MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29ef990e1995feb5e295d3d701fcbb372fdec1a03b04bf84d061b9fb64b904cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 29ef990e1995feb5e295d3d701fcbb372fdec1a03b04bf84d061b9fb64b904cb
SHA3-384 hash: 0d5e7b468c5f05cef8ddeb052ecfe9b12fad6b75c75d26851720a598c3288d535cfbf2b7fe61befed78ff466f742ab01
SHA1 hash: 679e56551e23dcb2163e39d64aff05367ee49f41
MD5 hash: 6ee87f01d194f31accb9d09ebb6a541b
humanhash: music-alanine-mountain-triple
File name:H12092025_QCA.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:429'064 bytes
First seen:2025-12-10 10:36:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3f91aceea750f765ef2ba5d9988e6a00 (45 x GuLoader, 9 x RemcosRAT, 7 x Loki)
ssdeep 6144:cEh9vQptxgF8gWVRmJll5qZQf/PnhMcKL4/L/lLb0cnQKTdd1eIMMhckf:cRfu8gWXmJ3EQ/nyP4/REcdeIM25f
Threatray 2'438 similar samples on MalwareBazaar
TLSH T13B94C08DAE046CC5DC054031503791FA99F9E9EDD1AB09EA73FBB036D8321463A1DE2B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon ea70dc5c4d68488c (2 x RemcosRAT)
Reporter threatcat_ch
Tags:exe RemcosRAT signed

Code Signing Certificate

Organisation:Baggrundes
Issuer:Baggrundes
Algorithm:sha256WithRSAEncryption
Valid from:2025-11-11T01:09:40Z
Valid to:2026-11-11T01:09:40Z
Serial number: 21572c3238d18c40bd870532ab2ec7088f0dd1d9
Thumbprint Algorithm:SHA256
Thumbprint: 0026900bf97027c3403ee0b834c668f3d480a0b86b315839e2d841e4169066ad
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
159
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
GuLoader NSIS
Details
GuLoader
a c2 URL, a useragent string, and a string XOR key
GuLoader
an XOR decryption key and an extracted component
NSIS
extracted archive contents
Link:
https://research.acce.ciphertechsolutions.com/results/488b6a0c-a905-40c1-bc04-2a0abacb8e98/
Malware family:
remcos
Create hunting rule
ID:
1
File name:
_29ef990e1995feb5e295d3d701fcbb372fdec1a03b04bf84d061b9fb64b904cb.exe
Verdict:
Malicious activity
Analysis date:
2025-12-10 10:38:39 UTC
Tags:
rat remcos auto-reg
Link:
https://app.any.run/tasks/b13c4bc3-fb44-4650-9cab-8c4d82f48991

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/44139/
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69394d5ba675b653bd0faab7
Tags:
n/a
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Delayed reading of the file
Creating a file
Sending a custom TCP request
Restart of the analyzed sample
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug blackhole installer installer installer-heuristic microsoft_visual_cc nsis overlay signed
Link:
https://www.filescan.io/uploads/69394d581eac7b9b76a38a6d/reports/6d17a94a-1ce5-42e0-a52a-b0bb2775dde6/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/29ef990e1995feb5e295d3d701fcbb372fdec1a03b04bf84d061b9fb64b904cb
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-10T02:03:00Z UTC
Last seen:
2025-12-12T06:40:00Z UTC
Hits:
~1000
Detections:
VHO:Trojan-Downloader.Win32.Minix.gen Trojan.Win32.GuLoader.sb PDM:Trojan.Win32.Generic HEUR:Trojan.Win32.GuLoader.gen Trojan-Downloader.Win32.Minix.sb Trojan.NSIS.Makoob.sba
Link:
https://opentip.kaspersky.com/29ef990e1995feb5e295d3d701fcbb372fdec1a03b04bf84d061b9fb64b904cb/results?tab=lookup
Malware family:
Avigilon
Create hunting rule
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8887147a-a610-4739-944e-fd30ccbda2a9
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1830135
Signature
AI detected suspicious PE digital signature
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Unusual module load detection (module proxying)
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/29ef990e1995feb5e295d3d701fcbb372fdec1a03b04bf84d061b9fb64b904cb
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/6ee87f01d194f31accb9d09ebb6a541b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/29ef990e1995feb5e295d3d701fcbb372fdec1a03b04bf84d061b9fb64b904cb/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/29ef990e1995feb5e295d3d701fcbb372fdec1a03b04bf84d061b9fb64b904cb
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2025-12-10 07:50:53 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fhxzsdqzsx7llyuv2plqd7f3g4x55qnahmcl7bgqmg47wzfzatfq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
0f6af71e4ab5a6475da3d5e7d5b570e62075636506b7f1bec3d0234428d86266
RemcosRAT
3bf4de4054b4f33380f3b184caab29b660a06e499580690e3f656c665464d1e3
RemcosRAT
4504f2ee6ddd3759336ad84917b87ce3bd94efa5ee24c080898a6d0a41b31405
RemcosRAT
551863be2e92aa2d319a92cda72bc2123233ee3a7e965ee691fd70d88c21d772
RemcosRAT
5c1e7e7b83bc21cebd4ce833cac790ddc3c1f5d1c872fd009aed09b541764b91
RemcosRAT
62ea4446b44f3afbe6cc5dcf473d25527e03f7e31a14dc4078f0224fecabf0f5
RemcosRAT
b9dccdd47941cee82eadbe252521ecbe0756cba76b1fea9dab055cef6298e8bb
RemcosRAT
cdd2c8120d61247bbb83f791071f2d99227cb3f0e5129096441ebef1ab014965
RemcosRAT
d7fc23425bb81422770b6202f60d171d252533a4c7040edf4f6f9fefaa16499d
RemcosRAT
error
RemcosRAT
+ 2'428 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection discovery persistence rat
Link:
https://tria.ge/reports/251210-mnxc7ayngv/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detected Nirsoft tools
NirSoft MailPassView
Remcos
Remcos family
Malware Config
C2 Extraction:
91.231.222.23:2404
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b366b257-a71b-412a-98a4-1e4208a4233d
Unpacked files
SH256 hash:
29ef990e1995feb5e295d3d701fcbb372fdec1a03b04bf84d061b9fb64b904cb
MD5 hash:
6ee87f01d194f31accb9d09ebb6a541b
SHA1 hash:
679e56551e23dcb2163e39d64aff05367ee49f41
Link:
https://www.unpac.me/results/f5167e31-3d72-493f-90f4-651072646449/
SH256 hash:
f917aef484d1fbb4d723b2e2d3045cb6f5f664e61fbb3d5c577bd1c215de55d9
MD5 hash:
d6f54d2cefdf58836805796f55bfc846
SHA1 hash:
b980addc1a755b968dd5799179d3b4f1c2de9d2d
Link:
https://www.unpac.me/results/f5167e31-3d72-493f-90f4-651072646449/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/29ef990e1995/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/29ef990e1995feb5e295d3d701fcbb372fdec1a03b04bf84d061b9fb64b904cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 29ef990e1995feb5e295d3d701fcbb372fdec1a03b04bf84d061b9fb64b904cb

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/44139/

Comments