MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4245e415209b1f13c215b623c3ccf1020d1e01e7ac9084a2f20d7a1abf79834a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 23 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4245e415209b1f13c215b623c3ccf1020d1e01e7ac9084a2f20d7a1abf79834a
SHA3-384 hash: 67468228bfc13e90daeaacbb1d38ae4a7f5753642efbe20b8ce8a89a45187e3cc9c615599f2f03f1478202ec3feb67df
SHA1 hash: 28dd2cbcc4133f59d7d40ed749c60959f3bded3a
MD5 hash: 0406ab994d545dd3ba296e093696654b
humanhash: failed-sad-violet-mockingbird
File name:Orden de compra -CL95647.bat
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:918'386 bytes
First seen:2025-09-27 12:32:18 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 24576:83AgGxLID9cGupoHu4QpwHJ6gyrkYLWDWAlxsI:8QgGq6kjF/lp
Threatray 1'539 similar samples on MalwareBazaar
TLSH T199157CEA2DC25FA70A541FEB72F11DEF1E819291F649E16879917CE0632213C4F3869C
Magika batch
Reporter abuse_ch
Tags:bat RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Orden de compra -CL95647.bat
Verdict:
Malicious activity
Analysis date:
2025-09-27 12:35:13 UTC
Tags:
rat remcos auto-startup remote evasion susp-powershell
Link:
https://app.any.run/tasks/6f89fb34-4869-448e-80dd-0377c4064e49

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/29247/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68d7d96491dd51f6514f254c
Tags:
obfuscate autorun xtreme shell
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/4245e415209b1f13c215b623c3ccf1020d1e01e7ac9084a2f20d7a1abf79834a
Verdict:
Malicious
File Type:
unix shell
First seen:
2025-09-26T14:16:00Z UTC
Last seen:
2025-09-26T14:16:00Z UTC
Hits:
~100
Detections:
Trojan.PowerShell.AmsiBypass.sb PDM:Trojan.Win32.Generic HEUR:Trojan.BAT.Tesre.gen Trojan.Win32.Shellcode.sb Trojan.BAT.Agent.sb HEUR:Trojan.PowerShell.Tesre.sb Backdoor.Win32.Remcos.e
Link:
https://opentip.kaspersky.com/4245e415209b1f13c215b623c3ccf1020d1e01e7ac9084a2f20d7a1abf79834a/results?tab=lookup
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1785167
Signature
.NET source code contains a sample name check
.NET source code references suspicious native API functions
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Detected Remcos RAT
Disable UAC(promptonsecuredesktop)
Drops script or batch files to the startup folder
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Powershell drops PE file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1785167 Sample: Orden de compra -CL95647.bat Startdate: 27/09/2025 Architecture: WINDOWS Score: 100 106 laxreal10.duckdns.org 2->106 108 api.ipify.org 2->108 110 api.findip.net 2->110 118 Suricata IDS alerts for network traffic 2->118 120 Found malware configuration 2->120 122 Malicious sample detected (through community Yara rule) 2->122 126 15 other signatures 2->126 10 cmd.exe 1 2->10         started        13 cmd.exe 1 2->13         started        15 cmd.exe 1 2->15         started        17 17 other processes 2->17 signatures3 124 Uses dynamic DNS services 106->124 process4 dnsIp5 132 Suspicious powershell command line found 10->132 20 cmd.exe 1 10->20         started        22 conhost.exe 10->22         started        25 cmd.exe 1 13->25         started        27 conhost.exe 13->27         started        29 cmd.exe 1 15->29         started        31 conhost.exe 15->31         started        104 127.0.0.1 unknown unknown 17->104 33 cmd.exe 1 17->33         started        35 cmd.exe 1 17->35         started        37 30 other processes 17->37 signatures6 process7 signatures8 39 cmd.exe 3 20->39         started        128 Suspicious powershell command line found 22->128 42 cmd.exe 2 25->42         started        44 cmd.exe 2 29->44         started        46 cmd.exe 2 33->46         started        48 cmd.exe 2 35->48         started        50 cmd.exe 37->50         started        52 cmd.exe 37->52         started        54 cmd.exe 37->54         started        56 11 other processes 37->56 process9 signatures10 130 Suspicious powershell command line found 39->130 58 2 other processes 39->58 63 2 other processes 42->63 65 2 other processes 44->65 67 2 other processes 46->67 69 2 other processes 48->69 71 2 other processes 50->71 73 2 other processes 52->73 75 2 other processes 54->75 77 22 other processes 56->77 process11 dnsIp12 112 laxreal10.duckdns.org 217.114.215.132, 49720, 49729, 49730 KEYWEB-ASDE Germany 58->112 114 api.findip.net 172.67.214.3, 443, 49723 CLOUDFLARENETUS United States 58->114 116 api.ipify.org 172.67.74.152, 443, 49722 CLOUDFLARENETUS United States 58->116 100 5 other malicious files 58->100 dropped 134 Drops script or batch files to the startup folder 58->134 136 Found hidden mapped module (file has been removed from disk) 58->136 138 Maps a DLL or memory area into another process 58->138 142 5 other signatures 58->142 79 RmClient.exe 58->79         started        82 RmClient.exe 58->82         started        84 RmClient.exe 58->84         started        86 C:\Users\user\AppData\Roaming\...\79e7.bat, ASCII 63->86 dropped 88 C:\Users\user\AppData\Roaming\...\b219.bat, ASCII 65->88 dropped 90 C:\Users\user\AppData\Roaming\...\c4b0.bat, ASCII 67->90 dropped 92 C:\Users\user\AppData\Roaming\...\28f3.bat, ASCII 69->92 dropped 94 C:\Users\user\AppData\Roaming\...\40d4.bat, ASCII 71->94 dropped 96 C:\Users\user\AppData\Roaming\...\6e8f.bat, ASCII 73->96 dropped 98 C:\Users\user\AppData\Roaming\...\5edb.bat, ASCII 75->98 dropped 102 11 other malicious files 77->102 dropped 140 Detected Remcos RAT 77->140 file13 signatures14 process15 signatures16 144 Tries to steal Instant Messenger accounts or passwords 79->144 146 Tries to steal Mail credentials (via file / registry access) 79->146 148 Tries to harvest and steal browser information (history, passwords, etc) 82->148
Score:
98%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/4245e415209b1f13c215b623c3ccf1020d1e01e7ac9084a2f20d7a1abf79834a
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4245e415209b1f13c215b623c3ccf1020d1e01e7ac9084a2f20d7a1abf79834a/
Verdict:
Malicious
Threat:
Trojan.Win32.Remcos
Link:
https://tip.neiki.dev/file/4245e415209b1f13c215b623c3ccf1020d1e01e7ac9084a2f20d7a1abf79834a
Threat name:
Text.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-09-27 12:33:34 UTC
File Type:
Text
AV detection:
5 of 24 (20.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ijc6ifjatmprhqqvwyr4hthraigr4aphvsiijixsbv5bvp3zqnfa._file
Verdict:
malicious
Label(s):
donut_injector
Create hunting rule
remcos
Create hunting rule
Similar samples:
15ddcaed4f9a9e7ef07e4f64b3850a76b0d8ac74971d770b936c6bce3e415e6b
RemcosRAT
1eeefad3b4af3c0592006bbf93b5ef9c958d72470aa26bb2c042f5e3966eb059
RemcosRAT
b22d450f1a3799f1c1d1ab6a655a8f9987b32d7d15b254fd586fb4aab34a9d65
RemcosRAT
b9ddd7911daf8a8d71a31e87bdf7cc96ae29c53b28ba508f7a4b48e6fe081a96
RemcosRAT
c21c7cc14b61c0426a6c6fe79bb99c72cebfee16c9f6fd08195ad8800a26c6b7
RemcosRAT
ccf51177e35672532087c0035850fa3c3842a99d39f0d93275f9cf383534fe78
RemcosRAT
d50825f42162126cafad375cfe5995b2a0b632a5238ed9b66d929613e2ec7020
RemcosRAT
d96e82d980a8872cb39e5ab834e00ea41f4572321f2e5c5a5aab71d3d03f3458
RemcosRAT
error
RemcosRAT
+ 1'529 additional samples on MalwareBazaar
Result
Malware family:
donutloader
Create hunting rule
Score:
  10/10
Tags:
family:donutloader discovery execution loader
Link:
https://tria.ge/reports/250927-pqvngsck4v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Drops startup file
Badlisted process makes network request
Detects DonutLoader
DonutLoader
Donutloader family
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4245e415209b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4245e415209b1f13c215b623c3ccf1020d1e01e7ac9084a2f20d7a1abf79834a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_
Create hunting rule
Author:Michelle Khalil
Description:This rule detects unpacked remcos malware samples.
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Remcos_unpacked_PulseIntel
Create hunting rule
Author:PulseIntel
Description:Remcos Payload
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:win_remcos_rat_unpacked
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:win_remcos_w0
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:yarahub_win_remcos_rat_unpacked_aug_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/29247/

Comments