MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29698045dbe2e9eaf2f0ff6830417cb112e5af234225b06242e27198c9321204. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 29698045dbe2e9eaf2f0ff6830417cb112e5af234225b06242e27198c9321204
SHA3-384 hash: ef050f7bf4bcd657e5751fa6748813ed9627f20023b3f343bd5a63689c1753ee1b692f384bb4e9f586c5631c02d36be5
SHA1 hash: 6149cec90964b892f2476805a132a389e37332db
MD5 hash: 3128dc9ec0091356552499eb9d76b741
humanhash: salami-cold-solar-one
File name:msword.zip
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:91'553'792 bytes
First seen:2025-08-11 15:42:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32f3282581436269b3a75b6675fe3e08 (197 x LummaStealer, 122 x Rhadamanthys, 8 x CoinMiner)
ssdeep 24576:3VNb4DihIwqPP5xW4EsDLCKIbWcJD3y0KT2g8TxkoN5m:Hbu7LRoScxJDi0jxkK5m
TLSH T1921812FAB3C1318EED2B41634BD9A329E2B52E9B3175C5384A07AA3541153F142DB37E
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon b1b336b4b2b6d4f0 (1 x RemcosRAT)
Reporter abuse_ch
Tags:exe RemcosRAT zip

Intelligence

File Origin
# of uploads :
1
# of downloads :
498
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
msword.zip
Verdict:
Malicious activity
Analysis date:
2025-08-11 15:44:51 UTC
Tags:
auto-sch lumma stealer auto-startup autoit remcos rat remote
Link:
https://app.any.run/tasks/c7073d54-278a-49b0-8e2d-bffb633dfc2e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689a0fd2c633abe3908de972
Tags:
autoit emotet cobalt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a process from a recently created file
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Possible injection to a system process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug installer masquerade microsoft_visual_cc overlay overlay packed
Link:
https://www.filescan.io/uploads/689a0fea2fbe0788fb1d9bf7/reports/f1660091-d304-4a20-a23b-d5ac87c278f9/overview
Verdict:
Malicious
Labled as:
Infostealer/Rhadamanthys
Link:
https://www.hybrid-analysis.com/sample/29698045dbe2e9eaf2f0ff6830417cb112e5af234225b06242e27198c9321204
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1754719
Signature
C2 URLs / IPs found in malware configuration
Detected Remcos RAT
Disable UAC(promptonsecuredesktop)
Drops PE files with a suspicious file extension
Found malware configuration
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Remcos
Sigma detected: Search for Antivirus process
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript called in batch mode (surpress errors)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1754719 Sample: msword.zip.exe Startdate: 11/08/2025 Architecture: WINDOWS Score: 100 65 tkghpbMwpHKkOMCCG.tkghpbMwpHKkOMCCG 2->65 67 me-work.com 2->67 69 geoplugin.net 2->69 83 Suricata IDS alerts for network traffic 2->83 85 Found malware configuration 2->85 87 Malicious sample detected (through community Yara rule) 2->87 89 12 other signatures 2->89 11 msword.zip.exe 25 2->11         started        14 wscript.exe 1 2->14         started        17 wscript.exe 2->17         started        signatures3 process4 file5 63 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 11->63 dropped 19 cmd.exe 1 11->19         started        95 Windows Scripting host queries suspicious COM object (likely to drop second stage) 14->95 22 GraceTrack.com 14->22         started        24 GraceTrack.com 17->24         started        signatures6 process7 signatures8 91 Drops PE files with a suspicious file extension 19->91 93 Uses schtasks.exe or at.exe to add and modify task schedules 19->93 26 cmd.exe 4 19->26         started        29 conhost.exe 19->29         started        process9 file10 59 C:\Users\user\AppData\Local\Temp\...\This.com, PE32 26->59 dropped 31 This.com 4 19 26->31         started        36 extrac32.exe 18 26->36         started        38 tasklist.exe 1 26->38         started        40 2 other processes 26->40 process11 dnsIp12 71 me-work.com 124.198.132.82, 49685, 49688, 49689 MAXNET-NZ-APAucklandNZ New Zealand 31->71 73 geoplugin.net 178.237.33.50, 49686, 80 ATOM86-ASATOM86NL Netherlands 31->73 53 C:\Users\user\AppData\...behaviorgraphraceTrack.com, PE32 31->53 dropped 55 C:\Users\user\AppData\Local\...behaviorgraphraceTrack.js, ASCII 31->55 dropped 57 C:\ProgramData\remcos\logs.dat, data 31->57 dropped 75 Detected Remcos RAT 31->75 77 Drops PE files with a suspicious file extension 31->77 79 Installs a global keyboard hook 31->79 81 Disable UAC(promptonsecuredesktop) 31->81 42 cmd.exe 2 31->42         started        45 cmd.exe 1 31->45         started        file13 signatures14 process15 file16 61 C:\Users\user\AppData\...behaviorgraphraceTrack.url, MS 42->61 dropped 47 conhost.exe 42->47         started        49 conhost.exe 45->49         started        51 schtasks.exe 1 45->51         started        process17
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/29698045dbe2e9eaf2f0ff6830417cb112e5af234225b06242e27198c9321204
Gathering data
Verdict:
Malicious
Threat:
Backdoor.Agent.UDP
Link:
https://tip.neiki.dev/file/29698045dbe2e9eaf2f0ff6830417cb112e5af234225b06242e27198c9321204
Threat name:
Win32.Adware.RedCap
Create hunting rule
Status:
Malicious
First seen:
2025-08-11 15:53:38 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
16 of 37 (43.24%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ffuyaro34lu6v4xq75udaql4wejollzdiis3aysc4jyzrsjscica._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
error
RemcosRAT
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos defense_evasion discovery execution persistence rat trojan
Link:
https://tria.ge/reports/250811-s6bgbswrt5/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Drops startup file
Executes dropped EXE
Loads dropped DLL
Remcos
Remcos family
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
Malware Config
C2 Extraction:
me-work.com:7004
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4c5837d3-88ef-44a4-a28b-b8af1f67fe73
Malware family:
CypherIt
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/29698045dbe2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/29698045dbe2e9eaf2f0ff6830417cb112e5af234225b06242e27198c9321204

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments