MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 343a0ffbd5b9eb887a4fb642b6a508e49d75338c94c18404c0c4818b21ab1951. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
RemcosRAT
Vendor detections: 13
| SHA256 hash: | 343a0ffbd5b9eb887a4fb642b6a508e49d75338c94c18404c0c4818b21ab1951 |
|---|---|
| SHA3-384 hash: | b078f944862776b0bd9fadbb065cab2968972e00a296a697131b918d8af2a179f307755f666c05f2cfa706dce8b34587 |
| SHA1 hash: | 56010647b3d71e2ff2cbc51383be45c005e10755 |
| MD5 hash: | 852dbeb154c98f0fc493a64e1a6b2a47 |
| humanhash: | william-emma-mango-social |
| File name: | 343a0ffbd5b9eb887a4fb642b6a508e49d75338c94c18404c0c4818b21ab1951 |
| Download: | download sample |
| Signature | RemcosRAT |
| File size: | 1'226'240 bytes |
| First seen: | 2025-12-08 15:57:21 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger) |
| ssdeep | 24576:lQh2bZCnRveYepqMKDmfC4KOSSn2p6tCMGN:uIARveYkqM3fC41p2TN |
| TLSH | T13945E01A36DA4190E1BB8B34EFBA4A1447F4BA17CA32C75FA15605FDCB1638561233B3 |
| TrID | 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9) |
| Magika | pebin |
| Reporter |  adrian__luca |
| Tags: | exe RemcosRAT |
Intelligence
File Origin
# of uploads :
1
# of downloads :
61
Origin country :
HUVendor Threat Intelligence
No detections
Malware family:
redline
ID:
1
File name:
2to1ep.exe
Verdict:
Malicious activity
Analysis date:
2025-11-29 04:27:33 UTC
Tags:
auto metasploit framework python stealer miner github credentialflusher possible-phishing stealc evasion xenorat rat purecrypter clickfix clipper diamotrix discord metastealer redline phishing httpdebugger tool anti-evasion vidar blankgrabber lumma njrat bladabindi nanocore pyinstaller snake keylogger cryptowall ransomware telegram networm amus wannacry cryptolocker lokibot screenshot susp-powershell ims-api generic quasar autohotkey neshta cobaltstrike backdoor remote xworm xmrig koadic donutloader loader purelogs koistealer remcos guloader agenttesla tinynuke asyncrat svc rhadamanthys havoc coinminer masslogger muckstealer
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Detection(s):
Verdict:
Malicious
Score:
93.3%
Tags:
virus micro msil
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Creating a file
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-27T09:33:00Z UTC
Last seen:
2025-11-27T10:51:00Z UTC
Hits:
~10
Gathering data
Score:
100%
Verdict:
Malware
File Type:
PE
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.84 Win 32 Exe x86
Threat name:
Win32.Backdoor.Remcos
Status:
Malicious
First seen:
2025-11-28 04:47:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
46
AV detection:
17 of 24 (70.83%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
purecrypter
remcos
Result
Malware family:
n/a
Score:
7/10
Tags:
discovery
Behaviour
System Location Discovery: System Language Discovery
.NET Reactor proctector
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Unpacked files
SH256 hash:
7d1cc6c6774669872f14a75de73e3e785ef6d063a0c4c817d147e2078d77a61a
MD5 hash:
8445f7f856e34e9303600d717579a6c6
SHA1 hash:
28a54b1d1f14812e3c5fe68cf779c9117c098091
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
INDICATOR_EXE_Packed_DotNetReactor
Parent samples :
3cf22298d51538e4c37de996647c085369b9760381ee876225897ea56ca049b9
326b0eb2cdd03a3ab23d83774222769245b2bbe689ba22856273f4fa119b3054
c87c4280f8b9c6bf09c0ac878f0f5d0b1ffaf1cf0627acecd0585e79f5d4b2eb
e344fe526e15e7a798d965e12fa66bbae99c620e2bac85cea2cf39da91e1c2a9
cdefe4487062cf4feeee912c4842224c9f9ee066574205d31efa87aee71f2073
f73987513db8c06902182a46cd5d43b8d1fbcc8cb167b0b3c7ad45b6f482b64c
b02b279161596d4cfb6a031d2354460ab7d4918b0963f24a24560c2014ca9251
f8aa02fae887ea80156c2e8be3940405bfc612434d7efae60320a802a9d15a93
9cc00b1af48acb7af7f3c53d0a1adbe928d4bda26273dd955120ca138bdf2eca
73b63721491b5e5a01059fa28d122d5002710964e3e1ed13450d39e716abf968
d1dac84e05c1f6d563953e4966b4a15dda5ad228298cb9ffaa904108a1e03409
6e2f8c1a53a04332f9e7df00b6b0fc583e7c1dd20d570f503b57294c5e6b977f
a6cb841d8ae8fdf6631fa2e8235f07b946cc38fd08a67e542cdc697506faf462
7f686552b74e86a919d7c4ef8eee991bdc70a3558d886a70ed8a879ecb9781af
2f4de4bd0ba8bff96a2b2f8fe3703d0bea4dac48f6442cbd75677b3da8a4bb4f
db64be725daa15a212f1915938a94b30193123965c66ab4fbf1cbd41643a4e2f
641380dbf40445ebdda6a4fbf21ad32c7e9903fc5ec1c92081e77fc1716e58f0
51e8bfd578ae4e51206ad57e2bf501067e84ee7d0307ada70a1f3a35d907a1bd
6b43ebd7427305bd0d27f813d8a8e7d3c2fbd81a1d150d9d71be3b36461ed9c5
cd100ddc8f101788f2f74afcf44e9cbfcd41139431901c8783505f551986b2a7
1428f464af6827605e046bb527b1f0bef17827bfc495bc61bb663789ea93cd95
7abc66114083c1af5345a564369c5a9a57ede5dc4f8018c679d6fa2073781c19
594c365596c21b70b4e929a54e88f0abdc2f8641956817881418a57508484912
343a0ffbd5b9eb887a4fb642b6a508e49d75338c94c18404c0c4818b21ab1951
2ce473b1702af7cd8c8a391fcaf6e4d6b8687100ee6518e52a02adfc86735dee
e05eeb1ac0c6722a64e69f2fad8dba483cfdfe97a60f2bd123c4fb33715c419f
2f6fa9fa9d46eda7bb675550fff9ce2b075ac46bdbf95a2e3e46aa72b06aa84c
9729a8886a3c9c58f6aff691fa8a812531d7504b1060fe9092206cb39f6ab860
7ab3bc53197f4ab531bf0f24e2ad22f1f199a6f3225099506a49d57f03868dbe
ec831b1de5e2d9c38a3ebd096ef9af1425abc2a866cb042a31600d98c64b5740
326b0eb2cdd03a3ab23d83774222769245b2bbe689ba22856273f4fa119b3054
c87c4280f8b9c6bf09c0ac878f0f5d0b1ffaf1cf0627acecd0585e79f5d4b2eb
e344fe526e15e7a798d965e12fa66bbae99c620e2bac85cea2cf39da91e1c2a9
cdefe4487062cf4feeee912c4842224c9f9ee066574205d31efa87aee71f2073
f73987513db8c06902182a46cd5d43b8d1fbcc8cb167b0b3c7ad45b6f482b64c
b02b279161596d4cfb6a031d2354460ab7d4918b0963f24a24560c2014ca9251
f8aa02fae887ea80156c2e8be3940405bfc612434d7efae60320a802a9d15a93
9cc00b1af48acb7af7f3c53d0a1adbe928d4bda26273dd955120ca138bdf2eca
73b63721491b5e5a01059fa28d122d5002710964e3e1ed13450d39e716abf968
d1dac84e05c1f6d563953e4966b4a15dda5ad228298cb9ffaa904108a1e03409
6e2f8c1a53a04332f9e7df00b6b0fc583e7c1dd20d570f503b57294c5e6b977f
a6cb841d8ae8fdf6631fa2e8235f07b946cc38fd08a67e542cdc697506faf462
7f686552b74e86a919d7c4ef8eee991bdc70a3558d886a70ed8a879ecb9781af
2f4de4bd0ba8bff96a2b2f8fe3703d0bea4dac48f6442cbd75677b3da8a4bb4f
db64be725daa15a212f1915938a94b30193123965c66ab4fbf1cbd41643a4e2f
641380dbf40445ebdda6a4fbf21ad32c7e9903fc5ec1c92081e77fc1716e58f0
51e8bfd578ae4e51206ad57e2bf501067e84ee7d0307ada70a1f3a35d907a1bd
6b43ebd7427305bd0d27f813d8a8e7d3c2fbd81a1d150d9d71be3b36461ed9c5
cd100ddc8f101788f2f74afcf44e9cbfcd41139431901c8783505f551986b2a7
1428f464af6827605e046bb527b1f0bef17827bfc495bc61bb663789ea93cd95
7abc66114083c1af5345a564369c5a9a57ede5dc4f8018c679d6fa2073781c19
594c365596c21b70b4e929a54e88f0abdc2f8641956817881418a57508484912
343a0ffbd5b9eb887a4fb642b6a508e49d75338c94c18404c0c4818b21ab1951
2ce473b1702af7cd8c8a391fcaf6e4d6b8687100ee6518e52a02adfc86735dee
e05eeb1ac0c6722a64e69f2fad8dba483cfdfe97a60f2bd123c4fb33715c419f
2f6fa9fa9d46eda7bb675550fff9ce2b075ac46bdbf95a2e3e46aa72b06aa84c
9729a8886a3c9c58f6aff691fa8a812531d7504b1060fe9092206cb39f6ab860
7ab3bc53197f4ab531bf0f24e2ad22f1f199a6f3225099506a49d57f03868dbe
ec831b1de5e2d9c38a3ebd096ef9af1425abc2a866cb042a31600d98c64b5740
SH256 hash:
343a0ffbd5b9eb887a4fb642b6a508e49d75338c94c18404c0c4818b21ab1951
MD5 hash:
852dbeb154c98f0fc493a64e1a6b2a47
SHA1 hash:
56010647b3d71e2ff2cbc51383be45c005e10755
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | CP_Script_Inject_Detector |
|---|---|
| Author: | DiegoAnalytics |
| Description: | Detects attempts to inject code into another process across PE, ELF, Mach-O binaries |
| Rule name: | DebuggerCheck__API |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DetectEncryptedVariants |
|---|---|
| Author: | Zinyth |
| Description: | Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded |
| Rule name: | FreddyBearDropper |
|---|---|
| Author: | Dwarozh Hoshiar |
| Description: | Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip. |
| Rule name: | golang_bin_JCorn_CSC846 |
|---|---|
| Author: | Justin Cornwell |
| Description: | CSC-846 Golang detection ruleset |
| Rule name: | iexplorer_remcos |
|---|---|
| Author: | iam-py-test |
| Description: | Detect iexplorer being taken over by Remcos |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer |
|---|---|
| Author: | ditekSHen |
| Description: | detects Windows exceutables potentially bypassing UAC using eventvwr.exe |
| Rule name: | NET |
|---|---|
| Author: | malware-lu |
| Rule name: | NETexecutableMicrosoft |
|---|---|
| Author: | malware-lu |
| Rule name: | pe_detect_tls_callbacks |
|---|
| Rule name: | pe_imphash |
|---|
| Rule name: | RANSOMWARE |
|---|---|
| Author: | ToroGuitar |
| Rule name: | Remcos |
|---|---|
| Author: | kevoreilly |
| Description: | Remcos Payload |
| Rule name: | REMCOS_RAT_variants |
|---|
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
| Rule name: | ThreadControl__Context |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | Windows_Trojan_Remcos_b296e965 |
|---|---|
| Author: | Elastic Security |
| Reference: | https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set |
| Rule name: | win_remcos_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | Detects win.remcos. |
| Rule name: | win_remcos_rat_unpacked |
|---|---|
| Author: | Matthew @ Embee_Research |
| Description: | Detects strings present in remcos rat Samples. |
| Rule name: | win_remcos_w0 |
|---|---|
| Author: | Matthew @ Embee_Research |
| Description: | Detects strings present in remcos rat Samples. |
| Rule name: | yarahub_win_remcos_rat_unpacked_aug_2023 |
|---|---|
| Author: | Matthew @ Embee_Research |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.