MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cd854191967af9ed91f754e88853c195473540a5234a598b8e9dcf69242e48f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 14

Intelligence 14 IOCs YARA 6 File information Comments

SHA256 hash:	2cd854191967af9ed91f754e88853c195473540a5234a598b8e9dcf69242e48f
SHA3-384 hash:	ec5b315ef462d36a641e3e305d736c47215714e096c2de89f8510cd8b7484fe00c961547891c88fa2774a4fdf0a01309
SHA1 hash:	b234861feae61cebe06f78db503a85e3f6c63b07
MD5 hash:	8b8bba173ff1e9db02e517edbf84e2ac
humanhash:	winner-stream-carpet-saturn
File name:	Products Order Pdf.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'647'616 bytes
First seen:	2025-06-17 06:06:31 UTC
Last seen:	2025-07-07 14:03:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7e26f134a5e34bee2532d753267fe55f (1 x RemcosRAT, 1 x DBatLoader)
ssdeep	24576:aC8QIbD6eCzbvnXS3us1id+qcaAFBVtHw0h2qx401O19aO8YMCp2oQPvLNOQP+n:aC2Dqa+s1idYx9Hw0fw9+YXpdQl+
TLSH	T10875DFAA71BD3C37D2872871EC0EC69C781475201F25A6A15AF94F687F3A281F41A35F
TrID	53.5% (.EXE) InstallShield setup (43053/19/16) 17.6% (.EXE) Win32 Executable Delphi generic (14182/79/4) 13.0% (.EXE) Win64 Executable (generic) (10522/11/4) 5.6% (.EXE) Win32 Executable (generic) (4504/4/1) 2.5% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
dhash icon	f8d8d0f0c0d0c0c0 (11 x AveMariaRAT, 10 x AgentTesla, 9 x Formbook)
Reporter	abuse_ch
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

436

Origin country :

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

Products Order Pdf.exe

Verdict:

Malicious activity

Analysis date:

2025-06-17 07:13:00 UTC

Tags:

remcos rat delphi auto-reg

Link:

https://app.any.run/tasks/fc1258be-a84a-4283-9bac-61686ed2c1ec

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/9794/

Detection(s):

Win.Trojan.Modiloader-10042434-0

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Launching a process

Creating a file

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Searching for the window

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Verdict:

Malicious

Labled as:

TrojanDownloader/ModiLoader.a

Link:

https://www.hybrid-analysis.com/sample/2cd854191967af9ed91f754e88853c195473540a5234a598b8e9dcf69242e48f

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/30dfca1a-7996-4740-b49a-d633695d721e

Result

Threat name:

Remcos, DBatLoader

Detection:

malicious

Classification:

rans.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1716146

Signature

Allocates many large memory junks

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to bypass UAC (CMSTPLUA)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Creates autostart registry keys with suspicious names

Detected Remcos RAT

Early bird code injection technique detected

Found malware configuration

Initial sample is a PE file and has a suspicious name

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sigma detected: Suspicious Creation with Colorcpl

Yara detected DBatLoader

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/2cd854191967af9ed91f754e88853c195473540a5234a598b8e9dcf69242e48f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2cd854191967af9ed91f754e88853c195473540a5234a598b8e9dcf69242e48f/

Threat name:

Win32.Trojan.ModiLoader

Status:

Malicious

First seen:

2025-06-17 05:50:31 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ftmfigizm6xz5wi7ovhirbj4dfkhgvakki2klgfy5hopnesc4shq._file

Verdict:

malicious

Label(s):

dbatloader

remcos

Similar samples:

error

RemcosRAT

Result

Malware family:

modiloader

Score:

10/10

Tags:

family:modiloader discovery persistence trojan

Link:

https://tria.ge/reports/250617-gvpzssdr8v/

Behaviour

Modifies registry class

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Adds Run key to start application

Executes dropped EXE

ModiLoader Second Stage

ModiLoader, DBatLoader

Modiloader family

Verdict:

Malicious

Tags:

Win.Trojan.Modiloader-10042434-0

YARA:

n/a

Link:

https://app.threat.zone/submission/70365f64-046b-474d-8b6c-9893c467184c

Unpacked files

SH256 hash:

2cd854191967af9ed91f754e88853c195473540a5234a598b8e9dcf69242e48f

MD5 hash:

8b8bba173ff1e9db02e517edbf84e2ac

SHA1 hash:

b234861feae61cebe06f78db503a85e3f6c63b07

Link:

https://www.unpac.me/results/a1b26848-da1e-4520-a2b0-71f07ce593f0/

Malware family:

DBatLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2cd854191967/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.72

Link:

https://yomi.yoroi.company/submissions/2cd854191967af9ed91f754e88853c195473540a5234a598b8e9dcf69242e48f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	nuso Create hunting rule
Author:	Michelle Khalil
Description:	This rule detects unpacked nuso malware samples.

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/9794/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
RAS_API	Uses Remote Access	rasapi32::RasDialA
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceA kernel32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateFileA kernel32.dll::FindFirstFileA version.dll::GetFileVersionInfoSizeA version.dll::GetFileVersionInfoA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::FindWindowA user32.dll::PeekMessageA user32.dll::PeekMessageW user32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample