MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31ceaea6cb2e484b7ff1fdd6dcf0fdd999898548c5b5504e23561acbd1df53a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 20

Intelligence 20 IOCs YARA 4 File information Comments

SHA256 hash:	31ceaea6cb2e484b7ff1fdd6dcf0fdd999898548c5b5504e23561acbd1df53a0
SHA3-384 hash:	b7e01e85f5528aa99d5f4f1fff8949e87e62fb6e8edb772abc057008d4d32a067c31d31177c24d7060de602e8474ff68
SHA1 hash:	335c3d08f52bab55d05f463e2adad1fe8f96978b
MD5 hash:	a4829ee5d4fac80869382053f7f3ebe1
humanhash:	bakerloo-pasta-princess-happy
File name:	31ceaea6cb2e484b7ff1fdd6dcf0fdd999898548c5b5504e23561acbd1df53a0
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'020'416 bytes
First seen:	2025-11-06 11:09:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:UedY38bayeT8re1a+KmR9qEwgQ2t9dDBZJtCNPeUj2b:Uedm8bzeAreUMR95wgQsBxCmUj2b
Threatray	1'746 similar samples on MalwareBazaar
TLSH	T16E25F19C3614F8EEC887D5714EA0DEB4A2246D6AC717C1138AEB1DDFB91CD87DE041A2
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	adrian__luca
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

_31ceaea6cb2e484b7ff1fdd6dcf0fdd999898548c5b5504e23561acbd1df53a0.exe

Verdict:

Malicious activity

Analysis date:

2025-11-06 11:12:54 UTC

Tags:

remcos rat auto-reg

Link:

https://app.any.run/tasks/6053f055-89db-4497-9696-d9c7301309c0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/36055/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=690c8272ea0f3e915c238a9e

Tags:

virus micro msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Connection attempt

Creating a window

Restart of the analyzed sample

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/31ceaea6cb2e484b7ff1fdd6dcf0fdd999898548c5b5504e23561acbd1df53a0

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-21T23:58:00Z UTC

Last seen:

2025-11-06T22:02:00Z UTC

Hits:

~1000

Detections:

Trojan-Dropper.Win32.Injector.sb Trojan-Dropper.Win32.Injector HEUR:Trojan-PSW.MSIL.Agensla.gen Trojan.MSIL.Crypt.sb PDM:Trojan.Win32.Generic Backdoor.Win32.Androm Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb Backdoor.Win32.Remcos.f

Link:

https://opentip.kaspersky.com/31ceaea6cb2e484b7ff1fdd6dcf0fdd999898548c5b5504e23561acbd1df53a0/results?tab=lookup

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/01b3e663-28f2-4de8-a02a-833581d221d9

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/31ceaea6cb2e484b7ff1fdd6dcf0fdd999898548c5b5504e23561acbd1df53a0

Verdict:

inconclusive

YARA:

12 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.70 Win 32 Exe x86

Link:

https://app.malva.re/file/a4829ee5d4fac80869382053f7f3ebe1

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/31ceaea6cb2e484b7ff1fdd6dcf0fdd999898548c5b5504e23561acbd1df53a0/

Verdict:

Malicious

Threat:

Family.REMCOS

Link:

https://tip.neiki.dev/file/31ceaea6cb2e484b7ff1fdd6dcf0fdd999898548c5b5504e23561acbd1df53a0

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2025-10-22 02:58:13 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 37 (70.27%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ghhk5jwlfzeew77r7xlnz4h53gmytbkiyw2vatrdkynmxuo7koqa._file

Verdict:

malicious

Label(s):

unc_loader_037

remcos

RemcosRAT

31ceaea6cb2e484b7ff1fdd6dcf0fdd999898548c5b5504e23561acbd1df53a0

RemcosRAT

8ee17d796838ff6f4a61fad087b4486f2859a516d290215cdf3d731bc167ab56

RemcosRAT

a5feb7f9ad863058e9c223ff48f3bf9ea0a565dfc13ac15d8a79635be5cb82b2

RemcosRAT

e462d1a4674d1c46ee7c3eba187353dc4c6c40863493e67b3d1ab379714f97bb

RemcosRAT

error

RemcosRAT

f76cfb9f0844f53887f9a67c858e29e3c099d26072afb52a850e04306a93a9fd

RemcosRAT

+ 1'736 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost discovery persistence rat

Link:

https://tria.ge/reports/251106-m93gbsal6w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

SmartAssembly .NET packer

Suspicious use of SetThreadContext

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Remcos

Remcos family

Malware Config

C2 Extraction:

104.250.180.178:7902

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/0a49a62a-d319-42df-b026-65d448ef9989

Unpacked files

SH256 hash:

31ceaea6cb2e484b7ff1fdd6dcf0fdd999898548c5b5504e23561acbd1df53a0

MD5 hash:

a4829ee5d4fac80869382053f7f3ebe1

SHA1 hash:

335c3d08f52bab55d05f463e2adad1fe8f96978b

Link:

https://www.unpac.me/results/ac55dadf-359c-43ee-a5d4-94cfde38f89b/

SH256 hash:

9f2bdadb8926bf6157c7487e994ec28657f9415fd2fdf97a5ba82ba12e24046a

MD5 hash:

0e1119a6df48b550ad1353d136297ef3

SHA1 hash:

3f89b2297c1e0a29932eb25741a51538e005d565

Link:

https://www.unpac.me/results/ac55dadf-359c-43ee-a5d4-94cfde38f89b/

SH256 hash:

4bcbeddf9451edcf385044ef84c392806ef29e8c7ed66a24de7102c7ade824eb

MD5 hash:

18729e73bb20b2d2c1fa264afbff3a94

SHA1 hash:

b1d1bda388c281799f038e019f7958dd6ff3dd38

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/ac55dadf-359c-43ee-a5d4-94cfde38f89b/

SH256 hash:

6d0e29ee3a788bd9c6960e1c560572f9bbe5d7ae16e40d7f9237ee2d88d5d536

MD5 hash:

ca5d4ee8a3d4d7b4e6d2b4758f6f6b71

SHA1 hash:

e6204ed9c9a998f19cf0016506bc53dffddf0654

Detections:

win_remcos_w0

win_remcos_auto

Remcos

malware_windows_remcos_rat

win_remcos_rat_unpacked

INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Link:

https://www.unpac.me/results/ac55dadf-359c-43ee-a5d4-94cfde38f89b/

Parent samples :

afcb9a98287b5852b6fd25a60e9fdee42c3039054de5150e3a77e18944ec7c80
fb51ffcffd134849ebc6114eacc45a0bd9f2430188fd33064217df5b4cd41508
75a4146af3520c8bb236cfe21ef507eec5f8a082ab20f4dfad55765b6fc04049
ed68e937c49334eb99ff5ca7bb6b7c45645c3335c11f344f460378a5991323a5
27ca89e42083ae8b80f5ebbf9fd9882630af96303f262b7437aab1b2fb8d256a
55d8ae2d11aeb76c2214d735c46917541ac04febc6b2f8ac998d1173b838b5ce
2c7e7bf4cd14456572dd850552354b46e89d511300f5dce48561a4f347f8d4b2
eb27c96a09f6c81ef8baca23b0024fc1c26dd3c9b2fa0a5b728cb56e1e2425af
31ceaea6cb2e484b7ff1fdd6dcf0fdd999898548c5b5504e23561acbd1df53a0

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/31ceaea6cb2e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.91

Link:

https://yomi.yoroi.company/submissions/31ceaea6cb2e484b7ff1fdd6dcf0fdd999898548c5b5504e23561acbd1df53a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/36055/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample