MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d67dacec099bf03c40fcb8320ea5fe18a36113511f2602ce0024ec42c709713. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d67dacec099bf03c40fcb8320ea5fe18a36113511f2602ce0024ec42c709713
SHA3-384 hash: fd02aac27bcea1fac627f2a00c4dfa72fdad59e2a57fdbb3c5badef137b9b5539ce7155b4baaaa913cf612d0c50d1106
SHA1 hash: 9527290bf39cca6d20f62cd357a78ebb3fb732a2
MD5 hash: 4d3450b132aba66480a845e58a491971
humanhash: minnesota-winter-earth-pizza
File name:1d67dacec099bf03c40fcb8320ea5fe18a36113511f2602ce0024ec42c709713
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'673'216 bytes
First seen:2025-09-05 13:13:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'669 x AgentTesla, 19'482 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:amZvV0lUMFKYcEccRAeSXYfOjPnk6WWZ22fJeTZcwSeyT6AGaC2dsRwPd1iHpzqb:r6XSIfQWQINwr7CRRwV1nnLnk
TLSH T11A75AD00BFAC1716E53C28FE266649375B722B039418F0DAF8BD52DE9FA5B05463B352
TrID 66.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.5% (.EXE) Win64 Executable (generic) (10522/11/4)
5.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.0% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter adrian__luca
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
67
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
1d67dacec099bf03c40fcb8320ea5fe18a36113511f2602ce0024ec42c709713
Verdict:
Malicious activity
Analysis date:
2025-09-05 20:30:23 UTC
Tags:
remcos rat remote auto-sch-xml
Link:
https://app.any.run/tasks/412860b6-9afb-4ed4-9b1d-a783b4f14040

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/25626/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68bae269eb163e0ec184845d
Tags:
virus spawn msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a file
Connection attempt
DNS request
Sending an HTTP GET request
Changing a file
Forced shutdown of a system process
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypt obfuscated packed packed packer_detected remcos
Link:
https://www.filescan.io/uploads/68baf0d620d0ee406d96c332/reports/ceccf597-750b-4e7f-8a6b-57cc2e2844e7/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/1d67dacec099bf03c40fcb8320ea5fe18a36113511f2602ce0024ec42c709713
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-23T16:22:00Z UTC
Last seen:
2025-08-23T16:22:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/1d67dacec099bf03c40fcb8320ea5fe18a36113511f2602ce0024ec42c709713/results?tab=lookup
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a312a42e-5935-4319-a9d3-9aed75f68654
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1d67dacec099bf03c40fcb8320ea5fe18a36113511f2602ce0024ec42c709713
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.31 Win 32 Exe x86
Link:
https://app.malva.re/file/4d3450b132aba66480a845e58a491971
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1d67dacec099bf03c40fcb8320ea5fe18a36113511f2602ce0024ec42c709713/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2025-08-25 00:25:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
76
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dvt5vtwatg7qhrapzobsb2s74gfdmejvchzgalhaajhmildqs4jq._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos collection credential_access discovery execution persistence rat stealer
Link:
https://tria.ge/reports/250905-rjh28abm61/
Behaviour
Enumerates system info in registry
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks computer location settings
Executes dropped EXE
Uses the VBS compiler for execution
Command and Scripting Interpreter: PowerShell
Uses browser remote debugging
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Remcos
Remcos family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6fb80338-2c09-4b2f-9c03-08f92fa58229
Unpacked files
SH256 hash:
1d67dacec099bf03c40fcb8320ea5fe18a36113511f2602ce0024ec42c709713
MD5 hash:
4d3450b132aba66480a845e58a491971
SHA1 hash:
9527290bf39cca6d20f62cd357a78ebb3fb732a2
Link:
https://www.unpac.me/results/ecdb0a5c-11b8-410e-88fd-217e78ba7b2f/
SH256 hash:
b2a18a51f6cdb530f5063ccf53d1011bb1fcdb46bcd42ce1abb4ad207697c7c8
MD5 hash:
3f81c3b08ac395bf5160684bba6f273b
SHA1 hash:
0f4f96444c6f435b5322c749e3d0e1929be7b2fc
Detections:
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
Remcos
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Link:
https://www.unpac.me/results/ecdb0a5c-11b8-410e-88fd-217e78ba7b2f/
Parent samples :
971c47e1602e19ed5c2d65992bbd8ed9d8480e60849c355dd2e6909ae83dcfba
870d065bd083e30edfa0d9f8c1dbad6c2ad69ae46d4bb9a29b786a560936900a
1d67dacec099bf03c40fcb8320ea5fe18a36113511f2602ce0024ec42c709713
SH256 hash:
227a6731e7e370b7ec82e4618b68f1126fefaa8c34b5489156acc8081a17252d
MD5 hash:
e5aadd793fed88cba6d0166acdda5564
SHA1 hash:
2857271c72c2ddd457bf0bf50efe7c5035cc02ba
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/ecdb0a5c-11b8-410e-88fd-217e78ba7b2f/
SH256 hash:
18ec2f02a931ddec650022a9c82bb14a8f180626460f70b9db517c7f2df1d61f
MD5 hash:
8fbc028c3b3984606261d39e4537bb0c
SHA1 hash:
4cb9a560da28d72bc04512c1f4d47b2c914b16de
Link:
https://www.unpac.me/results/ecdb0a5c-11b8-410e-88fd-217e78ba7b2f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1d67dacec099bf03c40fcb8320ea5fe18a36113511f2602ce0024ec42c709713

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/25626/

Comments