MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30c7705fa01e39d97684b46547a73d3e4cc93f1d0909f9cfb0161a538032cecc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 30c7705fa01e39d97684b46547a73d3e4cc93f1d0909f9cfb0161a538032cecc
SHA3-384 hash: ed9374ee1509e4f5ff198c9b25b5bfc43e76486ce86be56f492085c2443a4e0999bda556c28dea0e45f38184c399ae0f
SHA1 hash: 37ba1e9c2006cf24e65c810ea3a2d63755404297
MD5 hash: 25029c262c48db9ff12578cfc36d5f53
humanhash: massachusetts-saturn-monkey-hotel
File name:rFedexShippingDocument.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'667'584 bytes
First seen:2025-10-23 14:30:07 UTC
Last seen:2025-10-24 07:27:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 080f6115fbed3f9c6472d51d1ea66846 (8 x a310Logger, 2 x DBatLoader, 1 x XWorm)
ssdeep 24576:EW8UvDw/+5nbjcVMplER4QQPq6ZuVFpR8eB8JqCpxI6zbiejRD0Ec7U7+vnKCZSH:Eiq9yqQm8eyXbiYRbHCnK9
TLSH T1E475D012EE428D3AF02E3539D82BDAD5152D7EE02E14B81E7AFD3A4C6F3D5D32516092
TrID 45.4% (.EXE) Win64 Executable (generic) (10522/11/4)
19.4% (.EXE) Win32 Executable (generic) (4504/4/1)
8.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
8.7% (.EXE) OS/2 Executable (generic) (2029/13)
8.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter FXOLabs
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
122
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
rFedexShippingDocument.exe
Verdict:
Malicious activity
Analysis date:
2025-10-23 14:33:00 UTC
Tags:
auto-sch remcos rat
Link:
https://app.any.run/tasks/6a982bbc-1ed7-4050-8b08-d922ba9044a8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/33911/
Detection(s):
Porcupine.Win32.Downloader.ModiLoader.AIS.446931.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68fa3c363bdc93eb0563818d
Tags:
delphi emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Setting a keyboard event handler
Moving of the original file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Connection attempt to an infection source
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context borland_delphi fingerprint keylogger masquerade obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/68fa3c26c85c5c569733cbdc/reports/4acfd308-bc86-4ca8-9cf4-78188d7393c7/overview
Verdict:
Malicious
Labled as:
TrojanDownloader/ModiLoader.a
Link:
https://www.hybrid-analysis.com/sample/30c7705fa01e39d97684b46547a73d3e4cc93f1d0909f9cfb0161a538032cecc
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-23T03:54:00Z UTC
Last seen:
2025-10-25T02:06:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/30c7705fa01e39d97684b46547a73d3e4cc93f1d0909f9cfb0161a538032cecc/results?tab=lookup
Malware family:
ModiLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/497eb630-9138-4d64-a3ee-fab0b0a2434a
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/30c7705fa01e39d97684b46547a73d3e4cc93f1d0909f9cfb0161a538032cecc
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/25029c262c48db9ff12578cfc36d5f53
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/30c7705fa01e39d97684b46547a73d3e4cc93f1d0909f9cfb0161a538032cecc/
Threat name:
Win32.Trojan.DBatLoader
Create hunting rule
Status:
Malicious
First seen:
2025-10-23 07:34:40 UTC
File Type:
PE (Exe)
Extracted files:
47
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gddxax5ady45s5uewrsupjz5hzgmspy5bee7tt5qcynfhabsz3ga._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
Similar samples:
error
RemcosRAT
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader discovery execution persistence trojan
Link:
https://tria.ge/reports/251023-rvnrvafp4y/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Network Configuration Discovery: Internet Connection Discovery
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/de16bd6c-5ba2-4878-9b09-73633a036016
Unpacked files
SH256 hash:
30c7705fa01e39d97684b46547a73d3e4cc93f1d0909f9cfb0161a538032cecc
MD5 hash:
25029c262c48db9ff12578cfc36d5f53
SHA1 hash:
37ba1e9c2006cf24e65c810ea3a2d63755404297
Link:
https://www.unpac.me/results/cf780cd7-975c-4741-8234-3c7e5bd02c81/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/30c7705fa01e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/30c7705fa01e39d97684b46547a73d3e4cc93f1d0909f9cfb0161a538032cecc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 30c7705fa01e39d97684b46547a73d3e4cc93f1d0909f9cfb0161a538032cecc

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/33911/

Comments