MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3bd5345502072fdb537ae2f36daaf4c8b0c36058484bb52887a57fa59381795f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3bd5345502072fdb537ae2f36daaf4c8b0c36058484bb52887a57fa59381795f
SHA3-384 hash: c9728cb9a12eb442e763ce6d8925adb000888e9f3e5f5d983f71d9709c199033565468418d80e42d84246503b07441a9
SHA1 hash: fb2387aa67f3c6d0c44ad10d5410b9e7fdbec642
MD5 hash: ea13fbee24fcd8cc9c7619f47472d1e9
humanhash: low-seventeen-stream-social
File name:eastvillageeatery.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:57'344 bytes
First seen:2026-05-29 13:46:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c0ffd3202ba559b30937f4875cd4b035 (1 x RemcosRAT)
ssdeep 768:id6YcrtoDHUEWBGxsQz7cu1eQ47/TV+lw59m/e/Gt5q3LgbTuemCr1:iIBSzUB2b1eDQw59vUSEHuemCr
Threatray 8 similar samples on MalwareBazaar
TLSH T12543E703BF0640B1D56502F00A452713EFF95DEA0A49A273DB41D500BEFAFA7D8A636E
TrID 30.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
25.8% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
16.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.3% (.EXE) Win64 Executable (generic) (6522/11/2)
Magika pebin
dhash icon 989894b49c9494f0 (61 x RemcosRAT)
Reporter abuse_ch
Tags:exe RemcosRAT upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 a6ccd89558c4b5cd2fec2512b846e14620be2cb3489f85b99203a9e4b9751d6a
File size (compressed) :23'552 bytes
File size (de-compressed) :57'344 bytes
Format:win32/pe
Packed file: a6ccd89558c4b5cd2fec2512b846e14620be2cb3489f85b99203a9e4b9751d6a

Intelligence

File Origin
# of uploads :
1
# of downloads :
157
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
Remcos
Details
Remcos
a version number and verbose configuration settings
Link:
https://research.acce.ciphertechsolutions.com/results/f27773fb-60ba-4563-87d1-ffdf81ec5bf1/
Malware family:
remcos
Create hunting rule
ID:
1
File name:
_3bd5345502072fdb537ae2f36daaf4c8b0c36058484bb52887a57fa59381795f.exe
Verdict:
Malicious activity
Analysis date:
2026-05-29 13:48:45 UTC
Tags:
remcos rat auto-reg
Link:
https://app.any.run/tasks/1070d987-c6bc-47b6-aa2a-cd0486c10194

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68474/
Detection(s):
Win.Malware.Azden-7587127-0
Create hunting rule

Win.Trojan.Remvio-1
Create hunting rule

Win.Malware.Zusy-6832224-0
Create hunting rule

YARA.MALPEDIA_Win_Remcos_Auto.UNOFFICIAL
Create hunting rule

YARA.SEKOIA_Rat_Win_Remcos.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a1998f6c73fda38a80aadee
Tags:
downloader dropper sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching cmd.exe command interpreter
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Launching a process
Running batch commands
Creating a process with a hidden window
Creating a file
Creating a process from a recently created file
DNS request
Connection attempt
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the User Account Control
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug cmd evasive fingerprint lolbin microsoft_visual_cc rat rat reconnaissance remcos
Link:
https://www.filescan.io/uploads/6a1998f2099ef368af0ccd2c/reports/697a120d-6fab-43dc-92f5-11b6943c83f5/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/3bd5345502072fdb537ae2f36daaf4c8b0c36058484bb52887a57fa59381795f
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-05-29T10:55:00Z UTC
Last seen:
2026-05-30T23:07:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Agent.sb Trojan-Downloader.Win32.Dapato.sb HEUR:Backdoor.Win32.Remcos.gen Backdoor.Win32.Remcos.sb Backdoor.Win32.Remcos.f Trojan.Win32.Scar.otsp
Link:
https://opentip.kaspersky.com/3bd5345502072fdb537ae2f36daaf4c8b0c36058484bb52887a57fa59381795f/results?tab=lookup
Gathering data
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1920301
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Remcos RAT
Disables UAC (registry)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1920301 Sample: eastvillageeatery.exe Startdate: 29/05/2026 Architecture: WINDOWS Score: 100 46 eastvillageeatery.de 2->46 58 Malicious sample detected (through community Yara rule) 2->58 60 Antivirus / Scanner detection for submitted sample 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 2 other signatures 2->64 10 eastvillageeatery.exe 1 4 2->10         started        14 eastvillageeatery.exe 2->14         started        16 eastvillageeatery.exe 2->16         started        signatures3 process4 file5 42 C:\Users\user\...\eastvillageeatery.exe, PE32 10->42 dropped 44 C:\...\eastvillageeatery.exe:Zone.Identifier, ASCII 10->44 dropped 76 Detected Remcos RAT 10->76 18 cmd.exe 1 10->18         started        21 cmd.exe 1 10->21         started        signatures6 process7 signatures8 52 Uses ping.exe to sleep 18->52 23 eastvillageeatery.exe 1 18->23         started        27 PING.EXE 1 18->27         started        29 conhost.exe 18->29         started        54 Uses cmd line tools excessively to alter registry or file data 21->54 56 Uses ping.exe to check the status of other devices and networks 21->56 31 reg.exe 1 21->31         started        33 conhost.exe 21->33         started        process9 dnsIp10 48 eastvillageeatery.de 104.21.53.137, 2404 CLOUDFLARENET-CloudflareIncUS Canada 23->48 68 Antivirus detection for dropped file 23->68 70 Multi AV Scanner detection for dropped file 23->70 72 Detected Remcos RAT 23->72 35 cmd.exe 23->35         started        50 127.0.0.1 unknown unknown 27->50 74 Disables UAC (registry) 31->74 signatures11 process12 signatures13 66 Uses cmd line tools excessively to alter registry or file data 35->66 38 conhost.exe 35->38         started        40 reg.exe 1 35->40         started        process14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3bd5345502072fdb537ae2f36daaf4c8b0c36058484bb52887a57fa59381795f
Gathering data
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3bd5345502072fdb537ae2f36daaf4c8b0c36058484bb52887a57fa59381795f/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2026-05-29 13:47:36 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hpktivica4x5wu324lzw3kxuzcymgycyjbf3kkehuv72le4bpfpq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
379ce884ab2a4e39bb56560bc8772b7ea44dcd3678d6fabaf62eb3352b1b6018
RemcosRAT
3bd5345502072fdb537ae2f36daaf4c8b0c36058484bb52887a57fa59381795f
RemcosRAT
51f5b830fb0da1abe98f445889d9cf12a5d2c175c8f8b5d30df220b11113756d
RemcosRAT
a6ccd89558c4b5cd2fec2512b846e14620be2cb3489f85b99203a9e4b9751d6a
RemcosRAT
bcef8700452c0969ddfd3f6634567761ed2dfcb8bbc51fe6fde903b1bbf41a66
RemcosRAT
error
RemcosRAT
f5c297279b27a02d9ede35e210c0bf0dbe0decbecd09183e5a2677f05cea50db
RemcosRAT
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery persistence trojan
Link:
https://tria.ge/reports/260529-q3skbscy6y/
Behaviour
Modifies registry key
Runs ping.exe
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
UAC bypass
Unpacked files
SH256 hash:
3bd5345502072fdb537ae2f36daaf4c8b0c36058484bb52887a57fa59381795f
MD5 hash:
ea13fbee24fcd8cc9c7619f47472d1e9
SHA1 hash:
fb2387aa67f3c6d0c44ad10d5410b9e7fdbec642
Detections:
win_remcos_auto
Create hunting rule
Remcos
Create hunting rule
Link:
https://www.unpac.me/results/8c7705d8-e5f4-4a9d-bbc6-98083398b27a/
Parent samples :
3bd5345502072fdb537ae2f36daaf4c8b0c36058484bb52887a57fa59381795f
a6ccd89558c4b5cd2fec2512b846e14620be2cb3489f85b99203a9e4b9751d6a
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3bd534550207/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3bd5345502072fdb537ae2f36daaf4c8b0c36058484bb52887a57fa59381795f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:malware_Remcos_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

RemcosRAT

Executable exe a6ccd89558c4b5cd2fec2512b846e14620be2cb3489f85b99203a9e4b9751d6a

RemcosRAT

Executable exe 3bd5345502072fdb537ae2f36daaf4c8b0c36058484bb52887a57fa59381795f

(this sample)

  
Dropped by
SHA256 a6ccd89558c4b5cd2fec2512b846e14620be2cb3489f85b99203a9e4b9751d6a
  
Dropped by
MD5 4a40b6494d80287a5660b2b0fe881ddf
Cape
Cape
https://www.capesandbox.com/analysis/68474/

Comments