MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 392e729b28d037014cdd3f76d81c04d2a6eb877b38b10b6422b98c9bdf1fc437. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 392e729b28d037014cdd3f76d81c04d2a6eb877b38b10b6422b98c9bdf1fc437
SHA3-384 hash: 46f21066be220b4d54934169c1ed2888c23910f4368e02a7a9261715c5bf5677d9944b42dee2a36adc5ad52b282b5a9e
SHA1 hash: fb58be988eb987ae1c96ce2e9d25ac605fbe2554
MD5 hash: da84a1063c7578b4be39174e7c8ae51c
humanhash: december-skylark-grey-salami
File name:Invoice_FedEx.bat
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:977'931 bytes
First seen:2025-11-17 07:15:41 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 12288:a0GVvXr6AV1LodmTkkJMZAztq4NI2hQuzagiGzResQoGR5nJjuHlibeE4tWMpD+c:8JXa1YMiZOd2RQoAJKqhbMFrZ8uZ3S2
Threatray 160 similar samples on MalwareBazaar
TLSH T1AB25013D8E689CD6C7EA3352BC2AEF1900B85952D023C769F1D458EA4D39344EE2DD4E
Magika batch
Reporter abuse_ch
Tags:bat FedEx RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
67
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Invoice_FedEx.bat
Verdict:
Malicious activity
Analysis date:
2025-11-17 07:24:59 UTC
Tags:
remcos rat remote stealer susp-powershell mpress
Link:
https://app.any.run/tasks/ef720f3c-96c0-4452-bea3-04f904ae0913

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38430/
Detection(s):
SecuriteInfo.com.BAT.Obfus-10.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=691acbca434cd67b17c2601c
Tags:
obfuscate xtreme shell
Result
Verdict:
Clean
Maliciousness:

Behaviour
Running batch commands
Launching cmd.exe command interpreter
Creating a file
Launching a process
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
DNS request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 evasive masquerade obfuscated powershell
Link:
https://www.filescan.io/uploads/691acbc7fd66011c742cc72f/reports/453d5f80-1b6b-4ea6-8783-41417a434233/overview
Verdict:
Malicious
Labled as:
Trojan/BAT.Obfus
Link:
https://www.hybrid-analysis.com/sample/392e729b28d037014cdd3f76d81c04d2a6eb877b38b10b6422b98c9bdf1fc437
Verdict:
Malicious
File Type:
unix shell
First seen:
2025-11-16T21:19:00Z UTC
Last seen:
2025-11-19T05:11:00Z UTC
Hits:
~1000
Detections:
Trojan.Win32.Shellcode.sb Trojan.BAT.Agent.sb HEUR:Trojan.PowerShell.Tesre.sb Backdoor.Win32.Remcos.sb Trojan.PowerShell.AmsiBypass.sb PDM:Trojan.Win32.Generic HEUR:Trojan.BAT.Tesre.gen
Link:
https://opentip.kaspersky.com/392e729b28d037014cdd3f76d81c04d2a6eb877b38b10b6422b98c9bdf1fc437/results?tab=lookup
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1815091
Signature
.NET source code contains a sample name check
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Detected Remcos RAT
Found evasive API chain checking for user administrative privileges
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Powershell drops PE file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential Data Stealing Via Chromium Headless Debugging
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Remcos
Sigma detected: Suspicious PowerShell Parameter Substring
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected Powershell decode and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1815091 Sample: Invoice_FedEx.bat Startdate: 17/11/2025 Architecture: WINDOWS Score: 100 56 Suricata IDS alerts for network traffic 2->56 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 15 other signatures 2->62 10 cmd.exe 1 2->10         started        process3 signatures4 72 Suspicious powershell command line found 10->72 74 Bypasses PowerShell execution policy 10->74 13 cmd.exe 1 10->13         started        15 conhost.exe 10->15         started        process5 process6 17 cmd.exe 3 13->17         started        signatures7 54 Suspicious powershell command line found 17->54 20 powershell.exe 11 37 17->20         started        25 conhost.exe 17->25         started        process8 dnsIp9 50 172.245.95.9, 49721, 49722, 49723 AS-COLOCROSSINGUS United States 20->50 52 127.0.0.1 unknown unknown 20->52 42 C:\Users\user\AppData\Local\Temp\TH327B.tmp, MS-DOS 20->42 dropped 44 C:\Users\user\AppData\Local\Temp\TH320D.tmp, MS-DOS 20->44 dropped 46 C:\Users\user\AppData\Local\Temp\TH31DD.tmp, PE32+ 20->46 dropped 48 2 other malicious files 20->48 dropped 64 Detected Remcos RAT 20->64 66 Attempt to bypass Chrome Application-Bound Encryption 20->66 68 Tries to harvest and steal browser information (history, passwords, etc) 20->68 70 9 other signatures 20->70 27 RmClient.exe 1 20->27         started        30 RmClient.exe 1 20->30         started        32 RmClient.exe 20->32         started        34 3 other processes 20->34 file10 signatures11 process12 signatures13 76 Tries to steal Instant Messenger accounts or passwords 27->76 78 Tries to steal Mail credentials (via file / registry access) 27->78 80 Tries to harvest and steal browser information (history, passwords, etc) 30->80 82 Tries to steal Mail credentials (via file registry) 32->82 84 Unusual module load detection (module proxying) 32->84 36 WerFault.exe 16 34->36         started        38 msedge.exe 34->38         started        40 conhost.exe 34->40         started        process14
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/392e729b28d037014cdd3f76d81c04d2a6eb877b38b10b6422b98c9bdf1fc437
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/392e729b28d037014cdd3f76d81c04d2a6eb877b38b10b6422b98c9bdf1fc437/
Verdict:
Malicious
Threat:
Backdoor.Win32.Remcos
Link:
https://tip.neiki.dev/file/392e729b28d037014cdd3f76d81c04d2a6eb877b38b10b6422b98c9bdf1fc437
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-11-17 01:58:43 UTC
File Type:
Text
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hexhfgzi2a3qctg5h53nqhae2ktoxb33hcyqwzbcxggjxxy7yq3q._file
Verdict:
malicious
Label(s):
donutloader
Create hunting rule
remcos
Create hunting rule
nirsoft
Create hunting rule
admintool_mailpassview
Create hunting rule
Similar samples:
04ed4c7cbfc1c59414207610ad914115c870308143c0b9bb911dcc6cd7a84619
RemcosRAT
0ab443fab4801052dad2c86ca316328d520447ad0dc7246c0235e2eef2e97a1d
RemcosRAT
14e81b50d5d016e3aea5abd7c6264f6ae260d3a4ed0e5de8898c512d3276ee3b
RemcosRAT
24d5c728af9ea56d4148f0d00e443db04621415c3730ab68b6ad8b8b3ec534bf
RemcosRAT
31d5415b69274dbdcca1e80d57d649b9c643b6fc028d0af383f5040375a45870
RemcosRAT
4235c4b9a9b9da916671b5efcd96a137de5a20e203aebfb78feb11d2bf03069e
RemcosRAT
42a95a895792daa5cadf26023d3413a7586b2bb064ef0ea82896d5e6e641e37d
RemcosRAT
8f4cb07a4333f15fa8e585b00ef08ab329fda9fbc3802fdbdf579c194096ba9d
RemcosRAT
c5ac054b0470e6b792c9064c1fa7eb8ddd5867d69752637330cad3294c4b875b
RemcosRAT
error
RemcosRAT
+ 150 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
collection credential_access discovery execution stealer
Link:
https://tria.ge/reports/251117-h31a6seq8y/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Command and Scripting Interpreter: PowerShell
Badlisted process makes network request
Uses browser remote debugging
Detected Nirsoft tools
NirSoft MailPassView
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/392e729b28d0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/392e729b28d037014cdd3f76d81c04d2a6eb877b38b10b6422b98c9bdf1fc437

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/38430/

Comments