MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15f59282ba4232125d82540bcaf82e77047b209ca34c092c84061cd43e835ace. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 15f59282ba4232125d82540bcaf82e77047b209ca34c092c84061cd43e835ace
SHA3-384 hash: 30fd4ea4a0c6206b1e534fd6e926dba8e249f4819e90a8d5e9f2eccecf49efa2180133a022bc6f154c72dcf6706fe845
SHA1 hash: 86f01a4c55b1b535986ed49f3fd2eeb414d50d05
MD5 hash: 8d35e387ee20f70c3ebf7798bec89434
humanhash: cola-venus-arkansas-india
File name:15f59282ba4232125d82540bcaf82e77047b209ca34c092c84061cd43e835ace
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:425'784 bytes
First seen:2025-12-08 15:28:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9dda1a1d1f8a1d13ae0297b47046b26e (65 x Formbook, 45 x GuLoader, 28 x RemcosRAT)
ssdeep 12288:znPdGP2+KaSJ+ihmWDWZxBaps/OHMYTWmTB5Lwd:rPdGP2HJSWUvLGWCjUd
TLSH T187942301B3A48D6FE8764E708EBF14F75EFABEA50210D3278310A70E36719519D4BB69
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter adrian__luca
Tags:exe RemcosRAT signed

Code Signing Certificate

Organisation:Frugtstand
Issuer:Frugtstand
Algorithm:sha256WithRSAEncryption
Valid from:2025-10-28T07:12:37Z
Valid to:2026-10-28T07:12:37Z
Serial number: 103a8ef433b132c2206025d7ed0c0d1e7d87e176
Thumbprint Algorithm:SHA256
Thumbprint: 598f254ae37792fecde2494ff67ce760c28d435120db7c6c5ca02d99050de287
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
GuLoader NSIS
Details
GuLoader
a c2 URL, a useragent string, and a string XOR key
GuLoader
an XOR decryption key and an extracted component
NSIS
extracted archive contents
Link:
https://research.acce.ciphertechsolutions.com/results/a29a9c2e-bc21-4a61-a111-9156b36ff02b/
Malware family:
remcos
Create hunting rule
ID:
1
File name:
15f59282ba4232125d82540bcaf82e77047b209ca34c092c84061cd43e835ace
Verdict:
Malicious activity
Analysis date:
2025-12-08 14:17:23 UTC
Tags:
remcos rat remote
Link:
https://app.any.run/tasks/dcacbe8f-0bcf-4bd8-8622-4fb2a933fe11

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/43517/
Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6936ef3edb58e1a2c22b9359
Tags:
injection remcos virus blic
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Searching for the window
Creating a file
Delayed reading of the file
DNS request
Connection attempt
Unauthorized injection to a recently created process
Restart of the analyzed sample
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/15f59282ba4232125d82540bcaf82e77047b209ca34c092c84061cd43e835ace
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-20T19:50:00Z UTC
Last seen:
2025-12-09T23:46:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/15f59282ba4232125d82540bcaf82e77047b209ca34c092c84061cd43e835ace/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/0a848b96-c1a0-4045-85f7-b4b8f68260ac
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/15f59282ba4232125d82540bcaf82e77047b209ca34c092c84061cd43e835ace
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/8d35e387ee20f70c3ebf7798bec89434
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/15f59282ba4232125d82540bcaf82e77047b209ca34c092c84061cd43e835ace/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2025-11-20 20:40:03 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
17 of 36 (47.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cx2zfav2iizbexmckqf4v6boo4chwie4ungasleeayonipudllha._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
error
RemcosRAT
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos botnet:remotehost collection discovery downloader persistence rat
Link:
https://tria.ge/reports/251208-sw34laxndz/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detected Nirsoft tools
NirSoft MailPassView
Guloader family
Guloader,Cloudeye
Remcos
Remcos family
Malware Config
C2 Extraction:
176.117.107.13:2404
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3ff3ff80-ce9e-4624-8d9f-39d1f2d3e4d2
Unpacked files
SH256 hash:
15f59282ba4232125d82540bcaf82e77047b209ca34c092c84061cd43e835ace
MD5 hash:
8d35e387ee20f70c3ebf7798bec89434
SHA1 hash:
86f01a4c55b1b535986ed49f3fd2eeb414d50d05
Link:
https://www.unpac.me/results/1bb38fc8-9d7c-4a9a-ae9e-7b15a46b494a/
SH256 hash:
4b7d17da290f41ebe244827cc295ce7e580da2f7e9f7cc3efc1abc6898e3c9ed
MD5 hash:
1d8f01a83ddd259bc339902c1d33c8f1
SHA1 hash:
9f7806af462c94c39e2ec6cc9c7ad05c44eba04e
Link:
https://www.unpac.me/results/1bb38fc8-9d7c-4a9a-ae9e-7b15a46b494a/
SH256 hash:
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
MD5 hash:
4add245d4ba34b04f213409bfe504c07
SHA1 hash:
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
Link:
https://www.unpac.me/results/1bb38fc8-9d7c-4a9a-ae9e-7b15a46b494a/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/15f59282ba42/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/15f59282ba4232125d82540bcaf82e77047b209ca34c092c84061cd43e835ace

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/43517/

Comments