MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 2944010e5dc27c32e209f1aa2f0e9fb2ba05e90acb0beaccf16622b31389a349. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
RemcosRAT
Vendor detections: 19
| SHA256 hash: | 2944010e5dc27c32e209f1aa2f0e9fb2ba05e90acb0beaccf16622b31389a349 |
|---|---|
| SHA3-384 hash: | bc00ee77f389095aecb16582a5a24dd57910f38290a58d67c1a61a0de33244bce2cc37ed785cb7b770b460e7209c0925 |
| SHA1 hash: | 6aea060064608778a6266d73a91b3f149e7baec6 |
| MD5 hash: | 6cd777ffe145cdd3d86dff6128013aa6 |
| humanhash: | princess-romeo-robert-lamp |
| File name: | Fiyat Teklifi ve Termin Bilgisi Rica Ederiz. SiparisNHM-0026.exe |
| Signature | RemcosRAT |
| File size: | 1'296'904 bytes |
| First seen: | 2026-02-26 16:19:37 UTC |
| Last seen: | 2026-02-26 17:24:11 UTC |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'818 x AgentTesla, 19'741 x Formbook, 12'286 x SnakeKeylogger) |
| ssdeep | 24576:NrbbXjskG0SmW+ZfYHPr3kNO5UAqa/B60rnV1tVd9oPBTvgOmNUNEbp:NrnXjsIW+ZfsPrUNVAm0xVdiJTvyNUmF |
| Threatray | 1'310 similar samples on MalwareBazaar |
| TLSH | T1A25513146615D703D9D69B741AB2F2785BBC6DCAB850E3074FE8ADEFB866B050D08383 |
| TrID | 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13); 6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2); 6.6% (.EXE) Win64 Executable (generic) (6522/11/2); 4.5% (.EXE) Win32 Executable (generic) (4504/4/1); 2.0% (.ICL) Windows Icons Library (generic) (2059/9) |
| Magika | pebin |
| Reporter | |
| Tags: | exe geo RAT RemcosRAT TUR |
Intelligence
File Origin
SE
Vendor Threat Intelligence
Malware Config
91.92.242.99:2404
Unpacked files
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables signed with stolen, revoked or invalid certificates |
| Rule name: | NET |
|---|---|
| Author: | malware-lu |
| Rule name: | PE_Digital_Certificate |
|---|---|
| Author: | albertzsigovits |
| Rule name: | pe_imphash |
|---|---|
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
File information
The table below shows additional information about this malware sample such as delivery method and external references.