MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 0e25b5299c3df59e05d296b1478d43094d5d81e1a5b8706fd355b36388244326. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
RemcosRAT
Vendor detections: 17
| SHA256 hash: | 0e25b5299c3df59e05d296b1478d43094d5d81e1a5b8706fd355b36388244326 |
|---|---|
| SHA3-384 hash: | f947c694fa12736f170dbef427341fbac03c9c222d3e07caac6e8c417de7723d95c388f78f8e6839ce7df15d587f4593 |
| SHA1 hash: | 95971cc0caf853f0e4750cdaff5874b4adc2a4a3 |
| MD5 hash: | 850d9e8271dcae3b78c922aeddd9f743 |
| humanhash: | louisiana-kentucky-king-november |
| File name: | Documento_digitaL.SCR |
| Download: | download sample |
| Signature | RemcosRAT |
| File size: | 1'450'497 bytes |
| First seen: | 2023-07-08 09:09:25 UTC |
| Last seen: | 2025-06-12 08:38:48 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat) |
| ssdeep | 24576:9VgmnudJ41JhQ0IM6AYsLKBL/7DciY5tTb2p0UdEWVnK:9VSr4+M63ci6b2pxI |
| TLSH | T182651241BAC258B1E5B21E7109396660593B7D240F78C94F23DC3E2FB7B36816A31B67 |
| TrID | 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 3.6% (.EXE) Win64 Executable (generic) (10523/12/4) 1.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.5% (.EXE) Win32 Executable (generic) (4505/5/1) 0.6% (.EXE) OS/2 Executable (generic) (2029/13) |
| File icon (PE): |  |
| dhash icon | 68d8d8c8d9a9c1d9 (96 x SnakeKeylogger, 67 x RemcosRAT, 66 x Formbook) |
| Reporter |  JAMESWT_WT |
| Tags: | APT-C-36 BlindEagle exe RemcosRAT |
Intelligence
File Origin
# of uploads :
2
# of downloads :
304
Origin country :
ITVendor Threat Intelligence
Malware family:
remcos
ID:
1
File name:
https://notificacionesjuridicasonline.otcy.com/
Verdict:
Malicious activity
Analysis date:
2023-07-06 06:09:48 UTC
Tags:
rat remcos
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Creating a file
Setting a keyboard event handler
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family:
n/a
Score:
6/10
Tags:
n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
greyware lolbin masquerade overlay packed remcos replace setupapi shdocvw shell32
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Verdict:
Malicious
Detection:
remcos
Threat name:
Win32.Trojan.Remcos
Status:
Malicious
First seen:
2023-07-06 17:52:34 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
21 of 38 (55.26%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
remcos
Result
Malware family:
remcos
Score:
10/10
Tags:
family:remcos botnet:matarifejulio5 persistence rat
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Remcos
Malware Config
C2 Extraction:
matarife.duckdns.org:2798
Unpacked files
SH256 hash:
8478f4c6273835d025a96e7693d53dc069fe8caca0427255f79df8bbc75aabcb
MD5 hash:
d724615a0d9758f6d445626ce8b06171
SHA1 hash:
0dc02fba78101783b015d55ab876606eae1f0431
Detections:
XWorm
XWorm
XWorm
XWorm
XWorm
SH256 hash:
fae0c0c3868fcc0a32876b8a872b8957bf34c3addc28deb792eadf65441e4766
MD5 hash:
efe99cdbc15cac9a854f8ba2081cd6d3
SHA1 hash:
a73119e09237c7a886700c92371cd40f1fa7d5c0
Detections:
Remcos
win_remcos_auto
Remcos
win_remcos_auto
Remcos
win_remcos_auto
Remcos
win_remcos_auto
Remcos
win_remcos_auto
SH256 hash:
198a65f6a3f780f1a022f030629e8561c31cc555a113f570a566d40d1ee56a05
MD5 hash:
9b3a1b5d3ffe9fb9db6c5aaefa1ae076
SHA1 hash:
0da05e4c72430da0d061a02cd6cf50c41e6bd83a
SH256 hash:
a48d384686aac5421324ef96e81afbfa797fdb45a696d8ece51b2b0ef0bee12e
MD5 hash:
c1bed472a644009ecc926ae1a962a575
SHA1 hash:
0b2daaedad67f44c7c91e5b5d8dd4887ca0a141b
SH256 hash:
51e46ab5623646e8fea7fd1b13348f0adc510a0712e7b1b506d3117d6b066c19
MD5 hash:
f0ee9b49497460c19c470e2ba4a9db70
SHA1 hash:
4dcc8dd8b1f54fa6f0d7af9438b403fbf84f8b37
SH256 hash:
8478f4c6273835d025a96e7693d53dc069fe8caca0427255f79df8bbc75aabcb
MD5 hash:
d724615a0d9758f6d445626ce8b06171
SHA1 hash:
0dc02fba78101783b015d55ab876606eae1f0431
Detections:
XWorm
XWorm
XWorm
XWorm
XWorm
SH256 hash:
fae0c0c3868fcc0a32876b8a872b8957bf34c3addc28deb792eadf65441e4766
MD5 hash:
efe99cdbc15cac9a854f8ba2081cd6d3
SHA1 hash:
a73119e09237c7a886700c92371cd40f1fa7d5c0
Detections:
Remcos
win_remcos_auto
Remcos
win_remcos_auto
Remcos
win_remcos_auto
Remcos
win_remcos_auto
Remcos
win_remcos_auto
SH256 hash:
198a65f6a3f780f1a022f030629e8561c31cc555a113f570a566d40d1ee56a05
MD5 hash:
9b3a1b5d3ffe9fb9db6c5aaefa1ae076
SHA1 hash:
0da05e4c72430da0d061a02cd6cf50c41e6bd83a
SH256 hash:
8478f4c6273835d025a96e7693d53dc069fe8caca0427255f79df8bbc75aabcb
MD5 hash:
d724615a0d9758f6d445626ce8b06171
SHA1 hash:
0dc02fba78101783b015d55ab876606eae1f0431
Detections:
XWorm
XWorm
XWorm
XWorm
XWorm
SH256 hash:
a48d384686aac5421324ef96e81afbfa797fdb45a696d8ece51b2b0ef0bee12e
MD5 hash:
c1bed472a644009ecc926ae1a962a575
SHA1 hash:
0b2daaedad67f44c7c91e5b5d8dd4887ca0a141b
SH256 hash:
fae0c0c3868fcc0a32876b8a872b8957bf34c3addc28deb792eadf65441e4766
MD5 hash:
efe99cdbc15cac9a854f8ba2081cd6d3
SHA1 hash:
a73119e09237c7a886700c92371cd40f1fa7d5c0
Detections:
Remcos
win_remcos_auto
Remcos
win_remcos_auto
Remcos
win_remcos_auto
Remcos
win_remcos_auto
Remcos
win_remcos_auto
SH256 hash:
51e46ab5623646e8fea7fd1b13348f0adc510a0712e7b1b506d3117d6b066c19
MD5 hash:
f0ee9b49497460c19c470e2ba4a9db70
SHA1 hash:
4dcc8dd8b1f54fa6f0d7af9438b403fbf84f8b37
SH256 hash:
198a65f6a3f780f1a022f030629e8561c31cc555a113f570a566d40d1ee56a05
MD5 hash:
9b3a1b5d3ffe9fb9db6c5aaefa1ae076
SHA1 hash:
0da05e4c72430da0d061a02cd6cf50c41e6bd83a
SH256 hash:
a48d384686aac5421324ef96e81afbfa797fdb45a696d8ece51b2b0ef0bee12e
MD5 hash:
c1bed472a644009ecc926ae1a962a575
SHA1 hash:
0b2daaedad67f44c7c91e5b5d8dd4887ca0a141b
SH256 hash:
51e46ab5623646e8fea7fd1b13348f0adc510a0712e7b1b506d3117d6b066c19
MD5 hash:
f0ee9b49497460c19c470e2ba4a9db70
SHA1 hash:
4dcc8dd8b1f54fa6f0d7af9438b403fbf84f8b37
SH256 hash:
8478f4c6273835d025a96e7693d53dc069fe8caca0427255f79df8bbc75aabcb
MD5 hash:
d724615a0d9758f6d445626ce8b06171
SHA1 hash:
0dc02fba78101783b015d55ab876606eae1f0431
Detections:
XWorm
XWorm
XWorm
XWorm
XWorm
SH256 hash:
fae0c0c3868fcc0a32876b8a872b8957bf34c3addc28deb792eadf65441e4766
MD5 hash:
efe99cdbc15cac9a854f8ba2081cd6d3
SHA1 hash:
a73119e09237c7a886700c92371cd40f1fa7d5c0
Detections:
Remcos
win_remcos_auto
Remcos
win_remcos_auto
Remcos
win_remcos_auto
Remcos
win_remcos_auto
Remcos
win_remcos_auto
SH256 hash:
198a65f6a3f780f1a022f030629e8561c31cc555a113f570a566d40d1ee56a05
MD5 hash:
9b3a1b5d3ffe9fb9db6c5aaefa1ae076
SHA1 hash:
0da05e4c72430da0d061a02cd6cf50c41e6bd83a
SH256 hash:
a48d384686aac5421324ef96e81afbfa797fdb45a696d8ece51b2b0ef0bee12e
MD5 hash:
c1bed472a644009ecc926ae1a962a575
SHA1 hash:
0b2daaedad67f44c7c91e5b5d8dd4887ca0a141b
SH256 hash:
51e46ab5623646e8fea7fd1b13348f0adc510a0712e7b1b506d3117d6b066c19
MD5 hash:
f0ee9b49497460c19c470e2ba4a9db70
SHA1 hash:
4dcc8dd8b1f54fa6f0d7af9438b403fbf84f8b37
SH256 hash:
8478f4c6273835d025a96e7693d53dc069fe8caca0427255f79df8bbc75aabcb
MD5 hash:
d724615a0d9758f6d445626ce8b06171
SHA1 hash:
0dc02fba78101783b015d55ab876606eae1f0431
Detections:
XWorm
XWorm
XWorm
XWorm
XWorm
SH256 hash:
fae0c0c3868fcc0a32876b8a872b8957bf34c3addc28deb792eadf65441e4766
MD5 hash:
efe99cdbc15cac9a854f8ba2081cd6d3
SHA1 hash:
a73119e09237c7a886700c92371cd40f1fa7d5c0
Detections:
Remcos
win_remcos_auto
Remcos
win_remcos_auto
Remcos
win_remcos_auto
Remcos
win_remcos_auto
Remcos
win_remcos_auto
SH256 hash:
198a65f6a3f780f1a022f030629e8561c31cc555a113f570a566d40d1ee56a05
MD5 hash:
9b3a1b5d3ffe9fb9db6c5aaefa1ae076
SHA1 hash:
0da05e4c72430da0d061a02cd6cf50c41e6bd83a
SH256 hash:
a48d384686aac5421324ef96e81afbfa797fdb45a696d8ece51b2b0ef0bee12e
MD5 hash:
c1bed472a644009ecc926ae1a962a575
SHA1 hash:
0b2daaedad67f44c7c91e5b5d8dd4887ca0a141b
SH256 hash:
51e46ab5623646e8fea7fd1b13348f0adc510a0712e7b1b506d3117d6b066c19
MD5 hash:
f0ee9b49497460c19c470e2ba4a9db70
SHA1 hash:
4dcc8dd8b1f54fa6f0d7af9438b403fbf84f8b37
SH256 hash:
0e25b5299c3df59e05d296b1478d43094d5d81e1a5b8706fd355b36388244326
MD5 hash:
850d9e8271dcae3b78c922aeddd9f743
SHA1 hash:
95971cc0caf853f0e4750cdaff5874b4adc2a4a3
Malware family:
Remcos
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | iexplorer_remcos |
|---|---|
| Author: | iam-py-test |
| Description: | Detect iexplorer being taken over by Remcos |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA |
|---|---|
| Author: | ditekSHen |
| Description: | Detects Windows executables referencing non-Windows User-Agents |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM |
|---|---|
| Author: | ditekSHen |
| Description: | Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
| Rule name: | MALWARE_Win_AsyncRAT |
|---|---|
| Author: | ditekSHen |
| Description: | Detects AsyncRAT |
| Rule name: | pe_imphash |
|---|
| Rule name: | Remcos |
|---|---|
| Author: | kevoreilly |
| Description: | Remcos Payload |
| Rule name: | REMCOS_RAT_variants |
|---|
| Rule name: | SelfExtractingRAR |
|---|---|
| Author: | Xavier Mertens |
| Description: | Detects an SFX archive with automatic script execution |
| Rule name: | sfx_pdb_winrar_restrict |
|---|---|
| Author: | @razvialex |
| Description: | Detect interesting files containing sfx with pdb paths. |
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
| Rule name: | Windows_Trojan_Remcos_b296e965 |
|---|---|
| Author: | Elastic Security |
| Rule name: | win_remcos_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | Detects win.remcos. |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.