MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1630e8b9995d554a7b791dfa929f77c659c48e0358008fb7eb66fe54d63d86b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 18

Intelligence 18 IOCs YARA 5 File information Comments

SHA256 hash:	1630e8b9995d554a7b791dfa929f77c659c48e0358008fb7eb66fe54d63d86b3
SHA3-384 hash:	1f924126965442e3a333340e4a511131a1cb7c721545d056971c88af96d0a8763441f95f7ec9440562a19f9473e3997a
SHA1 hash:	6fb358a0d33f51a5fde463649a2d334c96225e56
MD5 hash:	6cebc7622dc1c098ff31b53f024e3ad8
humanhash:	paris-happy-kentucky-wolfram
File name:	1630e8b9995d554a7b791dfa929f77c659c48e0358008fb7eb66fe54d63d86b3
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'125'376 bytes
First seen:	2025-04-11 06:22:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:poEIncdqKWNZtMI8yLA7RKSPDph7ZbCYUyA:gc2NIyyJPDp/JUyA
Threatray	4'228 similar samples on MalwareBazaar
TLSH	T12D35DFF06388C416D8AB56B99436D6B36673EE0D9C19C74E2DC5BE9B7C333460013A9B
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
dhash icon	6cecccccb4c2f2b2 (38 x AgentTesla, 30 x Formbook, 24 x PythonStealer)
Reporter	JAMESWT_WT
Tags:	154-39-0-198 exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

456

Origin country :

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

Payment_details_HSBC7412529828654.exe

Verdict:

Malicious activity

Analysis date:

2025-04-10 11:39:57 UTC

Tags:

remcos rat netreactor remote

Link:

https://app.any.run/tasks/e60245e2-bf56-440b-b8e9-a33a39cc3026

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/1791/

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67f7ae0cd6e7c3effaceea64

Tags:

remcos shell micro sage

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Restart of the analyzed sample

Creating a file

Creating a process from a recently created file

Running batch commands

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed packed packer_detected remcos vbnet

Link:

https://www.filescan.io/uploads/67f8b54d0eb02f7be13af1b3/reports/3b7eb7e2-8385-4fe8-a8a8-2c0babd66e73/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/1630e8b9995d554a7b791dfa929f77c659c48e0358008fb7eb66fe54d63d86b3

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/241579e3-b8d2-45db-8ded-a0007bb2036b

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.phis.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1662839

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Creates autostart registry keys to launch java

Delayed program exit found

Detected Remcos RAT

Exploit detected, runtime environment starts unknown processes

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Installs a global keyboard hook

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Remcos

Sigma detected: Scheduled temp file as task from temp location

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Processes Spawned by Java.EXE

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Suricata IDS alerts for network traffic

Suspicious execution chain found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Yara detected AntiVM3

Yara detected Remcos RAT

Yara detected WebBrowserPassView password recovery tool

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1630e8b9995d554a7b791dfa929f77c659c48e0358008fb7eb66fe54d63d86b3

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1630e8b9995d554a7b791dfa929f77c659c48e0358008fb7eb66fe54d63d86b3/

Threat name:

ByteCode-MSIL.Backdoor.Remcos

Status:

Malicious

First seen:

2025-04-09 03:23:02 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 36 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cyyoromzlvkuu63zdx5jfh3xyzm4jdqdlaai7n7lm37fjvr5q2zq._file

Verdict:

malicious

Label(s):

captiveaaloader

unc_loader_037

remcos

RemcosRAT

59558d5bc10450ec63904f60f61b13f2e2feba2160c02bdd50eba25cd1b3b355

RemcosRAT

b89219f349b4d70a5a2388c390fcff2aff6267dfec60887dafbcaf948ff96a56

RemcosRAT

d5eea8b6b2924e5f41d0562bd73b61267b99e3e7787d83d19ce5dd67f95feb85

RemcosRAT

dacf76612ec19aa3f80f070321abac8830e376981ccd5ec4eebd1ba017c6e462

RemcosRAT

error

RemcosRAT

+ 4'218 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:rclient001 collection discovery execution persistence rat spyware stealer

Link:

https://tria.ge/reports/250411-g5h91a1xdz/

Behaviour

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook accounts

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

Detected Nirsoft tools

NirSoft MailPassView

NirSoft WebBrowserPassView

Remcos

Remcos family

Malware Config

C2 Extraction:

154.39.0.198:2404

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/72121197-79ee-4ef5-a756-f3f38889a90d

Unpacked files

SH256 hash:

1630e8b9995d554a7b791dfa929f77c659c48e0358008fb7eb66fe54d63d86b3

MD5 hash:

6cebc7622dc1c098ff31b53f024e3ad8

SHA1 hash:

6fb358a0d33f51a5fde463649a2d334c96225e56

Link:

https://www.unpac.me/results/b03e4665-7e24-4f6f-974e-2567d761f6fb/

SH256 hash:

b981d7566ac2b8a9061188aceaff5733fab2e5db6972574973d67516802ede98

MD5 hash:

7e80681e963d487679af9115d8117b84

SHA1 hash:

136f566fbe0ddc2a4e9400c9e0538913f9ac0905

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/b03e4665-7e24-4f6f-974e-2567d761f6fb/

SH256 hash:

d1565b7e500f1d93873d3a5d622385a03278f79dbb35281ab4aea1896e2ac030

MD5 hash:

af69bcbcf5c38f9e1b050b199a8a0d3b

SHA1 hash:

7d5b9e7c687e091651b5aac0c0196e1ce82516c5

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/b03e4665-7e24-4f6f-974e-2567d761f6fb/

Parent samples :

2a70db0a80475b95076e3ac773bf31a512eac29e3bc6f2742146815dd209f5e9
804ca58e99fe47f33eb0ee7db9b0e4794dbe30c165f219bd85884f0f84ac7846
8a83249f26da9d22a6f3c1de677e98b4872368f013d21e87391417bf31da0b98
af33ab150d8a4076d522d235ff3b77508ec19e52b6ac17bdb6eccd842f6babc4
a6d1bf193f5a5f2f6f9e766dffb51b66122e96dc8d2b76c3674fe2968d32c811
41d7369f717e33a88918da397a21fdc2a1db9c76629b7d5c6be1786f8cee9d5a
a05882d8e179d3a1a3ac69ce4b81bc72ee80f026d921e2598a5eddefd803511b
1b9ddbe7a21e44c82dc78c8e8361baca31adea4d8a8e673536b249b46305860c
2c815316f091040c2f89bcbaae0464cd89a9bfd5225f917ac01fabb9136a3fd4
fc523562bc368e6ab9c0106a1f3d6e23c4104f120c65c65b9c9adb2ee57c63ca
fd4c4d051a2d6a69a40e1e8f2f4a1cbcd54a4f27fd7ab4843452c98611aad9c7
c7d5e01e287cfc5c4c967c1ec895659bf25a80fbe8266a87f083bc80ddc82cce
46b9ea7cdf572a0e0128450f141ab2c31922dbbea4b632401fe42d85ba21cbcd
88d63b81ce4d25ca852251449940416ac2a8c61f5cf4a452ab690d26dc372876
72be9fedc41813b76d9a0707925542a7919f9192ca9cdc8ef82b952dce22da4f
4ac15244ddd64dbbf277c8d20628a9593dc0df8feafd932a7746d1b99c2ba826
17445fc3b78c7a08d5c4bc4164d04f99a4906ca50fc7552c1420c9efbebfe215
ef31c771e1f44656fdc9e84c3745d8bef369879697c144110edac6b814878ee3
071ecee4bd6564ec46147d2cf3f94c230f6da364a7eca4305e2f69f56e8ac4e4
30d5fcd7da81bc0b8d77d5b3547a227bac06bc781990f528c0bd78d696235779
90c33f008fb667cf96ff92b14f8834e702e3f4444d195328c9be186e801e6823
4dce97ef955a132177e7043fc0d11e35c3e1d03f833b3b30951d7b2ce6db735e
094c46819bcd5e6fb0d7cc1415452e1ad1654da29a54685ecb8f92c751bb0822
d3b0e954250d481d37ce371255c6eb7deb4bb53c1784f2a7111487bb42f4ee5e
1ebc38bc1bd49c8564e94d2242c4deed0bd0d69c0086ab7cc2dc180c77a989ce
b4391a76a1e786d93c45cb78576609d9f75ce63d9253edac9c66ef921b5a7de6
909759c61b9cc4ea2307f313c5d944e3cc6c5210aabb7d53477262b725aa086e
15a7845256801920c72d8eb0b8be091fc8e6bc2461bf1cc53db2cf2b3c76b315
53fbed42c919ae2818899979a637b0d9d9b7df437ee239c2bc60945053b9ed07
82ebf6faf3f97b1fdc2508ef2fb4c22c5e39bd2572c95d358574d2bfe280aa3a
dbb10cc6fb3fc9fca393ff312d53af0d938aae2099e23dd69d1fb9ce6828f3b8
f8984264632a0aba48bcd90967988aa1d2c10f9381d00abc08456431ea46d208
e594f00895dd29d763379ee4aa87c6004e811385f71077959674c4ef636f5a2e
761766237d7a8d58a5cdf2aa5ccace247b724d033d3196bc441c6a9c31717561
b1e2b8b0806852aa586a0491fc91a832babfff3882eaed12a6b7d2e7b776d4c4
b259302d7ea5bfb1f2ad8f50e8de4df48d96021070ee77c5b7819583ec43f372
6bb21551577d98edc3a3c4db8d941258f86c89db185fa2095f54ad4944a62b87
0ca81feea4b45d3c004c6f98c4d092227dd5c0a32044f19956117f9ee4dbc749
0103b1c78fd2b588d3df5c688369fce8621e8c22d3207faaa1e8404c0ac860c9
f2392e04e5ffb9bcee95ce763a7686322a9abd7210af28ef3f653402515a6013
8357f957b093fda087166e77b0e6a59d8d0d2fde1002d0be9ce5f99db26d63bb
be4448d373ea201e390e0bb158bba4f3ceb111ff37cd586c770a3d0e887d5bf1
c36369fab2df20ecfe48904d1e740c361fbf72f7f06221cefcbb1586d696506a
f91c4c7fd22d1d1ad83e7b8984b7b317689c6c75b3dc5ad29292a72161ab2164
d00a21bc17cc36be9b55a6c36f6c51e3f8f5300bfcd80246cfaadc4d3b638a99
db54fbe35d83bb19deaf215649ce9c33974913b4a03fb0060f6afec3a33d1d42
2fa30c4928317befeb052607fb0181fbd4be52f5b2c37cbe4bdb42e743355449
b155dd58a04167ae2b542b3e84c60e2761bd66e7a96f66476d5568b84b801936
c7bdef6f72689a3279cfbd4a47882019055e0138cdb2ab229cdb96f9ed541196
1630e8b9995d554a7b791dfa929f77c659c48e0358008fb7eb66fe54d63d86b3
2bc972f3ec09f8d1bdc1b25a3fe57db9a08577117d3a0d0ce5e5282e976d9111
5506f23308b0b3dff288866ab0b560f2fe5d61f53f4730428ab145f5ee033f84
8734c94b5ebc9260065d6ac359500b8f17f290be6c74bb72b9c0cacccf9b7d63
dbbf0fd1d25e6411faddab4b2f689dcffd04ce06642e1319f9d6fb00a2c343ca
b8c36a5b681b071cc8c8a34fa1d1656b705dbe1f433706b386b78fd73ef6e884
bd786fd63a731d3b49654aa94045c0b9c11c5c7112636befa6ecee7ff91d4c51
99af728a80e56652b6622bc371fd9a6cc4702e2c5598918c42eee05681850d2b
a9d818bc38d2a84ff40e54a062a9fba01a0648300fb1a892432547bc5b85e158
9c50c6516f166d7975bfb56b0a41cffb52844eb63c1c9ef2fd3502305d075a96
ddbf042dcfbeef6cf190530ca077b62d1366ef54356d0ed63814e8b9b07ca8de
31699232fd5243c9ed94a774b8b36fe40211590ba9460d8eca4251c24618beb9
5d8ae2e91d0e7c2dfb51972bc8f825ed37a76ab49d70809a446bcf3dd9dc9759
c0834472538b4521860ce0d38b7fb302e06da7fb0f328d2ce1614b176b44f5f9
c90b2d72296b49c72b221773c6fcc65648e0f0aa7ffc62611681c9cd07e6bf32
84d88aa331513f6d7e41095e2187e4571dd08b9aedd52202dbb39fa1e9fd5565
ee38d1b102d49efb131e686f67a3499b35eb4e412ed8c9bd6a5fe8a22320b3d6
e1c7a0142096027135342d53d50e982ca0db4683cb578fa7528f7da6394397d6
59c68aa4d3b5e77347aa69a31f2592220359ff8f45c18bf9ef5ad047e072534d
3eab5d3870693e704bdf913c10eb1b7a2a9dfbc3e85c58d2e3685ccbb5a1114a
6714c82529a444b8ce3f8bfae085604f2618954394d7812e68f473ebfca78a26
a6595037149574b9ef6ac2be554fda95aef17dac424a214f8582031112a43f56
dd762de25b94a493d115906421412af660db77916a2a09baa40be5a9fcbf63d1
d5bd67edddb02aaf59ac0743bc2ad8fe235ee8b4cda045e2475193cb8ccca8ff

SH256 hash:

2181648874957f6cc668d640de2ab2a2adbb56d42165308e9db48b63ccd3b018

MD5 hash:

648e3b48aa38078abe70a7ef12f18c49

SHA1 hash:

f8373bb36d931b596c2cda86cbaa1fd4da8fad01

Detections:

win_remcos_w0

win_remcos_auto

Remcos

malware_windows_remcos_rat

win_remcos_rat_unpacked

INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer

Link:

https://www.unpac.me/results/b03e4665-7e24-4f6f-974e-2567d761f6fb/

Parent samples :

c7bdef6f72689a3279cfbd4a47882019055e0138cdb2ab229cdb96f9ed541196
1630e8b9995d554a7b791dfa929f77c659c48e0358008fb7eb66fe54d63d86b3

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1630e8b9995d554a7b791dfa929f77c659c48e0358008fb7eb66fe54d63d86b3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/1791/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample