MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4337290c0f38bd812f247315283f3981301b4e9687b9301a5b6ebc640e5c777a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash: 4337290c0f38bd812f247315283f3981301b4e9687b9301a5b6ebc640e5c777a
SHA3-384 hash: fc6746df233f12136b16cb4013e776b24a537445bbed1cc84e8a2b37e10d578b638f5e92d85e251f5a722987ff8b311d
SHA1 hash: 71d244af6b9d8ece471a7d879ebb66176a937a04
MD5 hash: a15ab51656f70702676510eaf207f117
humanhash: harry-seven-uniform-potato
File name:Payment Invoices and bank documents.exe
Download: download sample
Signature RemcosRAT
File size:508'744 bytes
First seen:2026-07-15 23:49:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9be4f90f50c714bc00cc8beb2e137299 (6 x RemcosRAT)
ssdeep 12288:MBQEiPvu2LeiRsz8eq3AAwP1mPgTqekfri:MBeP9LrsweqFwPCCqS
TLSH T12CB40201FF9A58E9E866C07599BBC62315317E4C0A65B62F1718BF2FBE31C80D93A744
TrID 33.1% (.EXE) Win64 Executable (generic) (6522/11/2)
25.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.4% (.ICL) Windows Icons Library (generic) (2059/9)
10.3% (.EXE) OS/2 Executable (generic) (2029/13)
10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon f96c6c7064ccbcbc (4 x RemcosRAT)
Reporter threatcat_ch
Tags:exe RemcosRAT signed

Code Signing Certificate

Organisation:Ceyloneseres
Issuer:Ceyloneseres
Algorithm:sha256WithRSAEncryption
Valid from:2026-05-30T23:52:00Z
Valid to:2027-05-30T23:52:00Z
Serial number: 40fd520a9ffb51bf0eae24760f7280bbf39bd691
Thumbprint Algorithm:SHA256
Thumbprint: 88477de3dae3fd6672e8cfff3a8ee9d58d698be46aa7a8b509e7a5032df7c466
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads :
1
# of downloads :
182
Origin country :
CH CH
Vendor Threat Intelligence
Verdict:
Malicious
Score:
70%
Tags:
injection obfusc crypt
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-07-15T13:44:00Z UTC
Last seen:
2026-07-17T21:38:00Z UTC
Hits:
~1000
Result
Threat name:
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
AI detected suspicious PE / MSI digital signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (creates a PE file in dynamic memory)
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain checking for user administrative privileges
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file registry)
Unusual module load detection (module proxying)
Yara detected Remcos RAT
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1943210 Sample: Payment Invoices and bank d... Startdate: 16/07/2026 Architecture: WINDOWS Score: 100 43 Found malware configuration 2->43 45 Antivirus detection for dropped file 2->45 47 Antivirus / Scanner detection for submitted sample 2->47 49 15 other signatures 2->49 7 Payment Invoices and bank documents.exe 1 46 2->7         started        process3 file4 25 C:\Users\user\AppData\Local\...\System.dll, PE32+ 7->25 dropped 51 Hides threads from debuggers 7->51 53 Found direct / indirect Syscall (likely to bypass EDR) 7->53 11 Payment Invoices and bank documents.exe 6 70 7->11         started        signatures5 process6 dnsIp7 35 45.225.135.94, 2404, 49746, 49747 RACKSPHEREHOSTINGSAPA Switzerland 11->35 37 107.174.146.3, 49745, 80 AS-COLOCROSSING-HostPapaUS United States 11->37 39 127.0.0.1 unknown unknown 11->39 27 C:\Users\user\AppData\Local\Temp\THFF9.tmp, PE32+ 11->27 dropped 29 C:\Users\user\AppData\Local\Temp\THFF6D.tmp, PE32+ 11->29 dropped 31 C:\Users\user\AppData\Local\Temp\THFC28.tmp, PE32+ 11->31 dropped 33 66 other malicious files 11->33 dropped 55 Tries to harvest and steal browser information (history, passwords, etc) 11->55 57 Modifies the context of a thread in another process (thread injection) 11->57 59 Maps a DLL or memory area into another process 11->59 61 4 other signatures 11->61 16 svchost.exe 3 11->16         started        19 svchost.exe 3 11->19         started        21 svchost.exe 3 11->21         started        23 35 other processes 11->23 file8 signatures9 process10 signatures11 41 Unusual module load detection (module proxying) 16->41
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 64 Exe x64
Threat name:
Win64.Backdoor.Remcos
Status:
Malicious
First seen:
2026-07-15 18:54:19 UTC
File Type:
PE+ (Exe)
Extracted files:
19
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:remcos botnet:jesus christ rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Family: Remcos
Malware Config
C2 Extraction:
45.225.135.94:2404
Unpacked files
SH256 hash:
4337290c0f38bd812f247315283f3981301b4e9687b9301a5b6ebc640e5c777a
MD5 hash:
a15ab51656f70702676510eaf207f117
SHA1 hash:
71d244af6b9d8ece471a7d879ebb66176a937a04
SH256 hash:
a0a6431feb4e09018d99acdc02f2139fbacd68420b0f84d4b22a9e091aaac707
MD5 hash:
48452d7f73a0e73b62a16b4c88068a60
SHA1 hash:
ef5a3edd25cf3cf664e93c38fbe9034ce652d117
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 4337290c0f38bd812f247315283f3981301b4e9687b9301a5b6ebc640e5c777a

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments