MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40abc182a584480c59ca25a0a115f441c0c82ccf8e87f195143301027c32000d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 40abc182a584480c59ca25a0a115f441c0c82ccf8e87f195143301027c32000d
SHA3-384 hash: e28092a576e04369235e4f08b89ee900bf87ea6f093f14982f408e29e235ba9c57ecedae793b7ed58f44c78c381d5dee
SHA1 hash: bb233adb5718e0b3644921ad89185fb57d65e19e
MD5 hash: d27f3fb138b1220b15e2532e660045b6
humanhash: sodium-blossom-massachusetts-island
File name:Skrmfil.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:770'448 bytes
First seen:2026-04-13 14:56:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f4639a0b3116c2cfc71144b88a929cfd (117 x GuLoader, 55 x Formbook, 40 x VIPKeylogger)
ssdeep 12288:OXyWmdPEZJ7SyplVh6bhND2mDb8AhPuMUryFW8JkygqYNbwixL:OXrmdPud3Vh6bhhbhWMUrr8JkyYWixL
TLSH T1EDF4F1897B409BB6C26943364FD78391133DEC606BD1971B7292F39E2F72261A6473C8
TrID 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 81e0f4f8e662b0b0 (2 x GuLoader, 2 x RemcosRAT)
Reporter lowmal3
Tags:exe RemcosRAT signed

Code Signing Certificate

Organisation:intercessionary
Issuer:intercessionary
Algorithm:sha256WithRSAEncryption
Valid from:2026-03-22T01:06:46Z
Valid to:2027-03-22T01:06:46Z
Serial number: 02cb24ca69a0aaec4117f658523952c39dc7c92e
Thumbprint Algorithm:SHA256
Thumbprint: 1b0a9b6ce75f214470efab568c0f05c1f5a445200ca8d3ebbc6519cfb364973e
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
DE DE
Vendor Threat Intelligence
Malware configuration found for:
GuLoader NSIS
Details
GuLoader
a c2 URL, a useragent string, and a string XOR key
GuLoader
an XOR decryption key and an extracted component
NSIS
extracted archive contents
Link:
https://research.acce.ciphertechsolutions.com/results/75bdefdf-02e5-49b1-bed7-985d919dd058/
Malware family:
remcos
Create hunting rule
ID:
1
File name:
_40abc182a584480c59ca25a0a115f441c0c82ccf8e87f195143301027c32000d.exe
Verdict:
Malicious activity
Analysis date:
2026-04-13 14:57:45 UTC
Tags:
rat remcos auto-reg
Link:
https://app.any.run/tasks/4903f492-57d2-4bc6-8b4f-70c8dcb36b39

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/61404/
Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69dd042af68adfe100396c27
Tags:
injection obfusc virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Sending a custom TCP request
Creating a file in the %temp% directory
Delayed reading of the file
Unauthorized injection to a recently created process
Restart of the analyzed sample
DNS request
Connection attempt
Sending an HTTP GET request
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug installer installer installer-heuristic microsoft_visual_cc nsis signed soft-404
Link:
https://www.filescan.io/uploads/69dd04255ea31bc68a266873/reports/47f3dfb3-293d-4478-a9ff-a42f78e0ef43/overview
Verdict:
Suspicious
Labled as:
Agent.WIMD
Link:
https://www.hybrid-analysis.com/sample/40abc182a584480c59ca25a0a115f441c0c82ccf8e87f195143301027c32000d
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-04-13T03:18:00Z UTC
Last seen:
2026-04-15T12:49:00Z UTC
Hits:
~1000
Detections:
VHO:Trojan.NSIS.Makoob.gen Trojan.Win32.GuLoader.sb Trojan.NSIS.Makoob.sbb Trojan.NSIS.Makoob.sba Trojan-Dropper.Win32.Injector.sb Backdoor.Win32.Remcos.sb PDM:Trojan.Win32.Generic HEUR:Trojan.Win32.Makoob.gen Trojan-Downloader.Win32.Minix.sb
Link:
https://opentip.kaspersky.com/40abc182a584480c59ca25a0a115f441c0c82ccf8e87f195143301027c32000d/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1abea1e1-d02c-4988-bd64-5654cfbd5625
Result
Threat name:
Remcos, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1897494
Signature
AI detected suspicious PE digital signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Creates autostart registry keys with suspicious names
Detected Remcos RAT
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1897494 Sample: Skrmfil.exe Startdate: 13/04/2026 Architecture: WINDOWS Score: 100 70 drive.usercontent.google.com 2->70 72 drive.google.com 2->72 88 Suricata IDS alerts for network traffic 2->88 90 Found malware configuration 2->90 92 Malicious sample detected (through community Yara rule) 2->92 94 8 other signatures 2->94 10 Skrmfil.exe 2 33 2->10         started        14 remcos.exe 22 2->14         started        16 remcos.exe 22 2->16         started        signatures3 process4 file5 58 C:\Users\user\AppData\Local\...\System.dll, PE32 10->58 dropped 102 Tries to detect virtualization through RDTSC time measurements 10->102 104 Unusual module load detection (module proxying) 10->104 106 Switches to a custom stack to bypass stack traces 10->106 18 Skrmfil.exe 2 10 10->18         started        23 Skrmfil.exe 10->23         started        60 C:\Users\user\AppData\Local\...\System.dll, PE32 14->60 dropped 108 Found direct / indirect Syscall (likely to bypass EDR) 14->108 25 remcos.exe 14->25         started        27 remcos.exe 14->27         started        62 C:\Users\user\AppData\Local\...\System.dll, PE32 16->62 dropped 29 remcos.exe 6 16->29         started        31 remcos.exe 16->31         started        signatures6 process7 dnsIp8 74 drive.google.com 142.251.210.46, 443, 49697, 49699 GOOGLEUS United States 18->74 76 drive.usercontent.google.com 142.251.211.193, 443, 49698, 49700 GOOGLEUS United States 18->76 54 C:\ProgramData\Remcos\remcos.exe, PE32 18->54 dropped 56 C:\ProgramData\...\remcos.exe:Zone.Identifier, ASCII 18->56 dropped 96 Detected Remcos RAT 18->96 98 Creates autostart registry keys with suspicious names 18->98 33 remcos.exe 22 18->33         started        37 Skrmfil.exe 18->37         started        100 Found direct / indirect Syscall (likely to bypass EDR) 25->100 39 remcos.exe 25->39         started        41 remcos.exe 29->41         started        file9 signatures10 process11 file12 52 C:\Users\user\AppData\Local\...\System.dll, PE32 33->52 dropped 80 Antivirus detection for dropped file 33->80 82 Multi AV Scanner detection for dropped file 33->82 84 Contains functionality to steal Internet Explorer form passwords 33->84 86 4 other signatures 33->86 43 remcos.exe 4 10 33->43         started        48 remcos.exe 33->48         started        signatures13 process14 dnsIp15 78 130.12.182.113, 2404, 49702, 49704 DATAHOPDatahop-SixDegreesGB Canada 43->78 64 C:\Users\user\AppData\...\Login Data.tmp, SQLite 43->64 dropped 66 C:\Users\user\AppData\...\Login Data.tmp, SQLite 43->66 dropped 68 C:\Users\user\...\Login Data For Account.tmp, SQLite 43->68 dropped 110 Detected Remcos RAT 43->110 112 Tries to harvest and steal browser information (history, passwords, etc) 43->112 50 remcos.exe 43->50         started        file16 signatures17 process18
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/40abc182a584480c59ca25a0a115f441c0c82ccf8e87f195143301027c32000d
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/40abc182a584480c59ca25a0a115f441c0c82ccf8e87f195143301027c32000d/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/40abc182a584480c59ca25a0a115f441c0c82ccf8e87f195143301027c32000d
Threat name:
Win32.Trojan.Qwexlafiba
Create hunting rule
Status:
Malicious
First seen:
2026-04-13 07:35:29 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=icv4davfqreaywokewqkcfpuihamqlgpr2d7dfiugmaqe7bsaagq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
error
RemcosRAT
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos botnet:remotehost discovery downloader persistence rat spyware stealer
Link:
https://tria.ge/reports/260413-sbbtlsh16m/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks installed software on the system
Contacts third-party web service commonly abused for C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Family: Guloader,Cloudeye
Family: Remcos
Malware Config
C2 Extraction:
130.12.182.113:2404
Unpacked files
SH256 hash:
40abc182a584480c59ca25a0a115f441c0c82ccf8e87f195143301027c32000d
MD5 hash:
d27f3fb138b1220b15e2532e660045b6
SHA1 hash:
bb233adb5718e0b3644921ad89185fb57d65e19e
Link:
https://www.unpac.me/results/40ed9832-de9a-48a4-93d3-be1399ddf789/
SH256 hash:
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6
MD5 hash:
192639861e3dc2dc5c08bb8f8c7260d5
SHA1 hash:
58d30e460609e22fa0098bc27d928b689ef9af78
Link:
https://www.unpac.me/results/40ed9832-de9a-48a4-93d3-be1399ddf789/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/40abc182a584/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/40abc182a584480c59ca25a0a115f441c0c82ccf8e87f195143301027c32000d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 40abc182a584480c59ca25a0a115f441c0c82ccf8e87f195143301027c32000d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/61404/

Comments