MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4edeb50b9b757b95e352d4f67827c2e9b32dad7574eaa2438d38822e0cdff459. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4edeb50b9b757b95e352d4f67827c2e9b32dad7574eaa2438d38822e0cdff459
SHA3-384 hash: df8b5538aa95873babb2314659c80b0dd1c0d143d979ca7ca3d5cf808a4e05efdf4766a914d0fb0c79f39dc482af4eb4
SHA1 hash: 336bd368e3be762605aa878bb6d9835ddcf2f595
MD5 hash: 5bdf4572695c2fc4f9ced498e7a976f4
humanhash: cup-uniform-echo-island
File name:4edeb50b9b757b95e352d4f67827c2e9b32dad7574eaa2438d38822e0cdff459
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:945'664 bytes
First seen:2025-10-09 14:59:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:z4z4iQk00JEf7mUoKxhaAlGhAN9xinxkiL:Mz0df6TKLaUGhAN3inxk0
Threatray 4'108 similar samples on MalwareBazaar
TLSH T1F8151201239DF617D0B25BF41C70D3B527759E98A40AD20B8FFBADDBB829B056C4439A
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
59
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
21e3f272337171effeeb2af5896a4d1b5b330410fde3ae2cd2ee83f2f1533efc.gz
Verdict:
Malicious activity
Analysis date:
2025-09-25 15:40:33 UTC
Tags:
arch-exec remcos rat auto-sch-xml
Link:
https://app.any.run/tasks/b42f7150-a6a4-46ad-bc07-a52b2e885e7f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/31778/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68d5512ecc9425144151e385
Tags:
kryptik remcos virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Connection attempt
DNS request
Sending an HTTP GET request
Connection attempt to an infection source
Sending a TCP request to an infection source
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/68e7eb3dd4a0085473c5bfcd/reports/95ea6a34-abe3-471d-bd1d-fd20e7f7bf01/overview
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/4edeb50b9b757b95e352d4f67827c2e9b32dad7574eaa2438d38822e0cdff459
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-25T04:15:00Z UTC
Last seen:
2025-10-09T04:01:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/4edeb50b9b757b95e352d4f67827c2e9b32dad7574eaa2438d38822e0cdff459/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/03cd0ec1-3ad7-453d-a171-03f075229e4a
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4edeb50b9b757b95e352d4f67827c2e9b32dad7574eaa2438d38822e0cdff459
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.51 Win 32 Exe x86
Link:
https://app.malva.re/file/5bdf4572695c2fc4f9ced498e7a976f4
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4edeb50b9b757b95e352d4f67827c2e9b32dad7574eaa2438d38822e0cdff459/
Threat name:
ByteCode-MSIL.Trojan.PureLogStealer
Create hunting rule
Status:
Malicious
First seen:
2025-09-25 07:32:44 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
27 of 36 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j3plkc43ov5zly2s2t3hqj6c5gzs3llvotvkeq4nhcbc4dg76rmq._file
Verdict:
malicious
Label(s):
unc_loader_078
Create hunting rule
remcos
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
04791fca99b14d28f631cb796b4607a838f7d344204b5d65335213292c6294e7
RemcosRAT
0ec6222a3efca1282318e4d8580df2f1707d1efe4b24dd5644f5de6c3a97fd44
RemcosRAT
3093077e390786c3463e88ea9520a2423102c90486b250fad40105fbad16285e
RemcosRAT
30df94c4a321c1459296fbbb1efb2bd42e178a64fc0cfce897ec1e1bc27b7e47
RemcosRAT
3799fefd99f0042be2e286b28b2902fd3a7ec31d812694ff7a96f266b11b8003
RemcosRAT
a375f14f98fb9a4242cc2528e0cc369542a197f8ed545a9c6cb445370b00ff29
RemcosRAT
b888ae8492bddf1d7d669510ffcfd67a6ccca5b435bcd81b1f5248f224f45c80
RemcosRAT
d65c7d2e8c2336f34fc84f6f61a9e1e55c58e0fef0bafbd8b45348d16bb8b591
RemcosRAT
dc8e0752010c76c6815c5631eb656e8e8f179be1a794c5f6679e5072d6ffe496
RemcosRAT
ed17eb2e83fcca67ba66de21c6357ed58d2c684793aa0e7364e120c189488a6e
RemcosRAT
+ 4'098 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost discovery execution persistence rat
Link:
https://tria.ge/reports/251009-vfyv2swybv/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Remcos
Remcos family
Malware Config
C2 Extraction:
127.0.0.1:29444
196.251.92.69:29444
nnamoograce.duckdns.org:29444
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/975e88bb-9a9e-45f0-846b-838197928600
Unpacked files
SH256 hash:
4edeb50b9b757b95e352d4f67827c2e9b32dad7574eaa2438d38822e0cdff459
MD5 hash:
5bdf4572695c2fc4f9ced498e7a976f4
SHA1 hash:
336bd368e3be762605aa878bb6d9835ddcf2f595
Link:
https://www.unpac.me/results/b6227085-28c8-4df9-b851-baf5c4493f89/
SH256 hash:
dc71e7bfa37e9a31ac579b4401e1d0ef7b6061a720e02a2d30b90f95770c59a8
MD5 hash:
486cdd4b989843dac0146c207fc8c546
SHA1 hash:
8fd3f8bf76516cfcb29d7b046bbad838bc5b1f1b
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/b6227085-28c8-4df9-b851-baf5c4493f89/
SH256 hash:
cdb8ac92c7a341ee1ead563bf7b48a244d580acfb30704043b6d4b24ea5ccf09
MD5 hash:
07ca79c30cd50df8c68d115eebd52475
SHA1 hash:
a70c058086cd6156059b9947aee5bcd3f75f3336
Link:
https://www.unpac.me/results/b6227085-28c8-4df9-b851-baf5c4493f89/
SH256 hash:
bee1b0b11f41f84b72e519992a1addc5a680e1356100ff4bbb4b830f130024a5
MD5 hash:
7407137b7ce04f516af1390b2c8a09ec
SHA1 hash:
b82bd3aaa6b21d37ad2509f45d3df014af161cc7
Detections:
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
Remcos
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Link:
https://www.unpac.me/results/b6227085-28c8-4df9-b851-baf5c4493f89/
Parent samples :
eaf004bc6b3be63cb19e34ad0375a1fdad0268aef279469bc135179d19372dbe
d5a570481841b1d87e060de662e0d98cd76f77ecea5e4717085a40b0327c083d
4558b85000c0cb3a7038087f80c606cfd08e724d06532fb95301d8dd564bec91
0874e7b9ba2653207308bad8a2efca4a30690413a4eaeace15a6b4d601a5bb94
1519c35519813943ccd719d66d625a356627b5cfd9e5b21314dafc5c0d6d29c8
270930518df8bcd3b5b642ab17052b292de14ace9e4f7479bb4a988d002af834
4edeb50b9b757b95e352d4f67827c2e9b32dad7574eaa2438d38822e0cdff459
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4edeb50b9b757b95e352d4f67827c2e9b32dad7574eaa2438d38822e0cdff459

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/31778/

Comments