MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ba5cd4efe4e3ea5751e2ae04bb37c4858bc286f1a3adf2d5c76b44348a14708. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 20

Intelligence 20 IOCs YARA 14 File information Comments

SHA256 hash:	1ba5cd4efe4e3ea5751e2ae04bb37c4858bc286f1a3adf2d5c76b44348a14708
SHA3-384 hash:	c4acdd31ec0310fc4242ee85b2abe285447bc0ccdcec0720bfa6c2300343f22f5ac1086a1cad222fb61da409b09d20a4
SHA1 hash:	36882ec6df27839fe7f4a50dd4e25ab6c00e691b
MD5 hash:	4ce519251ceff1dc3719e22d8ba51faf
humanhash:	black-july-kilo-lithium
File name:	Backdoor.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	98'304 bytes
First seen:	2026-05-27 12:37:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d3a62971944197f0701c7049a9c739d1 (73 x RemcosRAT)
ssdeep	1536:AhhW0YTGZWdVseJxaM9kraLdV2QkQ1TbPX8IHOCkIsI4ESHNTh9E+JP19qkP6Gr2:GhzYTGWVvJ8f2v1TbPzuMsIFSHNThy+g
Threatray	426 similar samples on MalwareBazaar
TLSH	T1DFA3D717BA4BD0B3E42191F186826BA18FBC7C333646213BD74FC9419DB8486D456EFA
TrID	40.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 21.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 8.5% (.EXE) Win64 Executable (generic) (6522/11/2) 6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika	pebin
dhash icon	989894b49c9494f0 (56 x RemcosRAT)
Reporter	Anonymous
Tags:	c2 exe RAT remcos RemcosRAT Remote

Anonymous

Remcos RAT - Remote Access TrojanC&C sinkholed - dead sampleIOC domains for research and detection

Intelligence

File Origin

# of uploads :

# of downloads :

118

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

Remcos

Details

Remcos

a version number and verbose configuration settings

Link:

https://research.acce.ciphertechsolutions.com/results/d34878c1-2b10-4fe0-8f3f-efd7156714ee/

Malware family:

remcos

ID:

File name:

Backdoor.exe

Verdict:

Malicious activity

Analysis date:

2026-05-27 12:32:56 UTC

Tags:

remcos rat

Link:

https://app.any.run/tasks/e4c0aeae-02c3-40c8-9930-e8248bd97483

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/68163/

Detection(s):

Win.Malware.Azden-7587127-0

Win.Malware.Rescoms-6598304-0

Win.Malware.Zusy-6832224-0

YARA.MALPEDIA_Win_Remcos_Auto.UNOFFICIAL

YARA.SEKOIA_Rat_Win_Remcos.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a16e5275b1db29f5a486b98

Tags:

remcos emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file

Creating a window

DNS request

Connection attempt

Launching a service

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm cmd config-extracted crypto evasive evasive eventvwr explorer fingerprint keylogger lolbin microsoft_visual_cc rat rat reconnaissance remcos

Link:

https://www.filescan.io/uploads/6a16e5c7099ef368af05409d/reports/ed3fa8c5-86a0-4dc8-b913-bd12896f519d/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/1ba5cd4efe4e3ea5751e2ae04bb37c4858bc286f1a3adf2d5c76b44348a14708

Verdict:

Malicious

File Type:

exe x32

Detections:

Backdoor.Win32.Remcos.sb Backdoor.Win32.Remcos.f HEUR:Trojan.Win32.Generic HEUR:Trojan.Win32.Agent.gen Exploit.Win32.BypassUAC.sb

Link:

https://opentip.kaspersky.com/1ba5cd4efe4e3ea5751e2ae04bb37c4858bc286f1a3adf2d5c76b44348a14708/results?tab=lookup

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3a750ec1-5495-4b00-9bf0-706d8b057377

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1ba5cd4efe4e3ea5751e2ae04bb37c4858bc286f1a3adf2d5c76b44348a14708

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/1ba5cd4efe4e3ea5751e2ae04bb37c4858bc286f1a3adf2d5c76b44348a14708/

Verdict:

Malicious

Threat:

Family.REMCOS

Link:

https://tip.neiki.dev/file/1ba5cd4efe4e3ea5751e2ae04bb37c4858bc286f1a3adf2d5c76b44348a14708

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2026-05-27 12:35:55 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

35 of 36 (97.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dos42tx6jy7kk5i6flqexm34jbmlykdpdi5n6lk4o22egsfbi4ea._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

8a5ab8b21bade2c1b4cb16c662c572cf02744bdaefe20914e6f21ffe83c842ec

RemcosRAT

d1c0a9525bf259465de304408570586693062d18f7d59ec854dbc8158acb700b

RemcosRAT

e6e8ef9be0380cfb43b1127f85909488095f2056d67d4ec8512a3ea40f8a4803

RemcosRAT

error

RemcosRAT

f4a2c80797bebaf01a6cc770e15aead0f6c399a491b6a669c4678f1378475bb4

RemcosRAT

+ 416 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:host discovery rat

Link:

https://tria.ge/reports/260527-pvestsdx7k/

Behaviour

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

System Location Discovery: System Language Discovery

Malware Config

C2 Extraction:

goldenscissoreindhoven.nl:2404
maurya.nl:2404
yellowred.in:2404
jvegter.nl:2404
gwwsite.nl:2404
mixkitchenamsterdam.nl:2404
nok.com.mx:2404
gg88.yellowred.in:2404
thiengiaviet.com:2404
schoenberg-ensemble.nl:2404

Unpacked files

SH256 hash:

1ba5cd4efe4e3ea5751e2ae04bb37c4858bc286f1a3adf2d5c76b44348a14708

MD5 hash:

4ce519251ceff1dc3719e22d8ba51faf

SHA1 hash:

36882ec6df27839fe7f4a50dd4e25ab6c00e691b

Detections:

win_remcos_auto

win_remcos_g0

Remcos

Link:

https://www.unpac.me/results/45f6b83f-e38f-465d-93a8-637ff1d3a35d/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1ba5cd4efe4e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CMD_Ping_Localhost Create hunting rule

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	malware_Remcos_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	RAT_remcos_strings Create hunting rule
Author:	0x0d4y
Description:	This rule detects the remcos through your specific strings.
Reference:	Internal Research

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

Rule name:	Windows_Generic_Threat_994f2330 Create hunting rule
Author:	Elastic Security

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

any.run

https://app.any.run/tasks/e4c0aeae-02c3-40c8-9930-e8248bd97483

Dropped by

Remcos Rat

Delivery method

Multiple

Cape

https://www.capesandbox.com/analysis/68163/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample