MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1bd50faa3a761deff7f9b94efb42cac9ee9b074e5296ec721a089f34af9e972a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 21


Intelligence 21 IOCs YARA 25 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1bd50faa3a761deff7f9b94efb42cac9ee9b074e5296ec721a089f34af9e972a
SHA3-384 hash: 2b2a46e5a21bf8b11d5c03c44d92c74b437c8f07a734de70e3f1a6c16af71b3bbb55230d10984440cae89f3b6876445f
SHA1 hash: 3a8301aeb54da9380eef272d59825c505a7ecc49
MD5 hash: 231e7b516429326b9084b1772ef77d98
humanhash: stream-fifteen-iowa-double
File name:NOTEPAD.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'360'896 bytes
First seen:2026-02-27 16:13:02 UTC
Last seen:2026-02-27 17:42:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'818 x AgentTesla, 19'741 x Formbook, 12'286 x SnakeKeylogger)
ssdeep 24576:CKSrMii7OCuCJZFqFJChgncP7g17XAmYYUWHSkyAN1xI5aO:CK2MiRCvZFq7nc817XAfY5zNsU
TLSH T1DF5501642796DD06C36D433158E5F17897B59E97B120C20ABEEE3D97BB2EF110A82343
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
100
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
NETReactor RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/92b6ed56-d78b-44a6-b79e-deecb3534a06/
Malware family:
amadey
Create hunting rule
ID:
1
File name:
virusvippro.exe
Verdict:
Malicious activity
Analysis date:
2026-02-26 14:03:12 UTC
Tags:
auto metasploit framework github amadey botnet stealer stealc possible-phishing anti-evasion telegram phishing clickfix python barys powershell maskgram xenorat rat anydesk rmm-tool generic action1rmm screenconnect tool remote maskgramstealer tinynuke miner meterpreter backdoor havoc koistealer koiloader loader wannacry ransomware cobaltstrike guloader cryptowall njrat remcos vidar xred networm amus asyncrat smb bruteratel formbook sheet pyinstaller redline stealerium pastebin coinminer gh0st cryptolocker bladabindi pushware adware scan smbscan donutloader putty noescape wiper gotohttp ghostsocks proxyware whitesnakestealer xworm
Link:
https://app.any.run/tasks/1cf7f269-638c-477f-9a92-9fcd7b08a3e9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/54876/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.3463.31902.25508.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69a1c2a3c950ab5d9ab223ce
Tags:
autorun keylog virus word
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
bitmap net_reactor obfuscated packed packed packed remcos stego vbnet
Link:
https://www.filescan.io/uploads/69a1c29ccd25bfe1dfdc06c2/reports/864473b7-c828-49ee-b5c7-3aab9670ac3e/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/1bd50faa3a761deff7f9b94efb42cac9ee9b074e5296ec721a089f34af9e972a
Result
Gathering data
Verdict:
Malicious
File Type:
exe x32
Detections:
Backdoor.Win32.Remcos.f HEUR:Trojan.MSIL.Injuke.gen Trojan.MSIL.Agent.sb PDM:Trojan.Win32.Generic Exploit.Win32.BypassUAC.sb Backdoor.Win32.Remcos.sb
Link:
https://opentip.kaspersky.com/1bd50faa3a761deff7f9b94efb42cac9ee9b074e5296ec721a089f34af9e972a/results?tab=lookup
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d4b7c927-7651-444a-bff9-8d8ad8d603ad
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1876052
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Notepad Making Network Connection
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Unusual module load detection (module proxying)
Windows shortcut file (LNK) contains suspicious command line arguments
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1876052 Sample: NOTEPAD.exe Startdate: 27/02/2026 Architecture: WINDOWS Score: 100 38 rency.ydns.eu 2->38 56 Suricata IDS alerts for network traffic 2->56 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 13 other signatures 2->62 8 powershell.exe 15 2->8         started        10 NOTEPAD.exe 7 2->10         started        14 svchost.exe 1 1 2->14         started        signatures3 process4 dnsIp5 17 vLzpDgLFhXnuq.exe 5 8->17         started        20 conhost.exe 1 8->20         started        32 C:\Users\user\AppData\...\vLzpDgLFhXnuq.exe, PE32 10->32 dropped 34 C:\...\vLzpDgLFhXnuq.exe:Zone.Identifier, ASCII 10->34 dropped 36 C:\Users\user\AppData\...36OTEPAD.exe.log, ASCII 10->36 dropped 64 Injects a PE file into a foreign processes 10->64 66 Unusual module load detection (module proxying) 10->66 22 NOTEPAD.exe 2 3 10->22         started        26 NOTEPAD.exe 10->26         started        42 127.0.0.1 unknown unknown 14->42 file6 signatures7 process8 dnsIp9 44 Antivirus detection for dropped file 17->44 46 Multi AV Scanner detection for dropped file 17->46 48 Contains functionalty to change the wallpaper 17->48 54 6 other signatures 17->54 28 vLzpDgLFhXnuq.exe 17->28         started        40 rency.ydns.eu 91.92.241.145, 2404, 49692 THEZONEBG Bulgaria 22->40 30 C:\ProgramData\remcos\logs.dat, data 22->30 dropped 50 System process connects to network (likely due to code injection or exploit) 22->50 52 Installs a global keyboard hook 22->52 file10 signatures11 process12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1bd50faa3a761deff7f9b94efb42cac9ee9b074e5296ec721a089f34af9e972a
Gathering data
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1bd50faa3a761deff7f9b94efb42cac9ee9b074e5296ec721a089f34af9e972a/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/1bd50faa3a761deff7f9b94efb42cac9ee9b074e5296ec721a089f34af9e972a
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2026-02-26 15:56:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
41
AV detection:
24 of 36 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dpkq7kr2oyo6757zxfhpwqwkzhxjwb2okkloy4q2bcptjl46s4va._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
error
RemcosRAT
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:2026 discovery rat
Link:
https://tria.ge/reports/260227-tn781sez3d/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Drops startup file
Remcos
Remcos family
Malware Config
C2 Extraction:
rency.ydns.eu:2404
wqo9.firewall-gateway.de:4045
code1.ydns.eu:9302
Unpacked files
SH256 hash:
1bd50faa3a761deff7f9b94efb42cac9ee9b074e5296ec721a089f34af9e972a
MD5 hash:
231e7b516429326b9084b1772ef77d98
SHA1 hash:
3a8301aeb54da9380eef272d59825c505a7ecc49
Link:
https://www.unpac.me/results/27923b23-d929-47ed-94c4-56b753fc09ad/
SH256 hash:
0bfd239d51a6f775f5157222246c02d0e72c31fb130f4e3722bfbf644bdee382
MD5 hash:
7ae9d31c959adb3b412a12acc34113b4
SHA1 hash:
0c23ad65dd5d670dc2af83cd74518ffa0357e01d
Link:
https://www.unpac.me/results/27923b23-d929-47ed-94c4-56b753fc09ad/
SH256 hash:
7a129bbad06bad0fabfa21b3563e6ad745dc9fa85aabad67071c367e9fc7378d
MD5 hash:
0dfed1a13f8173e3b9828055cbba343a
SHA1 hash:
8da2d58913d2dc819e6f2b75cbe6b57d56dc061e
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/27923b23-d929-47ed-94c4-56b753fc09ad/
SH256 hash:
3d2513aef57950b4fbaa6595bdd45cb50534eb7e27f059eb71758b42ff6509dc
MD5 hash:
3d67305123746bc4b006a04fedbaf05e
SHA1 hash:
9925c9dfaf0321be5f52fb24f7179cb53dfe71e5
Detections:
win_remcos_auto
Create hunting rule
win_remcos_w0
Create hunting rule
Remcos
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Link:
https://www.unpac.me/results/27923b23-d929-47ed-94c4-56b753fc09ad/
Parent samples :
8109a0528091c8be7fc71e941604672f1cfba50a020c9b4fce74be6e092764f4
7419b292f77e62623a70a50d129c225c4d26fb53282f573f4e7f57242bbf946f
a0b526925bb48806b6ea9abd3d7edae9097c315bd491c37ece9103b1471c1c5e
5cf7d883f29fd1ef93f0f744413f97d419985587544d36b5326f7e8cd3828a66
e3ccebebae0ce58740624ec86b74e6325e0384b3181fc493b022720c378b9a4e
1bd50faa3a761deff7f9b94efb42cac9ee9b074e5296ec721a089f34af9e972a
ddf18913e974e0d83e4f65d4fb9b20e98974bf87cc414af05184fe20bc0f6e87
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1bd50faa3a76/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1bd50faa3a761deff7f9b94efb42cac9ee9b074e5296ec721a089f34af9e972a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Remcos_921ef449
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:win_remcos_rat_unpacked
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:win_remcos_w0
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:yarahub_win_remcos_rat_unpacked_aug_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 1bd50faa3a761deff7f9b94efb42cac9ee9b074e5296ec721a089f34af9e972a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3679158/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/54876/
  
URLhaus
https://urlhaus.abuse.ch/url/3786898/

Comments