MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ca2b8c72520a76c0b5083d11374bacc54148c8ae7a1aebf6eba5d416486697c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 18

Intelligence 18 IOCs YARA 24 File information Comments

SHA256 hash:	4ca2b8c72520a76c0b5083d11374bacc54148c8ae7a1aebf6eba5d416486697c
SHA3-384 hash:	e5b50a1bf2f87e0631cb8ba1b699803a13c86c1c516e58f94d769d67ed9a798ee4bda24ce237fe69a9ebfa64e188e785
SHA1 hash:	d5ee3d7de64260d8e44f68c61325ffc1ece69b84
MD5 hash:	c89217e2ca0cce76f65135557390cedd
humanhash:	hotel-blue-bakerloo-enemy
File name:	4ca2b8c72520a76c0b5083d11374bacc54148c8ae7a1aebf6eba5d416486697c
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	966'144 bytes
First seen:	2025-07-31 11:35:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:jqHsvQApxD3blYCHx/wEhDlg7CCWJjOFY0k:Xnx32cx/wEhRg7CCWJjOFY0k
Threatray	4'150 similar samples on MalwareBazaar
TLSH	T1BE2512043A4AD643C4A51AB11621D1B5237CCF8CA906CE83EFE92DDFB9FEB40A521757
TrID	64.8% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.3% (.EXE) Win64 Executable (generic) (10522/11/4) 8.8% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2) 5.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	dcfcd4d4b4b4b4f4 (2 x MassLogger, 1 x Amadey, 1 x Loki)
Reporter	JAMESWT_WT
Tags:	196-251-88-252 exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

4ca2b8c72520a76c0b5083d11374bacc54148c8ae7a1aebf6eba5d416486697c

Verdict:

Malicious activity

Analysis date:

2025-07-31 11:51:01 UTC

Tags:

remcos rat netreactor remote

Link:

https://app.any.run/tasks/c3651e80-0497-48e8-8b9d-58ae0a8c1c95

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/18018/

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=688b5537af3050dc8d32b3fe

Tags:

virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Connection attempt to an infection source

Sending a TCP request to an infection source

Query of malicious DNS domain

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/4ca2b8c72520a76c0b5083d11374bacc54148c8ae7a1aebf6eba5d416486697c

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/54d42e33-f819-42cd-b1fd-8babf9f9f432

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/4ca2b8c72520a76c0b5083d11374bacc54148c8ae7a1aebf6eba5d416486697c

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

.Net Executable PE (Portable Executable) SOS: 0.44 Win 32 Exe x86

Link:

https://app.malva.re/file/c89217e2ca0cce76f65135557390cedd

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/4ca2b8c72520a76c0b5083d11374bacc54148c8ae7a1aebf6eba5d416486697c/

Threat name:

ByteCode-MSIL.Trojan.DarkCloud

Status:

Malicious

First seen:

2025-06-09 08:19:51 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jsrlrrzfectwyc2qqpirg5f2zrkbjdek46q25p3oxjouczegnf6a._file

Verdict:

malicious

Label(s):

unc_loader_037

remcos

RemcosRAT

5da646edf1eed3abc74e49e1a9daf4e4e5bedb7a1652ca3311cd7f8bce650bab

RemcosRAT

81e751866842193531d97c41db2569fffd954ebf710564897145a3439e95397b

RemcosRAT

9e706da7b14851b9af90653cd6d55bd08988eb449726300d0e1775668d71490f

RemcosRAT

9f146cf7dbef2543742cf970ce79bf792211b2ffec0426600bab4e556874125b

RemcosRAT

a7ea2f8cf65a2fc6368cbe91431080aa1269cc37de7095a15237d1b411f27d93

RemcosRAT

aaab431dab3880838f6be9e7eec86c82b0631029d4f804e91a39cd46596ca983

RemcosRAT

c8bb23fb898f54fdc987c85a92aa1786c4c376ca40f11a4be496cc67bad8c8a7

RemcosRAT

e462d1a4674d1c46ee7c3eba187353dc4c6c40863493e67b3d1ab379714f97bb

RemcosRAT

fd43d26f1db150f1ce6faa221521e0ac9d32ffc26fc835bdc564ce6d93a5ee84

RemcosRAT

+ 4'140 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost discovery rat

Link:

https://tria.ge/reports/250731-nqp8bshk6z/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Remcos

Remcos family

Malware Config

C2 Extraction:

michikoak51.duckdns.org:2040
michikoak51.duckdns.org:9906
michiko.linkpc.net:9906
michikoak51.duckdns.org:5085

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/95e24b8f-d58d-4ea2-b900-d22b47ecd6bd

Unpacked files

SH256 hash:

4ca2b8c72520a76c0b5083d11374bacc54148c8ae7a1aebf6eba5d416486697c

MD5 hash:

c89217e2ca0cce76f65135557390cedd

SHA1 hash:

d5ee3d7de64260d8e44f68c61325ffc1ece69b84

Link:

https://www.unpac.me/results/028eabbe-edbe-4447-bdb4-4bf82316f931/

SH256 hash:

787cca65dcdff22f3eaa8f169470a8219cd97533729a15880103ef8c5f5b7c7f

MD5 hash:

d27686f8ffccaf1f03a6f603f919d51b

SHA1 hash:

0c6b53955084eeedbc349eb5c901e120dee30d15

Detections:

win_remcos_w0

win_remcos_auto

Remcos

malware_windows_remcos_rat

win_remcos_rat_unpacked

INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Link:

https://www.unpac.me/results/028eabbe-edbe-4447-bdb4-4bf82316f931/

SH256 hash:

cdd1fe8cfbed6d89dc051488449202c0b57e6f7fef2a180d872a368935091071

MD5 hash:

836107b15581f2e890e1e6d491bc7cf6

SHA1 hash:

13625a2bea88d2e07353aa07533370d3378d0f52

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/028eabbe-edbe-4447-bdb4-4bf82316f931/

Parent samples :

bfb97f59074a8599fcfc08eba10c56833c28c462564afb335034aa2c87b4376f
c7829cae4b8ccbec8d4bc08d45c44e785b4c006301cbd28c7344d6aeb26b838f
edccf88c03e06f24f077d14cde639f3b2d52d55e77a574086edee60494bd5760
4ca2b8c72520a76c0b5083d11374bacc54148c8ae7a1aebf6eba5d416486697c
89683b224bb5a144fd44d21c13713a7c8a2108f7869dc6def98f254dff322ece

SH256 hash:

d9f46cca03eb5ac6200c498f369d534c60c4e426f3a0d57956d3df40db28a8dc

MD5 hash:

aee152ea3a90b5cb9ce6dd97eec9ca92

SHA1 hash:

ba4783d6c4431db0742dcb37fe7294c73477fb5b

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/028eabbe-edbe-4447-bdb4-4bf82316f931/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4ca2b8c72520/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4ca2b8c72520a76c0b5083d11374bacc54148c8ae7a1aebf6eba5d416486697c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM Create hunting rule
Author:	ditekSHen
Description:	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	remcos_ Create hunting rule
Author:	Michelle Khalil
Description:	This rule detects unpacked remcos malware samples.

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	Remcos_unpacked_PulseIntel Create hunting rule
Author:	PulseIntel
Description:	Remcos Payload

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Windows_Trojan_Remcos_b296e965 Create hunting rule
Author:	Elastic Security
Reference:	https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

Rule name:	win_remcos_rat_unpacked Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects strings present in remcos rat Samples.

Rule name:	win_remcos_w0 Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects strings present in remcos rat Samples.

Rule name:	yarahub_win_remcos_rat_unpacked_aug_2023 Create hunting rule
Author:	Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/18018/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample