MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3703d16f10ecd7ded0bb82164cdd5757d2b992cec36a4d7082beae0af3d7fe26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 20

Intelligence 20 IOCs YARA 5 File information Comments

SHA256 hash:	3703d16f10ecd7ded0bb82164cdd5757d2b992cec36a4d7082beae0af3d7fe26
SHA3-384 hash:	2e51c7850fb1dcfc136b81284a31628a59176a491e4cc1a4f9e6b7ae2439f49f51e39cb383bf8b9c1083e1a9f07331e2
SHA1 hash:	69bad1478fd6ba6dd9109ef5f688022a4e765826
MD5 hash:	38255356e2a23f7e942a7641cd55e9d9
humanhash:	magazine-jupiter-oklahoma-indigo
File name:	3703d16f10ecd7ded0bb82164cdd5757d2b992cec36a4d7082beae0af3d7fe26
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'329'664 bytes
First seen:	2026-06-08 08:35:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (49'066 x AgentTesla, 20'011 x Formbook, 12'352 x SnakeKeylogger)
ssdeep	24576:DL54TS19PJ2r/p/WcyeOGH3T7KqPPQfzd5/9fOZU+j1z:5449PJ6/BWcLOyLAp9xOZHhz
TLSH	T17F551254320BCE12C8A24BF04860D3B456798D99D816E3179FEABDEFF8BE74539442D2
TrID	73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.6% (.EXE) Win64 Executable (generic) (6522/11/2) 4.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	adrian__luca
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

RoboSki

Details

Link:

https://research.acce.ciphertechsolutions.com/results/089d5736-b50c-4e4c-930f-79f4d07e1665/

Malware family:

remcos

ID:

File name:

_3703d16f10ecd7ded0bb82164cdd5757d2b992cec36a4d7082beae0af3d7fe26.exe

Verdict:

Malicious activity

Analysis date:

2026-06-08 08:51:42 UTC

Tags:

remcos rat auto-reg netreactor

Link:

https://app.any.run/tasks/8222ce86-e1c5-445a-8da9-28319bae0219

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/69566/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a2680903e9eff6a6b68b3a3

Tags:

virus micro msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Launching a process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6a267f12bf16337e43bb0d87/reports/d5ae3ec1-22c5-4779-9898-1b731818254a/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/3703d16f10ecd7ded0bb82164cdd5757d2b992cec36a4d7082beae0af3d7fe26

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-05-25T06:39:00Z UTC

Last seen:

2026-06-08T07:43:00Z UTC

Hits:

~10

Detections:

Trojan.MSIL.Crypt.sb Trojan-Dropper.Win32.Injector.sb HEUR:Trojan-Spy.MSIL.Noon.gen Backdoor.Win32.Androm.sb Trojan.Agent.HTTP.C&C PDM:Trojan.Win32.Generic Trojan.MSIL.Inject.sb Trojan.MSIL.Dnoper.sb

Link:

https://opentip.kaspersky.com/3703d16f10ecd7ded0bb82164cdd5757d2b992cec36a4d7082beae0af3d7fe26/results?tab=lookup

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9d727430-ea20-4c0c-b7e5-e2b410f49aa6

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3703d16f10ecd7ded0bb82164cdd5757d2b992cec36a4d7082beae0af3d7fe26

Gathering data

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/3703d16f10ecd7ded0bb82164cdd5757d2b992cec36a4d7082beae0af3d7fe26/

Verdict:

Malicious

Threat:

Family.REMCOS

Link:

https://tip.neiki.dev/file/3703d16f10ecd7ded0bb82164cdd5757d2b992cec36a4d7082beae0af3d7fe26

Threat name:

Win32.Backdoor.FormBook

Status:

Malicious

First seen:

2026-06-08 08:42:17 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 36 (63.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=g4b5c3yq5tl55uf3qilezxkxk7jltewoynve24ecx2xav46x7yta._file

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:host discovery execution persistence rat

Link:

https://tria.ge/reports/260608-kh4h7saw7r/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Browser Information Discovery

System Location Discovery: System Language Discovery

System Time Discovery

Drops file in Program Files directory

Drops file in Windows directory

Suspicious use of SetThreadContext

Adds Run key to start application

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Family: Remcos

Malware Config

C2 Extraction:

93.177.75.2:2467

Unpacked files

SH256 hash:

3703d16f10ecd7ded0bb82164cdd5757d2b992cec36a4d7082beae0af3d7fe26

MD5 hash:

38255356e2a23f7e942a7641cd55e9d9

SHA1 hash:

69bad1478fd6ba6dd9109ef5f688022a4e765826

Link:

https://www.unpac.me/results/8ed8f8ec-5e65-4d3e-821d-91897c8cf701/

SH256 hash:

4eba2713fae97b0b2c884365899f9603fc65ce0aeb741ba6818316e66b635734

MD5 hash:

8351f2c22885d8fc6fdf4a8b247bc011

SHA1 hash:

6e992b14b3978171f434b5ecd78875d856ce9bc5

Link:

https://www.unpac.me/results/8ed8f8ec-5e65-4d3e-821d-91897c8cf701/

SH256 hash:

da5dba78be66da201aa9adcf3e92a997c5744427c6c38f51917609c8850e4a4d

MD5 hash:

13caf94f8e7a8279fd3f0808cf4f8b20

SHA1 hash:

7541977f0b075a96bbb9d28a59241e871bd6d7b5

Link:

https://www.unpac.me/results/8ed8f8ec-5e65-4d3e-821d-91897c8cf701/

SH256 hash:

08591aacfe0eadda6412124cb05450a94f1d6728067f5ab6e463b12a362cb502

MD5 hash:

fc6adf258690c584f56e921df88480d1

SHA1 hash:

e89db086d97bc84015ff59e9a975d8053b925d63

Detections:

win_remcos_auto

win_remcos_w0

Remcos

Link:

https://www.unpac.me/results/8ed8f8ec-5e65-4d3e-821d-91897c8cf701/

Parent samples :

3703d16f10ecd7ded0bb82164cdd5757d2b992cec36a4d7082beae0af3d7fe26
c8ba6b850929e8a3b4dc36c9a983942dcb1fea134f7c3131a2e839cdfc5bb097

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3703d16f10ec/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3703d16f10ecd7ded0bb82164cdd5757d2b992cec36a4d7082beae0af3d7fe26

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/69566/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample