MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e7af2d2c97dd25be70faff2a6c967cd6b10a392314df05dab92e2c7802eb5ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 16

SHA256 hash: 1e7af2d2c97dd25be70faff2a6c967cd6b10a392314df05dab92e2c7802eb5ca
SHA3-384 hash: 32dae5806aac3398fd6e630ad380a851589a25c94f9f0113e41bb250a73ac642637c463e69f4e9e923b32cd13a563b21
SHA1 hash: 4310fb92fc5ad188e544c50f19f313507b20c306
MD5 hash: a843f563083b2d38593ba138f25a1429
humanhash: lima-kentucky-nine-sodium
File name: Arrival_Notice_29_08_2025-081367383902912775152190221_20122242972912776414200221123100423.exe
Signature: RemcosRAT
File size: 737'936 bytes
First seen: 2025-08-30 13:58:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9dda1a1d1f8a1d13ae0297b47046b26e (64 x Formbook, 39 x GuLoader, 22 x RemcosRAT)
ssdeep: 12288:onPd3miCzyWNG8UkI81MxWbZaWSizES/2mHM/kgrZxF/JLwmvIFFpxsPKObWqAE5:gPdhC2CN14W8Fi/JbgrfFhgsiOL15
TLSH: T198F4238D2BF6D857FA6608751C7A1C73BB78E6098051D33B0B60B34D6CABDE0D069B16
TrID:
47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe RemcosRAT signed

Code Signing Certificate

Organisation: Veleta
Issuer: Veleta
Algorithm: sha256WithRSAEncryption
Valid from: 2025-08-10T10:49:47Z
Valid to: 2026-08-10T10:49:47Z
Serial number: 52ea76548a622488bcd1512151fa1fadca42a039
Thumbprint Algorithm: SHA256
Thumbprint: 4006a59265e0710d0327f270e54a97470e513e6a41871899a4ecc1255aaa21a0
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 1
# of downloads: 101
Origin country: SE

Vendor Threat Intelligence
Malware family: guloader
ID: 1
File name: Arrival_Notice_29_08_2025-081367383902912775152190221_20122242972912776414200221123100423.exe
Verdict: Malicious activity
Analysis date: 2025-08-30 14:13:32 UTC
Tags: auto-reg guloader rat remcos remote

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 70%
Tags: injection obfusc crypt
Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Searching for the window
Creating a file
Delayed reading of the file
Sending a custom TCP request
Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: adaptive-context anti-debug blackhole installer microsoft_visual_cc nsis overlay signed
Verdict: Malicious
File Type: exe x32
First seen: 2025-08-29T01:33:00Z UTC
Last seen: 2025-08-29T01:33:00Z UTC
Hits: ~1000
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
AI detected suspicious PE digital signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected Remcos RAT
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Verdict: inconclusive
YARA: 5 match(es)
Tags: Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name: Win32.Trojan.Nemesis
Status: Malicious
First seen: 2025-08-29 04:42:38 UTC
File Type: PE (Exe)
Extracted files: 18
AV detection: 15 of 24 (62.50%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:guloader family:remcos botnet:nappy discovery downloader persistence rat
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Loads dropped DLL
Guloader family
Guloader,Cloudeye
Remcos
Remcos family
Malware Config
C2 Extraction: 107.150.0.150:51659
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name: Detect_NSIS_Nullsoft_Installer
Author: Obscurity Labs LLC
Description: Detects NSIS installers by .ndata section + NSIS header string
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: SUSP_NullSoftInst_Combo_Oct20_1
Author: Florian Roth (Nextron Systems)
Description: Detects suspicious NullSoft Installer combination with common Copyright strings
Reference: https://twitter.com/malwrhunterteam/status/1313023627177193472
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
