MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 352241ec9505c1272f5ad3f2b9891d8f4552d41b968ebacdb619ab5fd7a80cc6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 6

Intelligence 6 IOCs YARA 15 File information Comments

SHA256 hash:	352241ec9505c1272f5ad3f2b9891d8f4552d41b968ebacdb619ab5fd7a80cc6
SHA3-384 hash:	b5193c94f2a03a43b0de01806e09b3620162924ac7030a967f9e4a1b8fe50d4a5fc402ea7de96d37301d0834b5f83230
SHA1 hash:	b053c3084900c433606d303d27aa2cc3043a5d63
MD5 hash:	75190ef5e0170e4a79061cf9ec8eb169
humanhash:	social-winner-quiet-video
File name:	§$&()blance500%&00§$&09finalrevised.zip
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'493 bytes
First seen:	2025-07-03 10:28:18 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	24:9lIbwff+qb1o85/1vQTL+5+jAtrsPajOkibhLioccEZCSpThvc8TC0FSnT0bwffj:9lIUnRlaqroP1kiNryZCy3T7SnT0UnE2
TLSH	T12731C96E5651C367C8E62A707BD433071D823522C6B89AFA165C7A902CCB39E79E0428
Magika	zip
Reporter	cocaman
Tags:	payment RemcosRAT Shipping zip

cocaman

Malicious email (T1566.001)
From: "SINOSTEEL SHIPPING & FORWARDING JIANGSU CO.,LTD. <info@server84456.cc>" (likely spoofed)
Received: "from server84456.cc (server84456.cc [192.3.255.161]) "
Date: "2 Jul 2025 08:05:14 +0200"
Subject: "FA25271NAFTAL-KHROUB-OUTSTANDING-29062025165341JUNE 2025 SOA PAYMENT"
Attachment: "§$&()blance500%&00§$&09finalrevised.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	oustanding!§$&()blance500%&00§$&09finalrevised.lnk
File size:	3'163 bytes
SHA256 hash:	292ef9c837eb247376d40aec091bac4b2ca4195d15614895cc4629d4b62d4604
MD5 hash:	dc733f068184e3adba0100f33a8ee55a
MIME type:	application/octet-stream
Signature	RemcosRAT

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Foxhole.Lnk_Zip_1.UNOFFICIAL

Sanesecurity.Malware.28759.LnkHeur.UNOFFICIAL

SecuriteInfo.com.Trojan.DownLoader27.44133.18524.18730.UNOFFICIAL

Gathering data

Result

Verdict:

Unknown

File Type:

ZIP File

Link:

https://app.docguard.net/352241ec9505c1272f5ad3f2b9891d8f4552d41b968ebacdb619ab5fd7a80cc6/results/dashboard

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug base64 dropper evasive masquerade overlay powershell

Link:

https://www.filescan.io/uploads/68665b85714e106cecbac487/reports/bc9d1dcd-0ae3-4317-a5b5-dc9ad1431308/overview

Verdict:

Malware

YARA:

3 match(es)

Tags:

Batch Command DeObfuscated Execution: CMD in LNK Execution: PowerShell in LNK LNK LOLBin LOLBin:powershell.exe Malicious PowerShell PowerShell Call T1059.001 T1059.003 T1202: Indirect Command Execution T1204.002 Zip Archive

Link:

https://app.malva.re/file/75190ef5e0170e4a79061cf9ec8eb169

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/352241ec9505c1272f5ad3f2b9891d8f4552d41b968ebacdb619ab5fd7a80cc6/

Verdict:

Malicious

Threat:

Shortcut.Trojan.Pantera

Link:

https://tip.neiki.dev/file/352241ec9505c1272f5ad3f2b9891d8f4552d41b968ebacdb619ab5fd7a80cc6

Threat name:

Shortcut.Trojan.Pantera

Status:

Malicious

First seen:

2025-07-02 00:45:24 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

21 of 36 (58.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gured3evaxasol222pzltci5r5cvfva3s2hlvtnwdgvv7v5ibtda._file

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/250703-pagfxsw1hs/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/352241ec9505c1272f5ad3f2b9891d8f4552d41b968ebacdb619ab5fd7a80cc6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_Remcos_RAT Create hunting rule
Author:	daniyyell
Description:	Detects Remcos RAT payloads and commands

Rule name:	EXT_EXPL_ZTH_LNK_EXPLOIT_A Create hunting rule
Author:	Peter Girnus
Description:	This YARA file detects padded LNK files designed to exploit ZDI-CAN-25373.
Reference:	https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html

Rule name:	LNK_sospechosos Create hunting rule
Author:	Germán Fernández
Description:	Detecta archivos .lnk sospechosos

Rule name:	PS_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies PowerShell artefacts in shortcut (LNK) files.

Rule name:	SUSP_LNK_PowerShell Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects the reference to powershell inside an lnk file, which is suspicious

Rule name:	SUSP_ZIP_LNK_PhishAttachment Create hunting rule
Author:	ignacior
Description:	Detects suspicius tiny ZIP files with malicious lnk files
Reference:	Internal Research

Rule name:	SUSP_ZIP_LNK_PhishAttachment_Pattern_Jun22_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects suspicious tiny ZIP files with phishing attachment characteristics
Reference:	Internal Research

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)