MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d0f6fd7bc98088001e550fed82caa73063fbbde486dbb933b40db23741674dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 20


Intelligence 20 IOCs YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d0f6fd7bc98088001e550fed82caa73063fbbde486dbb933b40db23741674dd
SHA3-384 hash: 3fb9481c04ccf6c72cd0fda83ac4114e21ebd1aa3553d3b58bed61054fd5c74fc0f4495d8b9556e98de89b93668576b0
SHA1 hash: d175e91768051747bf70555dec285aa9d9e425b7
MD5 hash: facd7423cf6a58496c8c2d203edd3835
humanhash: chicken-island-fruit-fix
File name:SecuriteInfo.com.Win32.DropperX-gen.21195.2511
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:927'232 bytes
First seen:2025-03-18 04:30:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:TpNPC+V1DhOMVADXHrM4ZGQRr885Q4lahP:TpBLhLVADI4ZuIQ4l
Threatray 624 similar samples on MalwareBazaar
TLSH T1971523795696EC67C92607780521E3F117B4EF9CE822D323BACDEDE3BD4136824292D4
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 886443434b83cbe2 (17 x AgentTesla, 7 x Formbook, 4 x SnakeKeylogger)
Reporter SecuriteInfoCom
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
526
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.DropperX-gen.21195.2511
Verdict:
Malicious activity
Analysis date:
2025-03-18 05:24:01 UTC
Tags:
remcos rat autorun-sched autorun-reg remote stealer
Link:
https://app.any.run/tasks/990c724b-00a8-4653-ada5-9d983a024bf1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67d906ba08116ce42572017f
Tags:
remcos virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Restart of the analyzed sample
Creating a file
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected remcos
Link:
https://www.filescan.io/uploads/67d8f70f0a7899f3579b08e9/reports/c641e38a-f502-492e-abf4-ed14afb546e3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/3d0f6fd7bc98088001e550fed82caa73063fbbde486dbb933b40db23741674dd
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fa350f69-223b-408d-ae0b-c1694ee8e79c
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1641260
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates autostart registry keys with suspicious names
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1641260 Sample: SecuriteInfo.com.Win32.Drop... Startdate: 18/03/2025 Architecture: WINDOWS Score: 100 100 geoplugin.net 2->100 108 Suricata IDS alerts for network traffic 2->108 110 Found malware configuration 2->110 112 Malicious sample detected (through community Yara rule) 2->112 114 11 other signatures 2->114 10 SecuriteInfo.com.Win32.DropperX-gen.21195.2511.exe 7 2->10         started        14 GNwqsPlT.exe 2->14         started        16 remcos.exe 2->16         started        18 3 other processes 2->18 signatures3 process4 dnsIp5 90 C:\Users\user\AppData\RoamingbehaviorgraphNwqsPlT.exe, PE32 10->90 dropped 92 C:\Users\...behaviorgraphNwqsPlT.exe:Zone.Identifier, ASCII 10->92 dropped 94 C:\Users\user\AppData\Local\...\tmp2C28.tmp, XML 10->94 dropped 96 SecuriteInfo.com.W....21195.2511.exe.log, ASCII 10->96 dropped 136 Contains functionality to bypass UAC (CMSTPLUA) 10->136 138 Contains functionalty to change the wallpaper 10->138 140 Contains functionality to steal Chrome passwords or cookies 10->140 146 4 other signatures 10->146 21 SecuriteInfo.com.Win32.DropperX-gen.21195.2511.exe 2 3 10->21         started        25 powershell.exe 23 10->25         started        27 powershell.exe 23 10->27         started        35 2 other processes 10->35 142 Multi AV Scanner detection for dropped file 14->142 144 Injects a PE file into a foreign processes 14->144 29 GNwqsPlT.exe 14->29         started        31 schtasks.exe 14->31         started        37 3 other processes 16->37 102 127.0.0.1 unknown unknown 18->102 33 remcos.exe 18->33         started        39 4 other processes 18->39 file6 signatures7 process8 file9 86 C:\ProgramData\remcos.exe, PE32 21->86 dropped 88 C:\ProgramData\remcos.exe:Zone.Identifier, ASCII 21->88 dropped 124 Detected Remcos RAT 21->124 126 Creates autostart registry keys with suspicious names 21->126 41 remcos.exe 5 21->41         started        128 Loading BitLocker PowerShell Module 25->128 44 conhost.exe 25->44         started        46 conhost.exe 27->46         started        48 conhost.exe 31->48         started        50 conhost.exe 35->50         started        52 conhost.exe 37->52         started        54 conhost.exe 39->54         started        56 conhost.exe 39->56         started        signatures10 process11 signatures12 130 Multi AV Scanner detection for dropped file 41->130 132 Adds a directory exclusion to Windows Defender 41->132 134 Injects a PE file into a foreign processes 41->134 58 remcos.exe 41->58         started        63 powershell.exe 41->63         started        65 powershell.exe 41->65         started        67 schtasks.exe 41->67         started        process13 dnsIp14 104 172.245.93.118, 45990, 49721, 49724 AS-COLOCROSSINGUS United States 58->104 106 geoplugin.net 178.237.33.50, 49725, 80 ATOM86-ASATOM86NL Netherlands 58->106 98 C:\ProgramData\remcos\logs.dat, data 58->98 dropped 148 Detected Remcos RAT 58->148 150 Writes to foreign memory regions 58->150 152 Maps a DLL or memory area into another process 58->152 154 Installs a global keyboard hook 58->154 69 recover.exe 58->69         started        72 recover.exe 58->72         started        74 recover.exe 58->74         started        76 WMIADAP.exe 58->76         started        156 Loading BitLocker PowerShell Module 63->156 78 conhost.exe 63->78         started        80 WmiPrvSE.exe 63->80         started        82 conhost.exe 65->82         started        84 conhost.exe 67->84         started        file15 signatures16 process17 signatures18 116 Tries to steal Mail credentials (via file registry) 69->116 118 Tries to harvest and steal browser information (history, passwords, etc) 69->118 120 Tries to steal Instant Messenger accounts or passwords 72->120 122 Tries to steal Mail credentials (via file / registry access) 72->122
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3d0f6fd7bc98088001e550fed82caa73063fbbde486dbb933b40db23741674dd
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3d0f6fd7bc98088001e550fed82caa73063fbbde486dbb933b40db23741674dd/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2025-03-18 04:31:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=huhw7v54taeiaapfkd7nqlfkomdd7o66jbw3xez3idnsg5awotoq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
4cfc84d46074142fa3204777ac1a0cbd7ea155fcaf0739388df5d098abf8d7f4
RemcosRAT
51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c
RemcosRAT
b3a40331524394846d2782f1e52e1410ce1681283f8c715373bab73c84fa30ec
RemcosRAT
b81f074c11d54ccc1947cbe1c42fbbb9cbc338c7bbd18d7ca2e6903755d3126f
RemcosRAT
ea3d846cce6aa910a7ff04f5908946c735f94c41576c4cf44ced9c6304491861
RemcosRAT
error
RemcosRAT
f96d8c627027bb1530f7e499e6e86c8f6b1724a2edab6e4faeaf10fea74be0ae
RemcosRAT
+ 614 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:goldenfile collection discovery execution persistence rat
Link:
https://tria.ge/reports/250318-e5e68sxrt3/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Remcos
Remcos family
Malware Config
C2 Extraction:
172.245.93.118:45990
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/48035ade-0fcc-414a-b3c4-40d27bfacad6
Unpacked files
SH256 hash:
3d0f6fd7bc98088001e550fed82caa73063fbbde486dbb933b40db23741674dd
MD5 hash:
facd7423cf6a58496c8c2d203edd3835
SHA1 hash:
d175e91768051747bf70555dec285aa9d9e425b7
Link:
https://www.unpac.me/results/594dde5c-3d66-4ba7-b893-c1e524254e40/
SH256 hash:
f842476d74838d1b27e538f3f864788a1cacb924e43f82b4a54308c7224ee146
MD5 hash:
be1c72385dc471ed6a7f8b60bfbd649e
SHA1 hash:
0e02a1e1033150e1592ad05e3e93bd95ccf76702
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/594dde5c-3d66-4ba7-b893-c1e524254e40/
Parent samples :
b81f074c11d54ccc1947cbe1c42fbbb9cbc338c7bbd18d7ca2e6903755d3126f
3d0f6fd7bc98088001e550fed82caa73063fbbde486dbb933b40db23741674dd
c822084a8f1aa34346264bea15d6af68a8c1bd85a3eb2a80b5cd00085da29f24
4b4beec1e12d797f9b269b73d71d6561538ff45c502f4e67e9d9357b3786cbeb
e5ee0f86a7365463f8a0bdd3591624c214c8db88abf861d06d1fbd342a6fbfd1
SH256 hash:
2d5fb729a4382508dabbf1913be25a3f490d8ac42624c3ef510e1ccbfae58418
MD5 hash:
8b300e72859b0a9d2baea6c946102d18
SHA1 hash:
302b41d25b511ec07d4a9b6f027f0c2a82c13152
Detections:
win_remcos_auto
Create hunting rule
Remcos
Create hunting rule
win_remcos_w0
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Link:
https://www.unpac.me/results/594dde5c-3d66-4ba7-b893-c1e524254e40/
SH256 hash:
9f3c7318e26078cae22c9d2bd97f45e6ac80fbcb345533a644823f661e444327
MD5 hash:
a1796f767efc1de9c37e443cd5fc33f1
SHA1 hash:
7fa30b17cc0497a258c220e2b62f27b87c6de7eb
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/594dde5c-3d66-4ba7-b893-c1e524254e40/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3d0f6fd7bc98/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3d0f6fd7bc98088001e550fed82caa73063fbbde486dbb933b40db23741674dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Remcos_unpacked_PulseIntel
Create hunting rule
Author:PulseIntel
Description:Remcos Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:win_remcos_rat_unpacked
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:win_remcos_w0
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:yarahub_win_remcos_rat_unpacked_aug_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments