MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c2de026f84a1c98badcd5d253437b9ce5bb6400b11edb40a32cd43d58f79db9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 13

SHA256 hash: 4c2de026f84a1c98badcd5d253437b9ce5bb6400b11edb40a32cd43d58f79db9
SHA3-384 hash: 759c999cc68d277764c6da1e8c94cf97471312c1a55c925b09a4432e67d6c7654a8bac473a6e8f403db30823a58eab81
SHA1 hash: 89f24e81388fe9d95a323edc6cc9b922612fcbc8
MD5 hash: e5dab9cca2e5439a08c71b686618e6b4
humanhash: monkey-music-autumn-victor
File name: KIGO_CHEMICAL_ACUERDO_DE_ORDEN_DE_COMPRA.lnk
Signature: RemcosRAT
File size: 3'659 bytes
First seen: 2025-03-07 15:59:34 UTC
Last seen: Never
File type: Shortcut (lnk)
MIME type: application/octet-stream
ssdeep: 48:8P4yMaiJvZZOqsW6YxSn9TDuJbf4mIA+5MwJDrOsaEHhfEsVcdCR3ktpdVEsHBIb:8PPd8RZId1ZCVg1OwJGQPfCLPHBOvIA
Threatray: 1'681 similar samples on MalwareBazaar
TLSH: T1E2718C501DEF11DDF2734B726BECF6FB0566F8A1686EA6F411810A400B71A808C71EB9
Magika: lnk
Reporter: abuse_ch
Tags: lnk RemcosRAT

Intelligence

File Origin
# of uploads: 1
# of downloads: 101
Origin country: NL

Vendor Threat Intelligence
Verdict: Malicious
Score: 99.9%
Tags: obfuscate dropper xtreme

Result
Verdict: Malicious
File Type: LNK File - Malicious
Payload URLs
URL: http://87.121.79.103/download/75b466537a394f88abeefc3e0aa9c983.txt (File name: LNK File)
Behaviour
BlacklistAPI detected

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: autorun cmd config-extracted crypto cscript dropper evasive explorer fingerprint keylogger lolbin masquerade obfuscated packed powershell rat remcos windows
Result
Verdict: MALICIOUS

Details
Base64 Encoded Powershell Directives: Detected one or more base64 encoded Powershell directives.
IPv4 Dotted Quad URL: A URL was detected referencing a direct IP address, as opposed to a domain name.
Hidden Powershell: Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
Base64 Encoded URL: Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.

Result
Threat name:
Detection: malicious
Classification: rans.phis.troj.spyw.expl.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Detected Remcos RAT
Encrypted powershell cmdline option found
Found evasive API chain checking for user administrative privileges
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sample uses process hollowing technique
Sigma detected: Potential Data Stealing Via Chromium Headless Debugging
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Remcos
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Windows shortcut file (LNK) starts blacklisted processes
Writes to foreign memory regions
Yara detected Powershell decode and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph (ID 1632064; sample KIGO_CHEMICAL_ACUERDO_DE_OR...; start date 07/03/2025; architecture WINDOWS; score 100), rendered as a process tree with each node's signatures, dropped files and contacted hosts:

Sample (LNK): Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 12 other signatures
  cmd.exe: Windows shortcut file (LNK) starts blacklisted processes; Suspicious powershell command line found; Encrypted powershell cmdline option found
    powershell.exe: contacts 87.121.79.103 (NETERRA-ASBG, Bulgaria) and 172.67.129.178 (CLOUDFLARENETUS, United States); drops C:\Users\user\AppData\Local\...\tmpA80C.exe (PE32); Found suspicious powershell code related to unpacking or dynamic code loading; Powershell drops PE file
      tmpA80C.exe: contacts 104.245.145.253 (AMANAHA-NEWCA, Canada) and 178.237.33.50 (ATOM86-ASATOM86NL, Netherlands); drops C:\ProgramData\remcos\logs.dat (data); Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Contains functionality to bypass UAC (CMSTPLUA); 13 other signatures
        recover.exe (three instances): Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
        8 other processes: Tries to steal Mail credentials (via file registry)
          chrome.exe: contacts 172.217.18.1 (GOOGLEUS, United States) and 1.1.1.1 (CLOUDFLARENETUS, Australia)
          msedge.exe
      Acrobat.exe
        AcroCEF.exe: contacts 23.209.209.135 (TELKOMSEL-ASN-IDPTTelekomunikasiSelularID, United States)
          AcroCEF.exe
    conhost.exe
  svchost.exe: contacts 127.0.0.1
Threat name: Shortcut.Trojan.Remcos
Status: Malicious
First seen: 2025-03-05 21:21:37 UTC
File Type: Binary
AV detection: 19 of 38 (50.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: collection discovery execution
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks computer location settings
Executes dropped EXE
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Malware Config
Dropper Extraction: http://87.121.79.103/download/75b466537a394f88abeefc3e0aa9c983.txt
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Execution_in_LNK
Author: @bartblaze
Description: Identifies execution artefacts in shortcut (LNK) files.

Rule name: LNK_sospechosos
Author: Germán Fernández
Description: Detects suspicious .lnk files

Rule name: PS_in_LNK
Author: @bartblaze
Description: Identifies PowerShell artefacts in shortcut (LNK) files.

Rule name: SUSP_LNK_CMD
Author: SECUINFRA Falcon Team
Description: Detects the reference to cmd.exe inside an lnk file, which is suspicious

File information


The table below shows additional information about this malware sample such as delivery method and external references.
