MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 464da3f078966db3e365cd99e319ed09c1e2181bfad974bb317283477f7ec301. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 464da3f078966db3e365cd99e319ed09c1e2181bfad974bb317283477f7ec301
SHA3-384 hash: 238fe02b5fc087a595df08cc90ef331ab46fdcfe7120269188e8b83cbb244d80ff83e2650289154492a4ba2a514fb93b
SHA1 hash: dff0e9b3957f7c8c4feb885d7a26f7ea926ed7fa
MD5 hash: e16b9d9abe8e3117a0685cb98e188edf
humanhash: item-social-social-fillet
File name:USD_Chsuss_29072025.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:744'448 bytes
First seen:2025-08-04 06:48:35 UTC
Last seen:2025-08-04 13:33:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c2880e9b7aca17f0477468157ba0621d (1 x RemcosRAT)
ssdeep 12288:7LnGROWJXt/5gx2mFqEhG7VfZKkCfIqMusiSj/iIKzyY453x:PGEet/5gRFNuFZKRfIqMuDS+z74
Threatray 315 similar samples on MalwareBazaar
TLSH T182F47E666E90483EDC2385F8DC3577D96429BD212FA5A95A3EF93D0C0B37B4E2427183
TrID 45.4% (.EXE) Win64 Executable (generic) (10522/11/4)
19.4% (.EXE) Win32 Executable (generic) (4504/4/1)
8.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
8.7% (.EXE) OS/2 Executable (generic) (2029/13)
8.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 0b34341919342228 (1 x RemcosRAT)
Reporter threatcat_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
58
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
USD_Chsuss_29072025.exe
Verdict:
Malicious activity
Analysis date:
2025-08-04 06:50:57 UTC
Tags:
delphi rat remcos
Link:
https://app.any.run/tasks/a60bd570-68d9-46f9-b977-d7c0b97733de

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/18689/
Detection(s):
Win.Trojan.Modiloader-10042434-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689057f40b4775fb2135df6f
Tags:
delphi emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Searching for the window
Creating a file in the Windows subdirectories
Sending an HTTP GET request
Moving of the original file
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context borland_delphi fingerprint keylogger obfuscated
Link:
https://www.filescan.io/uploads/689057f473b8ef6f4afd326f/reports/e054351b-153e-4bef-9063-48fbf997a897/overview
Verdict:
Malicious
Labled as:
TrojanDownloader.ModiLoader_AGen
Link:
https://www.hybrid-analysis.com/sample/464da3f078966db3e365cd99e319ed09c1e2181bfad974bb317283477f7ec301
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/751b6ff6-e337-49ab-b9a6-1fd031082520
Result
Threat name:
Remcos, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1749647
Signature
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1749647 Sample: USD_Chsuss_29072025.exe Startdate: 04/08/2025 Architecture: WINDOWS Score: 100 29 macapugas.info 2->29 31 geoplugin.net 2->31 39 Suricata IDS alerts for network traffic 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 8 other signatures 2->45 8 USD_Chsuss_29072025.exe 3 2->8         started        12 rundll32.exe 3 2->12         started        signatures3 process4 dnsIp5 33 macapugas.info 66.29.153.194, 443, 49716, 49717 ADVANTAGECOMUS United States 8->33 47 Uses schtasks.exe or at.exe to add and modify task schedules 8->47 49 Writes to foreign memory regions 8->49 51 Allocates memory in foreign processes 8->51 53 4 other signatures 8->53 14 SndVol.exe 4 14 8->14         started        18 schtasks.exe 1 8->18         started        20 conhost.exe 8->20         started        22 Nshwnhje.exe 12->22         started        signatures6 process7 dnsIp8 35 93.127.160.198, 2021, 49719 ASMUNDA-ASSC Germany 14->35 37 geoplugin.net 178.237.33.50, 49720, 80 ATOM86-ASATOM86NL Netherlands 14->37 63 Contains functionality to bypass UAC (CMSTPLUA) 14->63 65 Detected Remcos RAT 14->65 67 Contains functionalty to change the wallpaper 14->67 75 3 other signatures 14->75 24 conhost.exe 18->24         started        69 Writes to foreign memory regions 22->69 71 Allocates memory in foreign processes 22->71 73 Allocates many large memory junks 22->73 77 2 other signatures 22->77 26 colorcpl.exe 2 22->26         started        signatures9 process10 signatures11 55 Contains functionality to bypass UAC (CMSTPLUA) 26->55 57 Detected Remcos RAT 26->57 59 Contains functionalty to change the wallpaper 26->59 61 2 other signatures 26->61
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/464da3f078966db3e365cd99e319ed09c1e2181bfad974bb317283477f7ec301
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/e16b9d9abe8e3117a0685cb98e188edf
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/464da3f078966db3e365cd99e319ed09c1e2181bfad974bb317283477f7ec301/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/464da3f078966db3e365cd99e319ed09c1e2181bfad974bb317283477f7ec301
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-08-04 05:01:59 UTC
File Type:
PE (Exe)
Extracted files:
69
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=izg2h4dyszw3hy3fzwm6ggpnbha6ega37lmxjozrokbuo736ymaq._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
Similar samples:
1c3b14c9497ed65dc59cb71694816ea30ddbb60b87cd9791c75292cca243b895
RemcosRAT
366c234f5366bcc4e2205909b81c843e50836fa2cb23821b48a16248769d1295
RemcosRAT
49a31099ab0d8ed001ad0a05f46ddd334b5834730470a14327ec7ed6f5cf6187
RemcosRAT
5873a0eef8276f4e58d62fe27e7bb5c68bb36b149bc7769f49e26f7dc7ccf7d7
RemcosRAT
682c54c4bb8caf47217cbd3cfc256404f550c8104b9498da6fba55f35494e7f5
RemcosRAT
6ed930e66c11ce56d4dbfb657f505e7205a63f6b026357786006bb7762eac5d0
RemcosRAT
78c40d88491b5fc84ab86b0d2e0c3acae2a6cd35cf1026e8ae35513b746965df
RemcosRAT
error
RemcosRAT
+ 305 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader discovery execution persistence trojan
Link:
https://tria.ge/reports/250804-hlhd2afk71/
Behaviour
Scheduled Task/Job: Scheduled Task
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Verdict:
Malicious
Tags:
Win.Trojan.Modiloader-10042434-0 Remcos
YARA:
n/a
Link:
https://app.threat.zone/submission/3dbb702b-93af-4a95-99bd-0355dbc505eb
Unpacked files
SH256 hash:
464da3f078966db3e365cd99e319ed09c1e2181bfad974bb317283477f7ec301
MD5 hash:
e16b9d9abe8e3117a0685cb98e188edf
SHA1 hash:
dff0e9b3957f7c8c4feb885d7a26f7ea926ed7fa
Link:
https://www.unpac.me/results/19635ef6-4ae5-4b89-b6b2-d15b95191d86/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/464da3f07896/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 464da3f078966db3e365cd99e319ed09c1e2181bfad974bb317283477f7ec301

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/18689/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::FindFirstFileA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::PeekMessageW
user32.dll::CreateWindowExA

Comments