MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e6721af692e7b971238e4fa55b201006cc77e0e72923d74c44e9746f577f4fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e6721af692e7b971238e4fa55b201006cc77e0e72923d74c44e9746f577f4fb
SHA3-384 hash: 774c39242868b3259d340a15497c196034ec9650d9b3063c8efe9474fc301fd0178cc72bff3be2f01f146b9e7c8bc922
SHA1 hash: 854eb5c6fb420d50e68b754d2cc9863d07fa2429
MD5 hash: fab5eaace9f48ea715e6ab50da6d613a
humanhash: aspen-spring-king-summer
File name:ORDER_70495E0586FM3049538DJ59405DL495953DJ28387575NXA4595069694LAO394943900000112933.bat
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:809 bytes
First seen:2025-05-22 06:26:34 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 24:wqXptXGoLapf3oQq9u/tmIx1iMHf3owy3:x5aF3VPVm2o22
Threatray 4'104 similar samples on MalwareBazaar
TLSH T19C018E14340650E8A7748CEA4AA5B51ABA1DD1C7D302D9EC38C5D1306F24A5F69E6CD4
Magika batch
Reporter smica83
Tags:bat RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
ORDER_70495E0586FM3049538DJ59405DL495953DJ28387575NXA4595069694LAO394943900000112933.bat
Verdict:
Malicious activity
Analysis date:
2025-05-22 08:29:08 UTC
Tags:
rat remcos remote
Link:
https://app.any.run/tasks/a506e7c6-60dc-448a-8c1c-791f8ee3d71a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Script.SNH-gen.413.19036.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682ec69e2f280a98fb43302a
Tags:
shell virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Launching a process
Creating a file
Creating a window
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Running batch commands
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive lolbin masquerade timeout wscript
Link:
https://www.filescan.io/uploads/682ec43e985349514e5cc374/reports/389db844-76d1-468b-8906-f41dd35e7270/overview
Verdict:
Suspicious
Labled as:
Trojan/BAT.Agent
Link:
https://www.hybrid-analysis.com/sample/4e6721af692e7b971238e4fa55b201006cc77e0e72923d74c44e9746f577f4fb
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1696629
Signature
C2 URLs / IPs found in malware configuration
Command shell drops VBS files
Connects to a pastebin service (likely for C&C)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Potential malicious VBS script found (suspicious strings)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Remcos
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected VBS Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1696629 Sample: ORDER_70495E0586FM3049538DJ... Startdate: 22/05/2025 Architecture: WINDOWS Score: 100 71 paste.ee 2->71 73 pki-goog.l.google.com 2->73 75 3 other IPs or domains 2->75 93 Suricata IDS alerts for network traffic 2->93 95 Found malware configuration 2->95 97 Malicious sample detected (through community Yara rule) 2->97 101 15 other signatures 2->101 10 cmd.exe 2 2->10         started        14 cmd.exe 2 2->14         started        16 cmd.exe 2->16         started        signatures3 99 Connects to a pastebin service (likely for C&C) 71->99 process4 file5 65 C:\Windows\Temp\ablactated.vbs, ASCII 10->65 dropped 117 Potential malicious VBS script found (suspicious strings) 10->117 119 Command shell drops VBS files 10->119 18 wscript.exe 1 10->18         started        22 conhost.exe 10->22         started        24 timeout.exe 1 10->24         started        26 wscript.exe 14->26         started        28 conhost.exe 14->28         started        30 timeout.exe 1 14->30         started        32 wscript.exe 16->32         started        34 conhost.exe 16->34         started        36 timeout.exe 1 16->36         started        signatures6 process7 dnsIp8 77 paste.ee 23.186.113.60, 443, 49692, 49693 KLAYER-GLOBALNL Reserved 18->77 103 Suspicious powershell command line found 18->103 105 Wscript starts Powershell (via cmd or directly) 18->105 107 Windows Scripting host queries suspicious COM object (likely to drop second stage) 18->107 109 Suspicious execution chain found 18->109 38 powershell.exe 15 16 18->38         started        42 powershell.exe 26->42         started        111 System process connects to network (likely due to code injection or exploit) 32->111 44 powershell.exe 32->44         started        signatures9 process10 dnsIp11 79 ia600705.us.archive.org 207.241.227.165, 443, 49694, 49701 INTERNET-ARCHIVEUS United States 38->79 113 Writes to foreign memory regions 38->113 115 Injects a PE file into a foreign processes 38->115 46 AddInProcess32.exe 2 16 38->46         started        51 cmd.exe 2 38->51         started        53 conhost.exe 38->53         started        55 AddInProcess32.exe 42->55         started        57 conhost.exe 42->57         started        59 AddInProcess32.exe 44->59         started        61 conhost.exe 44->61         started        signatures12 process13 dnsIp14 81 209.54.102.170, 49697, 5070 ASN-QUADRANET-GLOBALUS United States 46->81 83 geoplugin.net 178.237.33.50, 49698, 80 ATOM86-ASATOM86NL Netherlands 46->83 67 C:\ProgramData\remcos\logs.dat, data 46->67 dropped 85 Detected Remcos RAT 46->85 87 Contains functionalty to change the wallpaper 46->87 89 Contains functionality to steal Chrome passwords or cookies 46->89 91 4 other signatures 46->91 69 C:\Users\Public\Downloads\inclusions.bat, data 51->69 dropped 63 conhost.exe 51->63         started        file15 signatures16 process17
Score:
0%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/4e6721af692e7b971238e4fa55b201006cc77e0e72923d74c44e9746f577f4fb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4e6721af692e7b971238e4fa55b201006cc77e0e72923d74c44e9746f577f4fb/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-05-22 00:49:45 UTC
File Type:
Text (Batch)
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jztsdl3jfz5zoery4t5flmqbabwmo7qookjd25gej2lun5lx6t5q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0163886674b564ff8973f86966aa5d625ca41f262b04f05b1bc4adf77b3d30ba
RemcosRAT
01e64e728e9cb3b71936e9e728a60bd347a9255a39b925534f3b6c730626b533
RemcosRAT
081c1e5d1c9c59d76a490b45f7062f9cfbf18fa2e5b77f827a4cfb6a5e48b5c2
RemcosRAT
0ac64e3c4051edae7fb30c1381b4406e4e79663e313b4dc0b6af84a460e011b0
RemcosRAT
544d1d3e2717f0f78c332cb3b1e234c5a6dabd2a4aff547aff382d1e802bfdcf
RemcosRAT
7487788fcc5c4477ae8eb50da0babfb0b4bbd12a1bcb640da4d10c19d73ec8d4
RemcosRAT
b202388fc74fa1cbbbd75f498fbd1a0f44a13494d021840fc897690792795d7a
RemcosRAT
baea7827b54884191bbdca46eaab9f83bbbf416de1ad0f22bb3eaab85f4e3328
RemcosRAT
cba055715bd2eafd3aa3b980a6401bc92c3afb110d4785207533db86bc73fe80
RemcosRAT
d0e342184c25134c07419b2e7bc94990078fc0c57703d72570cd383da6c37f21
RemcosRAT
error
RemcosRAT
+ 4'094 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:thursday discovery execution persistence rat
Link:
https://tria.ge/reports/250522-g88dashr81/
Behaviour
Delays execution with timeout.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Remcos
Remcos family
Malware Config
C2 Extraction:
209.54.102.170:5070
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/4e6721af692e7b971238e4fa55b201006cc77e0e72923d74c44e9746f577f4fb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments