MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31ee08e0aad9297988beb54957c0fa5bce2d9b1d0d2c16e4932e247c73c19348. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 31ee08e0aad9297988beb54957c0fa5bce2d9b1d0d2c16e4932e247c73c19348
SHA3-384 hash: e7881b2daf8d622a12f6f2394e32a6f477cde1eae53532c2c13409ec31ef0394b78c23e7517504932651e9c493a88660
SHA1 hash: 96a7cad6f78b9d6e663c6795bd6ec278e4cf4c1a
MD5 hash: 24e4486d679162817cba86e80d8f7b9f
humanhash: berlin-yankee-queen-mirror
File name:RFQ-order_ORD138894_19.08.2025 19_18_11_752.com
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:83'968 bytes
First seen:2025-08-21 08:29:53 UTC
Last seen:2025-08-26 09:12:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 1536:rpjMZKCDV5Ame6CUngfLFtxW1iMZv3ygA+03iQmgsmvhiS34ee/:NMrr1yfQAPyQmgs8V3C/
Threatray 369 similar samples on MalwareBazaar
TLSH T15183C507BA4B8DB1C2485B76CD9F40880360D7C3F693D61A798AD35E1947FEE8941E8B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
91
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
RE RFQ Doc2806317620 - RFP 6008883563 IKS 3118383390.rar
Verdict:
Malicious activity
Analysis date:
2025-08-21 05:57:32 UTC
Tags:
purecrypter netreactor remcos rat remote
Link:
https://app.any.run/tasks/66fc9699-3031-4b7b-8588-81dafc22ed6a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/22741/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a6d93dc2f5296a1a288129
Tags:
autorun spawn virus hype
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connecting to a non-recommended domain
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 masquerade net_reactor obfuscated obfuscated packed
Link:
https://www.filescan.io/uploads/68a6d941a4bdac9f5ba27a99/reports/4c15e2bd-c66f-48bc-9a1e-f384898cacca/overview
Verdict:
Malicious
Labled as:
Trojan.Mardom.IN.Generic
Link:
https://www.hybrid-analysis.com/sample/31ee08e0aad9297988beb54957c0fa5bce2d9b1d0d2c16e4932e247c73c19348
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/85129a87-efef-46b0-a8b5-a3ec0eb9c831
Result
Threat name:
Remcos, PureLog Stealer, ResolverRAT
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1761839
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Drops VBS files to the startup folder
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Remcos
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Yara detected Remcos RAT
Yara detected ResolverRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1761839 Sample: RFQ-order_ORD138894_19.08.2... Startdate: 21/08/2025 Architecture: WINDOWS Score: 100 35 primeline.it.com 2->35 55 Suricata IDS alerts for network traffic 2->55 57 Found malware configuration 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 15 other signatures 2->61 8 RFQ-order_ORD138894_19.08.2025 19_18_11_752.com.exe 15 5 2->8         started        13 wscript.exe 1 2->13         started        signatures3 process4 dnsIp5 37 primeline.it.com 83.217.209.222, 443, 49686, 49696 INF-NET-ASRU Russian Federation 8->37 29 C:\Users\user\AppData\...\DeclaringTypes.exe, PE32 8->29 dropped 31 C:\Users\user\AppData\...\DeclaringTypes.vbs, ASCII 8->31 dropped 33 C:\...\DeclaringTypes.exe:Zone.Identifier, ASCII 8->33 dropped 65 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->65 67 Writes to foreign memory regions 8->67 69 Injects a PE file into a foreign processes 8->69 15 InstallUtil.exe 2 4 8->15         started        71 Windows Scripting host queries suspicious COM object (likely to drop second stage) 13->71 20 DeclaringTypes.exe 14 2 13->20         started        file6 signatures7 process8 dnsIp9 39 212.162.149.164, 443, 49688, 49689 UNREAL-SERVERSUS Netherlands 15->39 27 C:\ProgramData\remcos\logs.dat, data 15->27 dropped 41 Detected Remcos RAT 15->41 43 Contains functionalty to change the wallpaper 15->43 45 Contains functionality to steal Chrome passwords or cookies 15->45 53 4 other signatures 15->53 22 conhost.exe 15->22         started        47 Multi AV Scanner detection for dropped file 20->47 49 Writes to foreign memory regions 20->49 51 Injects a PE file into a foreign processes 20->51 24 InstallUtil.exe 20->24         started        file10 signatures11 process12 signatures13 63 Detected Remcos RAT 24->63
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/31ee08e0aad9297988beb54957c0fa5bce2d9b1d0d2c16e4932e247c73c19348
Verdict:
inconclusive
YARA:
12 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.47 Win 32 Exe x86
Link:
https://app.malva.re/file/24e4486d679162817cba86e80d8f7b9f
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/31ee08e0aad9297988beb54957c0fa5bce2d9b1d0d2c16e4932e247c73c19348/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2025-08-20 20:52:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ghxaryfk3euxtcf6wvevpqh2lphc3gy5buwbnzetfyshy46bsnea._file
Verdict:
malicious
Label(s):
purecrypter
Create hunting rule
Similar samples:
0ad0cd40db5e148d8577e7405007c89d2036e81d6fb7401f77ac9def45db097c
RemcosRAT
25f43614b97cd703a214172c4596149f83065fbfc021a64a1d792a0e9c158718
RemcosRAT
53f30e1593c7a75712d21b5f8d5de7ef1849e2bc6e3a8d064efebf1518517b01
RemcosRAT
8e13758a85fedcb0d0251395c4106c8e9cdf5503cfe47468e39767320c0acdec
RemcosRAT
94d0084fb4121ce1d42f363b54ec8aac2caed34bcbbcf952b8c397cd4be32ecd
RemcosRAT
95926de79055494e25750033367473688c20d71842433d41c48cd787b4639131
RemcosRAT
a651e5d14de7d8c4c4d98bd6c57ee765cc446ded3ccc1c302bc51914e26fd8aa
RemcosRAT
b98ea057f9fd6b40c4cc5918f7132a229d959e1c5a78c4553b446221ad110009
RemcosRAT
error
RemcosRAT
+ 359 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection discovery rat
Link:
https://tria.ge/reports/250821-keg6ss1tgt/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Drops startup file
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Remcos
Remcos family
Malware Config
C2 Extraction:
212.162.149.164:443
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/72b88863-6be1-42a1-89cf-f4c2adba33b5
Unpacked files
SH256 hash:
31ee08e0aad9297988beb54957c0fa5bce2d9b1d0d2c16e4932e247c73c19348
MD5 hash:
24e4486d679162817cba86e80d8f7b9f
SHA1 hash:
96a7cad6f78b9d6e663c6795bd6ec278e4cf4c1a
Link:
https://www.unpac.me/results/a9e57580-a5ad-4193-94b7-d225d728dba1/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/31ee08e0aad9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/31ee08e0aad9297988beb54957c0fa5bce2d9b1d0d2c16e4932e247c73c19348

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 31ee08e0aad9297988beb54957c0fa5bce2d9b1d0d2c16e4932e247c73c19348

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/22741/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments