Link:
https://www.unpac.me/results/8b4b1a05-9db3-4767-b3e9-6cffdcb75476/
SH256 hash:
038da33f8a4482e112b68cd8eb315e10e8a0117a0194b881669c40a41ae0cbc5
MD5 hash:
b215bfeff0ec221658b8d3f20e9ffe73
SHA1 hash:
e15037c7cf6a10a2204c4d267bb8a2cd307461f2
Link:
https://www.unpac.me/results/8b4b1a05-9db3-4767-b3e9-6cffdcb75476/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/038da33f8a44/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/038da33f8a4482e112b68cd8eb315e10e8a0117a0194b881669c40a41ae0cbc5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/43125/

Comments