MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a1d2f7745ee607cfe920c9fbbcb0c2294654e1bf3b20c2a9fca596707c5fb60. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a1d2f7745ee607cfe920c9fbbcb0c2294654e1bf3b20c2a9fca596707c5fb60
SHA3-384 hash: 61d1decd643b29de4864da6fb3adaf39f55c07aa4a0a7cd923df26c749ec9a9365dd48a0a96bf6b27d54695921a13845
SHA1 hash: 14740508aad6203d78ac3553f6de9709e4649c57
MD5 hash: 94cdf01ba3b63af3904af85a6a5221e1
humanhash: red-october-seventeen-delta
File name:SecuriteInfo.com.Heur.23637.21374
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:80'896 bytes
First seen:2025-05-27 21:24:48 UTC
Last seen:2025-05-27 22:45:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 68 x LummaStealer, 61 x Rhadamanthys)
ssdeep 1536:frae78zjORCDGwfdCSog01313K7s5geX2m31tfD3uUOT:VahKyd2n316g5LX3rfbOT
Threatray 1'382 similar samples on MalwareBazaar
TLSH T1B9831A0A67F821B7E4B6537899F202539A32B8A15B7957FF22C4C1BD4F236C0A531B17
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
497
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Heur.23637.21374
Verdict:
Malicious activity
Analysis date:
2025-05-27 21:26:01 UTC
Tags:
stegocampaign loader reverseloader remcos rat payload
Link:
https://app.any.run/tasks/83d3ac2b-b623-4ab4-a74e-cb1a45203e65

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/5946/
Detection(s):
SecuriteInfo.com.Heur.23637.21374.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68362f0b668438e362e78385
Tags:
dropper shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Сreating synchronization primitives
Creating a process from a recently created file
Launching a process
Connection attempt to an infection source
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
DNS request
Creating a file
Query of malicious DNS domain
Sending a TCP request to an infection source
Launching a file downloaded from the Internet
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context base64 CAB cmd explorer installer lolbin microsoft_visual_cc obfuscated powershell rundll32 runonce sfx
Link:
https://www.filescan.io/uploads/68362dfee336a33801df1d10/reports/1a008620-e247-4352-b2c4-b6185311aee0/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/4a1d2f7745ee607cfe920c9fbbcb0c2294654e1bf3b20c2a9fca596707c5fb60
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/982307ff-42f4-4cda-b2af-97f8f02f50da
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1700312
Signature
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Detected Remcos RAT
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell download and load assembly
Sigma detected: Remcos
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1700312 Sample: SecuriteInfo.com.Heur.23637... Startdate: 27/05/2025 Architecture: WINDOWS Score: 100 46 s3-w.us-east-1.amazonaws.com 2->46 48 s3-1-w.amazonaws.com 2->48 50 6 other IPs or domains 2->50 76 Suricata IDS alerts for network traffic 2->76 78 Found malware configuration 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 16 other signatures 2->82 11 SecuriteInfo.com.Heur.23637.21374.exe 1 3 2->11         started        14 svchost.exe 1 1 2->14         started        signatures3 process4 dnsIp5 44 C:\Users\user\AppData\...\6835fced1c920.vbs, ASCII 11->44 dropped 17 cmd.exe 3 2 11->17         started        62 127.0.0.1 unknown unknown 14->62 file6 process7 process8 19 wscript.exe 1 17->19         started        22 conhost.exe 17->22         started        signatures9 84 Suspicious powershell command line found 19->84 86 Wscript starts Powershell (via cmd or directly) 19->86 88 Windows Scripting host queries suspicious COM object (likely to drop second stage) 19->88 90 Suspicious execution chain found 19->90 24 powershell.exe 7 19->24         started        process10 signatures11 92 Suspicious powershell command line found 24->92 94 Found suspicious powershell code related to unpacking or dynamic code loading 24->94 27 powershell.exe 14 25 24->27         started        31 conhost.exe 24->31         started        process12 dnsIp13 56 62.60.226.165, 49715, 80 ASLINE-AS-APASLINELIMITEDHK Iran (ISLAMIC Republic Of) 27->56 58 bitbucket.org 104.192.142.25, 443, 49711 AMAZON-AESUS United States 27->58 60 s3-w.us-east-1.amazonaws.com 52.216.169.235, 443, 49713 AMAZON-02US United States 27->60 96 Writes to foreign memory regions 27->96 98 Injects a PE file into a foreign processes 27->98 100 Loading BitLocker PowerShell Module 27->100 33 MSBuild.exe 27->33         started        36 MSBuild.exe 4 15 27->36         started        40 MSBuild.exe 27->40         started        signatures14 process15 dnsIp16 64 Contains functionality to bypass UAC (CMSTPLUA) 33->64 66 Contains functionalty to change the wallpaper 33->66 68 Contains functionality to steal Chrome passwords or cookies 33->68 74 2 other signatures 33->74 52 176.65.134.10, 2404, 49717, 49720 DIOGELO-ASGB Germany 36->52 54 geoplugin.net 178.237.33.50, 49750, 80 ATOM86-ASATOM86NL Netherlands 36->54 42 C:\ProgramData\remcos\registros.dat, data 36->42 dropped 70 Detected Remcos RAT 36->70 72 Installs a global keyboard hook 36->72 file17 signatures18
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4a1d2f7745ee607cfe920c9fbbcb0c2294654e1bf3b20c2a9fca596707c5fb60
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a1d2f7745ee607cfe920c9fbbcb0c2294654e1bf3b20c2a9fca596707c5fb60/
Threat name:
Win64.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-05-27 21:26:41 UTC
File Type:
PE+ (Exe)
Extracted files:
12
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jios652f5zqhz7usbsp3xsymekkgktq36ozayku7zjmwob6f7nqa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
18c96dbde931aa37ed3e519ce700da01c5d47cb5e1b50116e6d6ba1109d22566
RemcosRAT
394b7bdb5d0f6d9b42b22175e11b04251d1ebdc3e7bdcd6dfa90ca7d8c458397
RemcosRAT
6607d80dd10dfb2832eb14c78fd7402e9c63f6d3d1ac82b113f099d1d6cc80fb
RemcosRAT
77d0a0632b34e8c4e787d8ec1f0ddd584a1ee65aa6591bda6fee71af658e8761
RemcosRAT
9298408e1090d2786659c1a039f305fee49b94fc47700e2124dc4113ebb49da3
RemcosRAT
cf1f146ffa6951e45c24eada8fcef9fae06e8c7613ea0a5438d7bb6b868cadc9
RemcosRAT
e3716110ea1af3d3c25e6aca80b9e899236cf3c03ab3da4fa6271f9580d7cb61
RemcosRAT
error
RemcosRAT
+ 1'372 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/250527-z92w1szj12/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/643b8b5b-2b3a-4ce8-ab98-d2e71aae4d18
Unpacked files
SH256 hash:
4a1d2f7745ee607cfe920c9fbbcb0c2294654e1bf3b20c2a9fca596707c5fb60
MD5 hash:
94cdf01ba3b63af3904af85a6a5221e1
SHA1 hash:
14740508aad6203d78ac3553f6de9709e4649c57
Link:
https://www.unpac.me/results/a596be4a-1f9c-47ec-8690-8482a94c6830/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4a1d2f7745ee/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4a1d2f7745ee607cfe920c9fbbcb0c2294654e1bf3b20c2a9fca596707c5fb60

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 4a1d2f7745ee607cfe920c9fbbcb0c2294654e1bf3b20c2a9fca596707c5fb60

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3553908/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/5946/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA

Comments