MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4cc032e33eb281b2fcac95d224c0f8cb37217cb7da66163963af032de1e3f91a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 7 File information Comments

SHA256 hash:	4cc032e33eb281b2fcac95d224c0f8cb37217cb7da66163963af032de1e3f91a
SHA3-384 hash:	8498f356a9461cd818f6a9bcdfaaee1f09846bbf7cfeb8b98e32148d9cae3b1f2983c338860aa15be5bd90825d32a1c7
SHA1 hash:	b9e4979f4509b15c629522152da708267e0f2d8f
MD5 hash:	8f107cf70bfaaf9d442430d1d274f593
humanhash:	twelve-saturn-foxtrot-alaska
File name:	PO(S4674 Flow 1 2) - -EJ2152 - 2025.9.25.rar
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'580'977 bytes
First seen:	2025-09-25 12:37:16 UTC
Last seen:	Never
File type:	rar
MIME type:	application/x-rar
ssdeep	24576:EaP+NoNQvDPa61tOHzhNxOlSrrGFkdnczYAgND4ZBr95at04N1OAtX:/PJQr0ThZrdiGEKVtX
TLSH	T1877533CBFB22883F96F15245495345C2E4A46506A3D3A9229E095FECFF37C4118F6BCA
TrID	58.3% (.RAR) RAR compressed archive (v-4.x) (7000/1) 41.6% (.RAR) RAR compressed archive (gen) (5000/1)
Magika	rar
Reporter	cocaman
Tags:	rar RemcosRAT

cocaman

Malicious email (T1566.001)
From: ""Ngu Liew" <esme@eddiexie.com>" (likely spoofed)
Received: "from spite.eddiexie.com (spite.eddiexie.com [94.156.175.114]) "
Date: "25 Sep 2025 05:35:29 -0700"
Subject: "New Order inquiry ( 25-09-2025 )"
Attachment: "PO(S4674 Flow 1+2) - -EJ2152 - 2025.9.25.rar"

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 2 file(s), sorted by their relevance:

File name:	08-009-TA-9036&37AWAJI.pdf
File size:	547'550 bytes
SHA256 hash:	6a8dd48130e893ca6f9de2b880ed9d889fe4b261ebc8bb9fcbfd22026c7722d9
MD5 hash:	c96b4638ca5823e3eb3fab56a7f8d0c5
MIME type:	application/pdf
Signature	RemcosRAT

File name:	SEPTMER ORDER HGH-PO25012 - PTWH SMS EL49.scr
File size:	1'144'832 bytes
SHA256 hash:	242418928ee50cd9d4c70bddf5b9434ee65244aa46376f123f1c59359c281eaa
MD5 hash:	0755252c826a1427e4599d22c5fee3f8
MIME type:	application/x-dosexec
Signature	RemcosRAT

Vendor Threat Intelligence

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68d551c4cc9425144151e5ed

Tags:

remcos virus krypt msil

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 bitmap evasive lolbin masquerade msbuild obfuscated packed packed packed rat rat reconnaissance regsvcs remcos remcos rezer0 roboski schtasks stego vbc windows

Link:

https://www.filescan.io/uploads/68d537c6674d5fd6aa0c67b4/reports/da173ef4-a497-44df-b697-bbc5efd800e8/overview

Verdict:

Suspicious

Labled as:

Mal/DrodRar

Link:

https://www.hybrid-analysis.com/sample/4cc032e33eb281b2fcac95d224c0f8cb37217cb7da66163963af032de1e3f91a

Verdict:

Malicious

File Type:

rar

First seen:

2025-09-25T10:57:00Z UTC

Last seen:

2025-09-25T10:57:00Z UTC

Hits:

~10

Detections:

HEUR:Backdoor.MSIL.Remcos.gen

Link:

https://opentip.kaspersky.com/4cc032e33eb281b2fcac95d224c0f8cb37217cb7da66163963af032de1e3f91a/results?tab=lookup

Verdict:

inconclusive

YARA:

2 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout Rar Archive SOS: 0.25

Link:

https://app.malva.re/file/8f107cf70bfaaf9d442430d1d274f593

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4cc032e33eb281b2fcac95d224c0f8cb37217cb7da66163963af032de1e3f91a/

Verdict:

Malicious

Threat:

Family.REMCOS

Link:

https://tip.neiki.dev/file/4cc032e33eb281b2fcac95d224c0f8cb37217cb7da66163963af032de1e3f91a

Threat name:

Win64.Trojan.Egairtigado

Status:

Malicious

First seen:

2025-09-25 12:37:19 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jtadfyz6wka3f7fmsxjcjqhyzm3sc7fx3jtbmoldv4bs3ypd7ena._file

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos adware collection credential_access discovery execution persistence rat spyware stealer

Link:

https://tria.ge/reports/250925-qml3lsal3x/

Behaviour

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/4cc032e33eb281b2fcac95d224c0f8cb37217cb7da66163963af032de1e3f91a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	win32_dotnet_form_obfuscate Create hunting rule
Author:	Reedus0
Description:	Rule for detecting .NET form obfuscate malware

Rule name:	win32_dotnet_loader Create hunting rule
Author:	Reedus0
Description:	Rule for detecting .NET loader malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

rar 4cc032e33eb281b2fcac95d224c0f8cb37217cb7da66163963af032de1e3f91a

(this sample)

RemcosRAT

exe 242418928ee50cd9d4c70bddf5b9434ee65244aa46376f123f1c59359c281eaa

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 242418928ee50cd9d4c70bddf5b9434ee65244aa46376f123f1c59359c281eaa

Dropping

SHA256 6a8dd48130e893ca6f9de2b880ed9d889fe4b261ebc8bb9fcbfd22026c7722d9

Dropping

MD5 0755252c826a1427e4599d22c5fee3f8

Dropping

MD5 c96b4638ca5823e3eb3fab56a7f8d0c5

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample