MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4cce5506593907c3db78282849ed41729ca7cf737e1d38cb82dc10e27d92ff16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 18

Intelligence 18 IOCs YARA 25 File information Comments

SHA256 hash:	4cce5506593907c3db78282849ed41729ca7cf737e1d38cb82dc10e27d92ff16
SHA3-384 hash:	49e6633f0280793d30c7d16ae7a447015bebc3023526a7f5b745b264d3593222c3623b95ca0dee8bc7c0a9e044ed49b0
SHA1 hash:	8d6518f2ea260d9835c3ed7190808fc263ed010a
MD5 hash:	88ad99bd08e94b721914d8368c3a259b
humanhash:	lake-don-blossom-oxygen
File name:	J-230512-31246_-_111553_-_31246.pif.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	902'656 bytes
First seen:	2026-05-21 14:16:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'991 x AgentTesla, 19'898 x Formbook, 12'331 x SnakeKeylogger)
ssdeep	24576:qQ/EymH4hro8jGqj56ulEJ8v+FgFOfY823:3yHGrhGqdFlECv+CX
Threatray	1'448 similar samples on MalwareBazaar
TLSH	T18E1523E2A199E407E9861BF00932E3751775AE4CA517E323FED93DF73852F2424482C9
TrID	73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.6% (.EXE) Win64 Executable (generic) (6522/11/2) 4.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	TomU
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

Remcos RoboSki

Details

Remcos

a version number and verbose configuration settings

RoboSki

a decrypted ReZer0 component and possibly a decryption component

RoboSki

a Base64 + XOR/Sub-decrypted component, its associated key, a mutex, a filename, and ReZer0 configuration parameters including: a load type, a download URL and filename (if configured), an interval (if configured), and varying flags

Link:

https://research.acce.ciphertechsolutions.com/results/8a6c6e7a-79c9-4f4b-ba49-62b4a88a4735/

Malware family:

remcos

ID:

File name:

mensajes.zip

Verdict:

Malicious activity

Analysis date:

2024-09-27 06:41:39 UTC

Tags:

attachments attc-unc rat remcos evasion exfiltration smtp stealer

Link:

https://app.any.run/tasks/fec2e30f-eef9-449e-851c-ba3bb8a4c0fe

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/67289/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a0f1c6333e785de369c6cf9

Tags:

infosteal remcos

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Creating a file

Sending a custom TCP request

Forced shutdown of a system process

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade packed remcos snakekeylogger

Link:

https://www.filescan.io/uploads/6a0f1965875badc3b39095d0/reports/83a6f752-7b7f-408a-bbda-872f4dfee3c7/overview

Verdict:

Malicious

Labled as:

ser.MSILheracles.Generic

Link:

https://www.hybrid-analysis.com/sample/4cce5506593907c3db78282849ed41729ca7cf737e1d38cb82dc10e27d92ff16

Verdict:

Malicious

File Type:

exe x32

First seen:

2024-09-19T03:39:00Z UTC

Last seen:

2026-05-22T00:02:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/4cce5506593907c3db78282849ed41729ca7cf737e1d38cb82dc10e27d92ff16/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/3fccbc44-7913-46a8-bc0b-2bab7bbf422b

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/4cce5506593907c3db78282849ed41729ca7cf737e1d38cb82dc10e27d92ff16

Gathering data

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/4cce5506593907c3db78282849ed41729ca7cf737e1d38cb82dc10e27d92ff16/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2024-09-19 10:07:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jthfkbszhed4hw3yfauet3kbokokpt3tpyotrs4c3qioe7ms74la._file

Verdict:

malicious

Label(s):

nirsoft

unc_loader_037

admintool_mailpassview

remcos

RemcosRAT

5fe247828f3087cbede022c3db3c57ac8c0bb0138ea8e3424021afc4e314d076

RemcosRAT

9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8

RemcosRAT

cda34c7ddc45a0ac67f0f3745b91686c285bc86f108c5c2deb36c1c3a0fb5a4f

RemcosRAT

d26670d5f425962b546d10ecd4d148f5884a3f392afe1c5fb4426466d4454c34

RemcosRAT

+ 1'438 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost discovery execution persistence rat

Link:

https://tria.ge/reports/260521-rl8ewse19l/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

SmartAssembly .NET packer

Suspicious use of SetThreadContext

Checks computer location settings

Executes dropped EXE

Uses the VBS compiler for execution

Command and Scripting Interpreter: PowerShell

Family: Remcos

Malware Config

C2 Extraction:

www.drechftankholding.com:2404

Unpacked files

SH256 hash:

4cce5506593907c3db78282849ed41729ca7cf737e1d38cb82dc10e27d92ff16

MD5 hash:

88ad99bd08e94b721914d8368c3a259b

SHA1 hash:

8d6518f2ea260d9835c3ed7190808fc263ed010a

Link:

https://www.unpac.me/results/17705c21-10b9-4a06-bc8c-54604e76722d/

SH256 hash:

879276b0a6a9ed9a14ea05450f75ad6c254a78ba99b7b7292ae39b8aca4abfad

MD5 hash:

a89de4f61bef32a2d8bfbcb15b283f7d

SHA1 hash:

3149a37d44cf5d77045ea86a1f53897b7e93f299

Detections:

win_remcos_auto

win_remcos_w0

Remcos

Link:

https://www.unpac.me/results/17705c21-10b9-4a06-bc8c-54604e76722d/

Parent samples :

c1f36f8ad9a6360ed406ff3e84dd9b9a765e6edea3d9beb7e5c303230001fd13
4ed81a9a25e52a99d76805b081679cfe3628756be4bda6a47e365506c7df3a0c
4cce5506593907c3db78282849ed41729ca7cf737e1d38cb82dc10e27d92ff16
5bf25358184f7ddd5da889cee29f7adb0f8db9aa9c130b8c83a93f616919fb9d

SH256 hash:

d1f4761e2e1e15fe454a70864c3aa1da7d6dc90582222bbd7e6d53d0bbee6f62

MD5 hash:

b08a9c9cb485bd7567bf062922a1e897

SHA1 hash:

3b5781fb115d06bdede80cb6ff627fde1a50d9f5

Link:

https://www.unpac.me/results/17705c21-10b9-4a06-bc8c-54604e76722d/

Parent samples :

e0c6754a29f3aae510a03bbfc2f03a576fa27bdb4915b35649b357912606fffa
b222db5c481e3e1421f07bd35fe5022b912d3e70214c254a00d9e8ec5c382987
2da496c1cdddd81ca1e452eacc38596132cb62883d8b568ee55e2524a054facd
c30bcd2377714775a591adfba9ffcbc833f646bf9669829acf1d0dd0c07e030d
9c7df3a3e8174fcad51ce98aa8875fd72b8e7acadb309ad8b6ac59e8a0c1d65d
39454a1ce8c389d837bb510efe44858712813fd3ef611822af3a1e5b0f64f52a
b4ea9fc8891fce7e255d583efa962256b0dee44df2de28f0e4d4ae8145f0ca5a
019c0bda2cdb00d88ddd70fae9c57490c14b218aa3c2e9f383f75fa415c03168
00bebcf6a27277b5060ea1264725f496a99b7e5d06649e6e8c9c8ad24055ec61
0787749d9897612314975e2943139157efcff4dbf604323d3d950c76b7555719

SH256 hash:

2e687df518f40f4eff2493062bfa9815f5913b0b08460d0da9eb1923c7ee591a

MD5 hash:

a9d7ac113f71d42a6a592af5038fcd9f

SHA1 hash:

df5df12d3938527419ce9046d2d413301f330862

Link:

https://www.unpac.me/results/17705c21-10b9-4a06-bc8c-54604e76722d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4cce5506593907c3db78282849ed41729ca7cf737e1d38cb82dc10e27d92ff16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	iexplorer_remcos Create hunting rule
Author:	iam-py-test
Description:	Detect iexplorer being taken over by Remcos

Rule name:	INDICATOR_EXE_Packed_MPress Create hunting rule
Author:	ditekSHen
Description:	Detects executables built or packed with MPress PE compressor

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM Create hunting rule
Author:	ditekSHen
Description:	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	TeslaCryptPackedMalware Create hunting rule

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Windows_Trojan_Remcos_b296e965 Create hunting rule
Author:	Elastic Security
Reference:	https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

Rule name:	win_remcos_w0 Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects strings present in remcos rat Samples.

Rule name:	yarahub_win_remcos_rat_unpacked_aug_2023 Create hunting rule
Author:	Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

exe 4cce5506593907c3db78282849ed41729ca7cf737e1d38cb82dc10e27d92ff16

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/67289/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample