MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a4118fe4308cbb2db46ba76de82d70345b00cd3ec93167056fc572e8d4c4f64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RemcosRAT

Vendor detections: 15



SHA256 hash: 0a4118fe4308cbb2db46ba76de82d70345b00cd3ec93167056fc572e8d4c4f64
SHA3-384 hash: 0316fd1795d66bce23e50542ba91a9dd1dd5df10f90e9211aed659d1ece592fe4da621b5f255b22337afcce8aa57e8e8
SHA1 hash: 02ea8b0bded4e1ea160d7c8ac767499886eafefc
MD5 hash: 940644c823ea0ef593f724cf35b7b960
humanhash: november-tango-diet-echo
File name: Banco Santander_Cópia de Pagamento.pdf.vba
Signature: RemcosRAT
File size: 8'432 bytes
First seen: 2026-03-31 17:41:24 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/x-msdos-batch
ssdeep: 192:NBeUcyimtOOvXcai5pwz2M9nQSls0O36Fp8bKX0Qq5HZp8bxO5X0QqUls0ZpnQFc:X2u4xZskB
Threatray: 2'225 similar samples on MalwareBazaar
TLSH: T19D02296C4FC3B2CF6136B3EAA1B60590DBAD803F2539F5A5D721F5384891DCD92290E8
Magika: batch
Reporter: BastianHein
Tags: bat RemcosRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 55
Origin country: CL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: BancoSantander_CopiadePagamento.pdf.bat
Verdict: Malicious activity
Analysis date: 2026-03-31 09:42:10 UTC
Tags: loader autoit rat remcos

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 95.7%
Tags: obfuscated shell sage
Result
Verdict: Malware
Maliciousness:

Behaviour
Launching a process
Creating synchronization primitives
DNS request
Creating a file in the %temp% subdirectories
Creating a process with a hidden window
Creating a file
Creating a process from a recently created file
Creating a window
Reading critical registry keys
Launching a service
Changing a file
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: base64 encrypted masquerade obfuscated obfuscated powershell
Verdict: Malicious
File Type: unix shell
First seen: 2026-03-31T05:28:00Z UTC
Last seen: 2026-04-02T15:24:00Z UTC
Hits: ~1000
Detections: HEUR:Trojan.BAT.Generic
Threat name: Win32.Trojan.Egairtigado
Status: Malicious
First seen: 2026-03-31 09:42:18 UTC
File Type: Text (Batch)
AV detection: 9 of 24 (37.50%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:remotehost collection discovery rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Executes dropped EXE
Badlisted process makes network request
Detected Nirsoft tools
Remcos
Remcos family
Malware Config
C2 Extraction: 178.16.53.54:8972
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments