MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1154c3527815ca9abc389ad84cf036d778fe9870c56265d03729752ce6e9a03d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 21

Intelligence 21 IOCs 1 YARA 27 File information Comments

SHA256 hash:	1154c3527815ca9abc389ad84cf036d778fe9870c56265d03729752ce6e9a03d
SHA3-384 hash:	88bd28f61ba689a488953e79b597f7bdbbdbc23628e54eaeef0b7d723f08dea9ad5ea5083f2237a65059ec34073027db
SHA1 hash:	551d7bc6c269354518dd84012fd7e1906e7248b6
MD5 hash:	47c5e3f9269c9ed69fe92eeecf6d3c19
humanhash:	utah-nine-london-stream
File name:	1154c3527815ca9abc389ad84cf036d778fe9870c5626.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'120'264 bytes
First seen:	2025-10-11 20:30:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:4u2k80oOdn6ReBjjkuFJ/WIT9VCV1hmNJwfMRQEtQaO:4hX0oOxAelkuvWIT9A/hmNMBNaO
Threatray	2'635 similar samples on MalwareBazaar
TLSH	T15D35F0457644C2D5DA080632E817EFF815666CCBD6BC949F2B99FE913AF2BD0C01E90E
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

RemcosRAT C2:
196.251.80.62:4651

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
196.251.80.62:4651	https://threatfox.abuse.ch/ioc/1612039/

Intelligence

File Origin

# of uploads :

# of downloads :

189

Origin country :

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

1154c3527815ca9abc389ad84cf036d778fe9870c56265d03729752ce6e9a03d.exe

Verdict:

Malicious activity

Analysis date:

2025-10-11 20:04:51 UTC

Tags:

rat remcos

Link:

https://app.any.run/tasks/9e96e983-727d-4237-b16a-78882f933417

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/32444/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68eab862777ae46bec41967b

Tags:

injection spawn shell lien

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Connection attempt

Sending a custom TCP request

Creating a file in the %temp% directory

Launching a process

DNS request

Reading critical registry keys

Launching a service

Sending an HTTP GET request

Stealing user critical data

Adding an exclusion to Microsoft Defender

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 config-extracted evasive expired-cert invalid-signature lolbin msbuild obfuscated obfuscated packed packed rat rat reconnaissance redcap regsvcs remcos remcos rezer0 roboski schtasks signed strictor vbc vbnet windows

Link:

https://www.filescan.io/uploads/68eabe8511e0595e203a2a94/reports/942cd2dc-76c9-40e0-bc92-a0761e9c9ac8/overview

Verdict:

Malicious

Labled as:

Strictor.Generic

Link:

https://www.hybrid-analysis.com/sample/1154c3527815ca9abc389ad84cf036d778fe9870c56265d03729752ce6e9a03d

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-10T07:27:00Z UTC

Last seen:

2025-10-12T04:28:00Z UTC

Hits:

~100

Detections:

Trojan.MSIL.Inject.sb VHO:Trojan-PSW.Win32.Greedy.gen Backdoor.Remcos.TCP.C&C Trojan-PSW.Win32.Stealer.sb Trojan-Dropper.Win32.Injector.qcik Trojan.MSIL.Crypt.sb HEUR:Backdoor.MSIL.Remcos.gen PDM:Trojan.Win32.Generic Trojan.MSIL.Taskun.sb not-a-virus:HEUR:PSWTool.Win32.PassView.c not-a-virus:HEUR:PSWTool.Win32.PassView.a not-a-virus:HEUR:PSWTool.Win32.PassView.b

Link:

https://opentip.kaspersky.com/1154c3527815ca9abc389ad84cf036d778fe9870c56265d03729752ce6e9a03d/results?tab=lookup

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2cff5b3e-9d9e-4fe1-9764-053a2123d86d

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1793399

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Contains functionality to bypass UAC (CMSTPLUA)

Contains functionality to determine the online IP of the system

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Detected Remcos RAT

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1154c3527815ca9abc389ad84cf036d778fe9870c56265d03729752ce6e9a03d

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.36 Win 32 Exe x86

Link:

https://app.malva.re/file/47c5e3f9269c9ed69fe92eeecf6d3c19

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1154c3527815ca9abc389ad84cf036d778fe9870c56265d03729752ce6e9a03d/

Verdict:

Malicious

Threat:

Family.REMCOS

Link:

https://tip.neiki.dev/file/1154c3527815ca9abc389ad84cf036d778fe9870c56265d03729752ce6e9a03d

Threat name:

Win32.Packed.Generic

Status:

Suspicious

First seen:

2025-10-09 20:15:52 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

1/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=cfkmgutycxfjvpbytlmez4bw254p5gdqyvrglubxff2szzxjua6q._file

Verdict:

malicious

Label(s):

nirsoft

admintool_mailpassview

remcos

unc_loader_037

RemcosRAT

1154c3527815ca9abc389ad84cf036d778fe9870c56265d03729752ce6e9a03d

RemcosRAT

28aab36bc389948b4a145e2087ab28fe8deda466ac7f7a2d9217b42bd0774caf

RemcosRAT

31ad3cdc1ccc501f7d7ac1d15c4092e834fe9dd9f62d26c076cd4bf86ceeb444

RemcosRAT

ab3b3296f0c1362788a03e256a24c7e6a38661c484cca9d281bf929521dd7c68

RemcosRAT

ad2a25116e5cfd8e2868ffc4cff90912987dc0e38fe51c73e759cd7a06b6a249

RemcosRAT

b54ff52b3729fd79f32b7ea4644a8d85380658ce987ac1eea45ca6f76cc6f8ab

RemcosRAT

error

RemcosRAT

+ 2'625 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost collection defense_evasion discovery execution rat spyware trojan

Link:

https://tria.ge/reports/251011-zalqrawzhs/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook accounts

Looks up external IP address via web service

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Detected Nirsoft tools

NirSoft MailPassView

NirSoft WebBrowserPassView

Remcos

Remcos family

Malware Config

C2 Extraction:

196.251.80.62:4651

Verdict:

Malicious

Tags:

Remcos

YARA:

n/a

Link:

https://app.threat.zone/submission/59a233c0-392f-42fc-ada8-5b044ad2f9dc

Unpacked files

SH256 hash:

1154c3527815ca9abc389ad84cf036d778fe9870c56265d03729752ce6e9a03d

MD5 hash:

47c5e3f9269c9ed69fe92eeecf6d3c19

SHA1 hash:

551d7bc6c269354518dd84012fd7e1906e7248b6

Link:

https://www.unpac.me/results/89a54800-5aa5-428e-b955-e77632453f0d/

SH256 hash:

2bc3f5dfe2393f615e61819602ab2287f17863535d9750cc973d60cdd54a91cb

MD5 hash:

3e6dd9b875a13d6b038112387b621019

SHA1 hash:

762c8065dbced997e3c87c29e52ed57abb039e1c

Detections:

win_remcos_w0

win_remcos_auto

Remcos

malware_windows_remcos_rat

win_remcos_rat_unpacked

INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Link:

https://www.unpac.me/results/89a54800-5aa5-428e-b955-e77632453f0d/

SH256 hash:

868f9844cd6f0ea25b1115f509044f21f71a787afe9b706eb44c11f4942cb563

MD5 hash:

55786c675054c44592975b5fa7f643fb

SHA1 hash:

851f36ec99a212528ee1d5070af0907aaa05c483

Link:

https://www.unpac.me/results/89a54800-5aa5-428e-b955-e77632453f0d/

SH256 hash:

ac8ba96b718981b7f5483804287d1fc738c3ff233af72a12b68769e8972e31eb

MD5 hash:

44a4f5706b392e8706290a25a900f8c3

SHA1 hash:

d14114da1c02bd531306b2007c0d31344fe68243

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/89a54800-5aa5-428e-b955-e77632453f0d/

Malware family:

WebBrowserPassView

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1154c3527815/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1154c3527815ca9abc389ad84cf036d778fe9870c56265d03729752ce6e9a03d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_EXE_Packed_MPress Create hunting rule
Author:	ditekSHen
Description:	Detects executables built or packed with MPress PE compressor

Rule name:	INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM Create hunting rule
Author:	ditekSHen
Description:	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	Remcos_unpacked_PulseIntel Create hunting rule
Author:	PulseIntel
Description:	Remcos Payload

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	TeslaCryptPackedMalware Create hunting rule

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Windows_Trojan_Remcos_b296e965 Create hunting rule
Author:	Elastic Security
Reference:	https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

Rule name:	win_remcos_rat_unpacked Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects strings present in remcos rat Samples.

Rule name:	win_remcos_w0 Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects strings present in remcos rat Samples.

Rule name:	yarahub_win_remcos_rat_unpacked_aug_2023 Create hunting rule
Author:	Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/32444/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample