MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17134855fb6c5c7d5357c6a3b87a3bff86c43501e3d6cdfc963204559b1e8d21. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 15

Intelligence 15 IOCs YARA 3 File information Comments

SHA256 hash:	17134855fb6c5c7d5357c6a3b87a3bff86c43501e3d6cdfc963204559b1e8d21
SHA3-384 hash:	5980f03e62ea287194d7e6718efeac45ebffc31ed2e2474c521c78c1d46e5b5ee2b9e5ef682c97704e374a45e905a059
SHA1 hash:	76bfcd75eb207903bc01937892f86abe41e6a2e9
MD5 hash:	fa1e01a7b0e427c055eeeed76d4dfc16
humanhash:	pip-island-king-tennis
File name:	17134855fb6c5c7d5357c6a3b87a3bff86c43501e3d6cdfc963204559b1e8d21
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'331'712 bytes
First seen:	2026-03-06 14:46:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'861 x AgentTesla, 19'793 x Formbook, 12'305 x SnakeKeylogger)
ssdeep	24576:5SDGxm5ElNTuyRyYTdhfcyLF/s5WYt+RbAj/AJusucy1xqN9CaguQlVict:5SDGxXlNT95NcyLS5WdAj/A+fosuWQc
TLSH	T13455121162AFDD22C6A9177350E2E63403B09E5AE013D72B1DEE2FE7BA567D61D84303
TrID	72.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.4% (.EXE) Win64 Executable (generic) (6522/11/2) 4.4% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
Reporter	adrian__luca
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/7f9d19f6-8377-4024-a47b-9b65aa3694e0/

Malware family:

remcos

ID:

File name:

17134855fb6c5c7d5357c6a3b87a3bff86c43501e3d6cdfc963204559b1e8d21

Verdict:

Malicious activity

Analysis date:

2026-03-06 15:08:59 UTC

Tags:

remcos rat auto-startup susp-lnk

Link:

https://app.any.run/tasks/2e32df33-f39c-47ff-81ad-0e9e5e66ec07

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/55964/

Detection(s):

Win.Packed.Msilzilla-10059476-0

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69aae908002d37d5c984be15

Tags:

injection autorun virus spawn

Verdict:

Malicious

Labled as:

PasswordStealer.Genie8DN.Generic

Link:

https://www.hybrid-analysis.com/sample/17134855fb6c5c7d5357c6a3b87a3bff86c43501e3d6cdfc963204559b1e8d21

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-02-12T23:54:00Z UTC

Last seen:

2026-02-13T10:39:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/17134855fb6c5c7d5357c6a3b87a3bff86c43501e3d6cdfc963204559b1e8d21/results?tab=lookup

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a4e6ca50-68e8-49d6-86bd-d6e8b9395e97

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/17134855fb6c5c7d5357c6a3b87a3bff86c43501e3d6cdfc963204559b1e8d21

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/17134855fb6c5c7d5357c6a3b87a3bff86c43501e3d6cdfc963204559b1e8d21/

Threat name:

Win32.Infostealer.Genie8DN

Status:

Malicious

First seen:

2026-02-13 05:48:47 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 36 (61.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=c4juqvp3nroh2u2xy2r3q6r376dminib4plm37ewgicflgy6ruqq._file

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos discovery rat

Link:

https://tria.ge/reports/260306-r5legaay2v/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Time Discovery

Drops file in Program Files directory

Drops file in Windows directory

SmartAssembly .NET packer

Suspicious use of SetThreadContext

Drops startup file

Remcos

Remcos family

Malware Config

C2 Extraction:

37.120.155.34:2469

Unpacked files

SH256 hash:

17134855fb6c5c7d5357c6a3b87a3bff86c43501e3d6cdfc963204559b1e8d21

MD5 hash:

fa1e01a7b0e427c055eeeed76d4dfc16

SHA1 hash:

76bfcd75eb207903bc01937892f86abe41e6a2e9

Link:

https://www.unpac.me/results/9ece3069-a5e2-4bed-a1c6-52069ff2bbe5/

SH256 hash:

48fa91de316a3b8b9b173548ff297a529e8045cfba133655cb8d7bf2517df628

MD5 hash:

54f2d8dcde429e9fa2c0cef39b6bb0e7

SHA1 hash:

1b0181a02d9f36613fdd5170d1b84a5a8358b2af

Link:

https://www.unpac.me/results/9ece3069-a5e2-4bed-a1c6-52069ff2bbe5/

SH256 hash:

b697f5bc215fc82f85842c32f2ff3ea82a983b479fda069ca443a534cc7b7167

MD5 hash:

22163fe98af1d905e5ac534d1144f9e6

SHA1 hash:

5178047d67c2bb384acd8e2f55749c8daefc99e8

Detections:

win_remcos_auto

win_remcos_w0

Remcos

malware_windows_remcos_rat

win_remcos_rat_unpacked

INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Link:

https://www.unpac.me/results/9ece3069-a5e2-4bed-a1c6-52069ff2bbe5/

Parent samples :

935472ec0746ee4c02fbf1e4306d8995955d1d8be8dd6ba19933928d3c4fa5a3
dc06752bce3e55d5122cc6588af713c966feb9133b2f3ae44d7086f7295a76c6
7cc6b476fa83fe157ece10867c61b37587d9d425e26bf26ef16b5f13d38f2c44
4e34822a9cccaf17a60bee19d98b6663bb1d81134a490d5812f4b399b40694bd
99562c4b1720a4d4289d7563e2b40e3910f8295587ab07d0b95cc81a91fe309b
e401c37dcfe4433d2b0fdbe449f905554b5449d397eb18e2c78cca0b10dc113b
f5a7610bff9baba9698bd70bc333f1741a2af5639037fd671bef5e67b5b74027
17134855fb6c5c7d5357c6a3b87a3bff86c43501e3d6cdfc963204559b1e8d21

SH256 hash:

bf8060d113b307a84083c2f858c089db95eac3e64ca5baee827fbe1855e2e7da

MD5 hash:

78885ac237cdc8aae6bd6d1d5711c9ae

SHA1 hash:

65532ceeb9f94021e7f622f9c20194121b6d7637

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

Link:

https://www.unpac.me/results/9ece3069-a5e2-4bed-a1c6-52069ff2bbe5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/17134855fb6c5c7d5357c6a3b87a3bff86c43501e3d6cdfc963204559b1e8d21

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/55964/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample