MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e973d2c24a1d459a9cf7a0b083293b5d6e057e81f190293205fe11844de03bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 22 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e973d2c24a1d459a9cf7a0b083293b5d6e057e81f190293205fe11844de03bf
SHA3-384 hash: cae9202c102c3e15151221691f29dd0219fec3857d53c0204d24278755095b76ca36a370f7cbf7776bb1a15bd864d098
SHA1 hash: e3b5a61a0d874417a61eec1afbae8c56688a296e
MD5 hash: 3402c87b5ccfc6f2994595c4b9b1d013
humanhash: magnesium-asparagus-california-nuts
File name:0e973d2c24a1d459a9cf7a0b083293b5d6e057e81f190293205fe11844de03bf
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'616'896 bytes
First seen:2025-03-10 11:40:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:lcQD1BxgVG0A/q8rlEbQqGQiRqdj7/2OS:9D150ApGbQRRwdOO
Threatray 4'620 similar samples on MalwareBazaar
TLSH T133755B987240B19FCC57CB32CA649C74AA607C76933B920F945729EEB95F697CF100E2
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 0307612c88000000 (65 x AgentTesla, 47 x RemcosRAT, 9 x MassLogger)
Reporter adrian__luca
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
285
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
0e973d2c24a1d459a9cf7a0b083293b5d6e057e81f190293205fe11844de03bf.exe
Verdict:
Malicious activity
Analysis date:
2025-03-10 11:49:16 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/9a36d52f-1908-4e7b-882d-baca495ffa18

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67ced1bb0d1b39e3a208af9a
Tags:
keylog shell word
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Setting a keyboard event handler
Connection attempt
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypt obfuscated obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/67cecfdf3c5f644bd94b1d8d/reports/87ac897d-00eb-4cf1-9ad7-8aa0daa1717e/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/0e973d2c24a1d459a9cf7a0b083293b5d6e057e81f190293205fe11844de03bf
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/47b1ada2-6d14-4f59-92c3-fa8d110ecb94
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1633574
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1633574 Sample: stVwE8JA1y.exe Startdate: 10/03/2025 Architecture: WINDOWS Score: 100 41 Suricata IDS alerts for network traffic 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 9 other signatures 2->47 7 stVwE8JA1y.exe 4 2->7         started        11 svchost.exe 1 1 2->11         started        process3 dnsIp4 27 C:\Users\user\AppData\...\stVwE8JA1y.exe.log, ASCII 7->27 dropped 49 Contains functionality to bypass UAC (CMSTPLUA) 7->49 51 Detected unpacking (changes PE section rights) 7->51 53 Detected unpacking (overwrites its own PE header) 7->53 55 6 other signatures 7->55 14 stVwE8JA1y.exe 4 2 7->14         started        19 powershell.exe 23 7->19         started        21 stVwE8JA1y.exe 7->21         started        31 127.0.0.1 unknown unknown 11->31 file5 signatures6 process7 dnsIp8 33 195.211.191.39, 1987, 49709, 49720 PITLINE-ASUA Ukraine 14->33 29 C:\ProgramData\remcos\logs.dat, data 14->29 dropped 35 Detected Remcos RAT 14->35 37 Installs a global keyboard hook 14->37 39 Loading BitLocker PowerShell Module 19->39 23 WmiPrvSE.exe 19->23         started        25 conhost.exe 19->25         started        file9 signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0e973d2c24a1d459a9cf7a0b083293b5d6e057e81f190293205fe11844de03bf
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0e973d2c24a1d459a9cf7a0b083293b5d6e057e81f190293205fe11844de03bf/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2025-02-24 16:35:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=b2lt2lbeuhkftkoppifqqmutwxloav7id4mqfezal7qrqrg6ao7q._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
remcos
Create hunting rule
Similar samples:
1d6a540ec5c26039979eb96d9c53b949694d5e95b7bedd7f941f49336c06534e
RemcosRAT
2e4a8adeb10758473cd1d42e9869ee03840016814c6cfc0465303b19afaca46f
RemcosRAT
78a5958d02189160abf7e588dada6295e444b6522a45b8f556878ff56058edbc
RemcosRAT
7feca68aa30931d5af1378f39e194f9e7076df3073402d6fa31a48b60836ae16
RemcosRAT
88d5346489cca6b4114b60889108d286c46144507e2011081e0c7080eeb18d03
RemcosRAT
ad4e305243eea4eb48308ce4bccd6b999ed93f9810a82236987187fda9e12de1
RemcosRAT
b2ad15205bc0385eacc9412fbc35639de0d5ecce1b045770cbcc584b41371c0d
RemcosRAT
ca763bc6524433635d6e783c01d6eaac6e7afcefab82124d0fd98715e1d982cc
RemcosRAT
d3626bd96d6a11668a6864a514fa77ebb3372a5f88069b4aba668b773e3d6946
RemcosRAT
e0ddedaa06761076b5647d0a26e2193602cd1136b71c130a0c06542f39464183
RemcosRAT
error
RemcosRAT
+ 4'610 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:noree discovery execution rat
Link:
https://tria.ge/reports/250310-nthyestshv/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Remcos
Remcos family
Malware Config
C2 Extraction:
195.211.191.39:1987
Verdict:
Malicious
Tags:
remcos
YARA:
n/a
Link:
https://app.threat.zone/submission/7816b5b1-a7d4-431c-8a01-136428ada892
Unpacked files
SH256 hash:
0e973d2c24a1d459a9cf7a0b083293b5d6e057e81f190293205fe11844de03bf
MD5 hash:
3402c87b5ccfc6f2994595c4b9b1d013
SHA1 hash:
e3b5a61a0d874417a61eec1afbae8c56688a296e
Link:
https://www.unpac.me/results/3a8a997e-11f0-48ab-8b09-c7170023c721/
SH256 hash:
e80a463e16b14b43e4112cb8f0cb0cf44ff245be592202042373a02b9ea4deb9
MD5 hash:
bbea1aafd0d7058f6f46c8ceff355f96
SHA1 hash:
14ca07073c0a943129823d6532358a55761a203f
Link:
https://www.unpac.me/results/3a8a997e-11f0-48ab-8b09-c7170023c721/
SH256 hash:
fe0daef84e86ff2d25b4285ca9bfc948dc7178b8caa4714d4bb75af598e6f989
MD5 hash:
38ee0fc0dad2c509e9ac8fc6cbf20bd6
SHA1 hash:
54e0a6110b49e87208d522fb43f4a0d62be7968d
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/3a8a997e-11f0-48ab-8b09-c7170023c721/
SH256 hash:
3ccc6bf16d3fa471cd937dd68a2c6499a1e8951464a3092b2c33b4e96b4051a5
MD5 hash:
16aa5ea5967f26c355ab09560af9328e
SHA1 hash:
9c86c0381fdb536ae47a71e07a163d0e0ae0a60d
Detections:
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
Remcos
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Link:
https://www.unpac.me/results/3a8a997e-11f0-48ab-8b09-c7170023c721/
Parent samples :
88d5346489cca6b4114b60889108d286c46144507e2011081e0c7080eeb18d03
d3626bd96d6a11668a6864a514fa77ebb3372a5f88069b4aba668b773e3d6946
0e973d2c24a1d459a9cf7a0b083293b5d6e057e81f190293205fe11844de03bf
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0e973d2c24a1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Remcos_unpacked_PulseIntel
Create hunting rule
Author:PulseIntel
Description:Remcos Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:win_remcos_rat_unpacked
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:win_remcos_w0
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:yarahub_win_remcos_rat_unpacked_aug_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_TRUST_INFORequires Elevated Execution (Unrestricted:true)high

Comments