MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 319b75ccfd07cc7aaed69cd1e1363846480ef7b8ee532f0cc13e7631c1bfae9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 30 File information Comments

SHA256 hash: 319b75ccfd07cc7aaed69cd1e1363846480ef7b8ee532f0cc13e7631c1bfae9a
SHA3-384 hash: 753f71128c975c6864263dfd42997140f8a605f386bbe2f10d93ffbeae28acf3fccd13fab0432553507f7e29ba3ce7d1
SHA1 hash: 465fbb6d799dadc8a851e76b325649bed61818d9
MD5 hash: ce163245770bfa3d5e039aa2bf5b44ff
humanhash: hotel-nineteen-nebraska-west
File name:319b75ccfd07cc7aaed69cd1e1363846480ef7b8ee532f0cc13e7631c1bfae9a
Download: download sample
Signature RemcosRAT
File size:423'912 bytes
First seen:2026-07-07 14:19:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e2a592076b17ef8bfb48b7e03965a3fc (419 x GuLoader, 63 x RemcosRAT, 50 x AgentTesla)
ssdeep 6144:spkXGhE4TrIg1+MoMRAjKOvF72AJOufkPYrz90hY0YPOOHSZX:JiTrIg1+eaj57kPY/OWrOOyZX
TLSH T17294F1883F68ED0BD5E48C344DB4FA2B92B89DA04D87B702DB623D4CBD397C47949616
TrID 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 61f09aa8b2bc9800 (2 x GuLoader, 1 x RemcosRAT)
Reporter adrian__luca
Tags:exe RemcosRAT signed

Code Signing Certificate

Organisation:Soggier
Issuer:Soggier
Algorithm:sha256WithRSAEncryption
Valid from:2026-04-30T10:05:44Z
Valid to:2027-04-30T10:05:44Z
Serial number: 6aceb432e9b9dcd815cc00755bd2647de4ca59cd
Thumbprint Algorithm:SHA256
Thumbprint: e91ab7656dcbc8b0d4f0d2f135c73738b0e7e57a552458e5d58f4c28bfc2f594
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads :
1
# of downloads :
51
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
GuLoader NSIS
Details
Verdict:
Malicious
Score:
90.2%
Tags:
injection obfusc virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Creating a file in the %temp% subdirectories
Unauthorized injection to a recently created process
Restart of the analyzed sample
Changing a file
Launching a service
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Сreating synchronization primitives
Setting a keyboard event handler
Connection attempt to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug installer installer installer-heuristic microsoft_visual_cc nsis reconnaissance signed
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-06-11T01:55:00Z UTC
Last seen:
2026-07-08T10:36:00Z UTC
Hits:
~1000
Gathering data
Threat name:
Win32.Malware.Heuristic
Status:
Malicious
First seen:
2026-06-11 05:38:17 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
19 of 36 (52.78%)
Threat level:
  2/5
Result
Malware family:
Score:
  10/10
Tags:
family:guloader family:remcos botnet:remotehost adware discovery downloader persistence rat spyware
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Contacts third-party web service commonly abused for C2
Loads dropped DLL
Family: Guloader,Cloudeye
Family: Remcos
Malware Config
C2 Extraction:
204.10.160.254:2404
Unpacked files
SH256 hash:
319b75ccfd07cc7aaed69cd1e1363846480ef7b8ee532f0cc13e7631c1bfae9a
MD5 hash:
ce163245770bfa3d5e039aa2bf5b44ff
SHA1 hash:
465fbb6d799dadc8a851e76b325649bed61818d9
SH256 hash:
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
MD5 hash:
a4dd044bcd94e9b3370ccf095b31f896
SHA1 hash:
17c78201323ab2095bc53184aa8267c9187d5173
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_NSIS_Nullsoft_Installer
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:Disable_Defender
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:NSIS
Author:kevoreilly
Description:NSIS Integrity Check function
Rule name:pe_detect_tls_callbacks
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:Remcos
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Rule name:Remcos_unpacked_PulseIntel
Author:PulseIntel
Description:Remcos Payload
Rule name:Sus_All_Windows_PE_Malware
Author:DiegoAnalytics
Description:Detects Windows PE malware of all types, avoids non-executables like .html
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:Windows_Trojan_Remcos_921ef449
Author:Elastic Security
Rule name:Windows_Trojan_Remcos_b296e965
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
Rule name:win_remcos_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:win_remcos_rat_unpacked
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:win_remcos_w0
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:yarahub_win_remcos_rat_unpacked_aug_2023
Author:Matthew @ Embee_Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments