MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38c41cc8ae7a37a03db5919d8972d76fd7c8aced886fd25c1ef912927e5d8df6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 38c41cc8ae7a37a03db5919d8972d76fd7c8aced886fd25c1ef912927e5d8df6
SHA3-384 hash: 4c6bfae2e70fb27fce2f58ba48ce4851faef0f1cc13595b21e7538a97964899af8c14470fb6a3102f0a559d0dd724840
SHA1 hash: 48f4be93a4595ae56f4b37e0b65e727b3bbc0660
MD5 hash: c92ae00736f9a249533c980d7f5a5d5c
humanhash: johnny-sink-earth-enemy
File name:PO221000004931-pdf.wsf
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:75'822 bytes
First seen:2026-02-04 09:30:41 UTC
Last seen:Never
File type:
MIME type:text/xml
ssdeep 768:v/Yp4KapwUZxkZBsaCZ8QYJWH9JZcKV2pMCfobuDCCurJPwk1gvhqUBi/y6+vi:v/NKapLmsa28Pk3+w2ptfNuZ1d6AyPi
Threatray 2'511 similar samples on MalwareBazaar
TLSH T10873A330CB552FD56D7737B9AB02755881F983810D321D91FEA80609763EC98BEAF2D8
TrID 44.4% (.WSF) Windows Script File (8000/1/2)
27.7% (.SMI/SMIL) Synchronized Multimedia Integration Language (5001/2/2)
27.7% (.XML) Generic XML (ASCII) (5000/1)
Magika txt
Reporter abuse_ch
Tags:RemcosRAT wsf

Intelligence

File Origin
# of uploads :
1
# of downloads :
61
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.GT.VB.EmoooDldr.14.4D8F6468.9279.3357.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69830c2f9a60ec70d92cae93
Tags:
obfuscate xtreme sage
Verdict:
Malicious
Labled as:
GT:VB.EmoooDldr.14
Link:
https://www.hybrid-analysis.com/sample/38c41cc8ae7a37a03db5919d8972d76fd7c8aced886fd25c1ef912927e5d8df6
Verdict:
Malicious
File Type:
wsf
First seen:
2026-02-04T00:40:00Z UTC
Last seen:
2026-02-05T05:57:00Z UTC
Hits:
~1000
Detections:
HEUR:Trojan.Script.SAgent.gen Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/38c41cc8ae7a37a03db5919d8972d76fd7c8aced886fd25c1ef912927e5d8df6/results?tab=lookup
Result
Threat name:
Remcos, GuLoader
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1863121
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Detected Remcos RAT
Early bird code injection technique detected
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a MSI (Microsoft Installer) remotely
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queues an APC in another process (thread injection)
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Unusual module load detection (module proxying)
Uses ping.exe to check the status of other devices and networks
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes or reads registry keys via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1863121 Sample: PO221000004931-pdf.wsf Startdate: 04/02/2026 Architecture: WINDOWS Score: 100 72 cee-tyla-06.ydns.eu 2->72 74 Classic6637.6637.6637.657e 2->74 76 8 other IPs or domains 2->76 82 Suricata IDS alerts for network traffic 2->82 84 Found malware configuration 2->84 86 Malicious sample detected (through community Yara rule) 2->86 88 13 other signatures 2->88 9 powershell.exe 18 2->9         started        12 wscript.exe 1 2->12         started        14 powershell.exe 13 2->14         started        16 powershell.exe 2->16         started        signatures3 process4 signatures5 126 Early bird code injection technique detected 9->126 128 Suspicious powershell command line found 9->128 130 Obfuscated command line found 9->130 138 6 other signatures 9->138 18 msiexec.exe 6 10 9->18         started        23 msiexec.exe 9->23         started        25 conhost.exe 9->25         started        132 VBScript performs obfuscated calls to suspicious functions 12->132 134 Wscript starts Powershell (via cmd or directly) 12->134 136 Uses ping.exe to check the status of other devices and networks 12->136 140 3 other signatures 12->140 27 powershell.exe 14 18 12->27         started        37 2 other processes 12->37 29 powershell.exe 15 14->29         started        31 conhost.exe 14->31         started        33 powershell.exe 16->33         started        35 conhost.exe 16->35         started        process6 dnsIp7 78 cee-tyla-06.ydns.eu 217.64.148.157, 49698, 49699, 59713 OBE-EUROPEObenetworkEuropeSE Sweden 18->78 66 C:\Users\user\AppData\Local\Temp\TH6E6.tmp, MS-DOS 18->66 dropped 68 C:\Users\user\AppData\Local\Temp\TH687.tmp, MS-DOS 18->68 dropped 70 C:\Users\user\AppData\Local\Temp\TH667.tmp, MS-DOS 18->70 dropped 90 Detected Remcos RAT 18->90 92 Obfuscated command line found 18->92 94 Writes to foreign memory regions 18->94 96 Maps a DLL or memory area into another process 18->96 39 RmClient.exe 2 18->39         started        42 RmClient.exe 1 18->42         started        56 3 other processes 18->56 98 Found hidden mapped module (file has been removed from disk) 23->98 100 Unusual module load detection (module proxying) 23->100 102 Switches to a custom stack to bypass stack traces 23->102 80 zantrum.life 192.124.216.133, 443, 49691, 49697 EMBANK-ASRU Russian Federation 27->80 104 Found suspicious powershell code related to unpacking or dynamic code loading 27->104 44 conhost.exe 27->44         started        106 Early bird code injection technique detected 29->106 108 Installs a MSI (Microsoft Installer) remotely 29->108 46 msiexec.exe 29->46         started        48 msiexec.exe 29->48         started        50 msiexec.exe 33->50         started        52 msiexec.exe 33->52         started        54 conhost.exe 37->54         started        file8 signatures9 process10 signatures11 110 Tries to steal Mail credentials (via file registry) 39->110 112 Tries to harvest and steal browser information (history, passwords, etc) 39->112 114 Unusual module load detection (module proxying) 39->114 116 Tries to steal Instant Messenger accounts or passwords 42->116 118 Tries to steal Mail credentials (via file / registry access) 42->118 120 Detected Remcos RAT 46->120 122 Installs a MSI (Microsoft Installer) remotely 46->122 58 msiexec.exe 46->58         started        60 msiexec.exe 50->60         started        124 Obfuscated command line found 56->124 62 conhost.exe 56->62         started        64 reg.exe 1 1 56->64         started        process12
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/38c41cc8ae7a37a03db5919d8972d76fd7c8aced886fd25c1ef912927e5d8df6
Verdict:
Malware
YARA:
4 match(es)
Tags:
Html T1059.005 VBScript WScript.Shell WSF File
Link:
https://app.malva.re/file/c92ae00736f9a249533c980d7f5a5d5c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/38c41cc8ae7a37a03db5919d8972d76fd7c8aced886fd25c1ef912927e5d8df6/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/38c41cc8ae7a37a03db5919d8972d76fd7c8aced886fd25c1ef912927e5d8df6
Threat name:
Script-WScript.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2026-02-04 01:35:06 UTC
File Type:
Text (XML)
Extracted files:
1
AV detection:
9 of 36 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hdcbzsfopi32apnvsgoys4wxn7l4rlhnrbx5exa67ejje7s5rx3a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
48caa1c5b9a6b41f64e6f01f74a6ed1623459c064235f772d832153274944fe2
RemcosRAT
4d69e1c88a9ca803fd7f02395dc2f3a737c32a13fe6ee801cb908fb075cd0e86
RemcosRAT
551863be2e92aa2d319a92cda72bc2123233ee3a7e965ee691fd70d88c21d772
RemcosRAT
5dfcdc1c491fbf2f7f2fbac6bbf27b84be652583b66b252c46e8ed86577c3c60
RemcosRAT
67fd31f9b85ca5e31e0851c8a5f8f2f36343d884aa3dd7f26d4aa6c5d02b28fe
RemcosRAT
803d4ec06466ca32c6f4e2dd79d42d8b6b33b858d393f59f3cce2794981d41f8
RemcosRAT
841bd3307cb1a34c5f6a907217bd09c5e4d9e7500e2863a8cd956793014d5f2e
RemcosRAT
dd6d8363c2761f77948a54be192dbbe563d2da9dd8f922102547631ccbd05ebb
RemcosRAT
eadedc1029829676460e4a64eabd39a11f3753767c000d48cc55a584a5e5a143
RemcosRAT
error
RemcosRAT
+ 2'501 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:cee-tyla-06 collection discovery persistence privilege_escalation rat
Link:
https://tria.ge/reports/260204-lg6gvab17g/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks computer location settings
Use of msiexec (install) with remote resource
Badlisted process makes network request
Detected Nirsoft tools
NirSoft MailPassView
Remcos
Remcos family
Malware Config
C2 Extraction:
cee-tyla-06.ydns.eu:59713
cee-tyla-006-bkk.ydns.eu:63477
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/38c41cc8ae7a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/38c41cc8ae7a37a03db5919d8972d76fd7c8aced886fd25c1ef912927e5d8df6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_tiny_vbs
Create hunting rule
Author:daniyyell
Description:Detects tiny VBS delivery technique

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments