MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1981e12873bf244b386e58f51e1281f627b82b1a5d9189d766c7627aa586fbad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1981e12873bf244b386e58f51e1281f627b82b1a5d9189d766c7627aa586fbad
SHA3-384 hash: 5039247a9e433960277e2e7853366d67f2681ddc0f81346f066d2027213bece64007a4792e548af1f22ab5893799f289
SHA1 hash: c17b28621a11a30a87844ba6fb33107ccddb8fa0
MD5 hash: 05f381b8afda13358911f753f44afef7
humanhash: west-magnesium-eighteen-social
File name:Fore.ps1
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:3'316'792 bytes
First seen:2025-10-22 12:43:24 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 24576:VWHFXu1Yhmf3ZCCYQWZVbemdT835MgTI3/JS13ZJi2CdG47v1gRvyYkNoeb9w/8K:Z
Threatray 1'634 similar samples on MalwareBazaar
TLSH T181E5BFB876047DE6266F576FDA96ADDC03B626239ACBA4CC4064B7C305A3375FE02C05
Magika powershell
Reporter abuse_ch
Tags:ps1 RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
SE SE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f8d1803edd081eba40ba7a
Tags:
ransomware vmdetect dropper spawn
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm aspnet_compiler base64 evasive krypt lolbin obfuscated reconnaissance
Link:
https://www.filescan.io/uploads/68f8d17a3a79800405f0eb9c/reports/842327c8-93b1-4dad-83ed-5b591a03600c/overview
Verdict:
Suspicious
Labled as:
PowerShell/Agent.DKT trojan
Link:
https://www.hybrid-analysis.com/sample/1981e12873bf244b386e58f51e1281f627b82b1a5d9189d766c7627aa586fbad
Verdict:
Malicious
File Type:
ps1
First seen:
2025-10-22T09:35:00Z UTC
Last seen:
2025-10-24T09:36:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.InjectorNetT.s Trojan.PowerShell.Agent.sb PDM:Trojan.Win32.Generic Trojan.PowerShell.Obfuscated.r
Link:
https://opentip.kaspersky.com/1981e12873bf244b386e58f51e1281f627b82b1a5d9189d766c7627aa586fbad/results?tab=lookup
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1799796
Signature
AI detected malicious Powershell script
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Writes to foreign memory regions
Yara detected Powershell decode and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Score:
97%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/1981e12873bf244b386e58f51e1281f627b82b1a5d9189d766c7627aa586fbad
Verdict:
inconclusive
YARA:
1 match(es)
Tags:
PowerShell
Link:
https://app.malva.re/file/05f381b8afda13358911f753f44afef7
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1981e12873bf244b386e58f51e1281f627b82b1a5d9189d766c7627aa586fbad/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/1981e12873bf244b386e58f51e1281f627b82b1a5d9189d766c7627aa586fbad
Threat name:
Script-BAT.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2025-10-22 12:44:38 UTC
File Type:
Text (PowerShell)
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dga6ckdtx4sewodold2r4eub6yt3qky2lwiytv3gy5rhvjmg7owq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
2c3f31c3ee37440e580e755960537e13511027a95e9539da15c3984a8a20be9f
RemcosRAT
36e0589d6c7fe2ba454673e8ad1becbd09d60838d80f95ba4f7c4cbfa635816c
RemcosRAT
42b3442bc675f7ff95d660935ea8756710fea99551b1d614f2e8b7db739d72a0
RemcosRAT
43a538ef95d4f931704d6309fa0a292f38abaeae48836f39115c0d3f4418fdec
RemcosRAT
68bed4f6dbae01424ea129442f2ad03e3bd0de82e145189d0777113c16093b03
RemcosRAT
6ac854ad31f69402e17fc4d7a5a7ee03322328d263b77da8baffbb5a6bba0d90
RemcosRAT
6dda744aac3215478c15a9cd00eebc26e47acc61f76d601f489be3b860b736ba
RemcosRAT
c95de6e5963a1f5a56a8c768e69b59217aceb0c725760b29054d4bc68c75ea7e
RemcosRAT
ef99b1fde610f8d8348ffe784852789eff4aff37aec92439c7076f793940b305
RemcosRAT
error
RemcosRAT
f5147495983f1e0eb0d595bcced8d5fceedfef286909fe6f213760c0742493ac
RemcosRAT
+ 1'624 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost discovery execution rat
Link:
https://tria.ge/reports/251022-px776adx8h/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Remcos
Remcos family
Malware Config
C2 Extraction:
www.blessingsz.com:2404
www.chemeclo.com:2404
www.foodchenn.com:2404
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.95
Link:
https://yomi.yoroi.company/submissions/1981e12873bf244b386e58f51e1281f627b82b1a5d9189d766c7627aa586fbad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

PowerShell (PS) ps1 1981e12873bf244b386e58f51e1281f627b82b1a5d9189d766c7627aa586fbad

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3682327/
  
Delivery method
Distributed via web download

Comments