MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 523244595addcb7df7d7b152cb020e7536e19adebd4a8a3c10db0d9c421d927e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT
Vendor detections: 17

SHA256 hash: 523244595addcb7df7d7b152cb020e7536e19adebd4a8a3c10db0d9c421d927e
SHA3-384 hash: 15a9dd14a92b19b66d757370be854fe479d490214f178366d4facceaea7033b6248dea19594bca87510cdb42921763d8
SHA1 hash: 036335fd826da5822918932a3bb9b7ba07cc4dcf
MD5 hash: 96a71057c8fbcb34ae82a7ce6f9d8742
humanhash: four-kilo-spring-utah
File name: 96a71057c8fbcb34ae82a7ce6f9d8742.exe
Signature: RemcosRAT
File size: 893'314 bytes
First seen: 2025-06-22 08:20:41 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8b4d0760d426c9138154c52a7dcc4339 (5 x Rhadamanthys, 5 x HijackLoader, 2 x SheetRAT)
ssdeep: 24576:ZvxJLjjZ3pR5OT4pcRYRFxJg55cKYIvcPG1zQpoudegM:9Lj1Xwk77gd1z/nT
TLSH: T1C315E119E7E804F8E4B7A2748D634A12F772BC4907719B9F23E456562F233918E3E361
TrID:
  92.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
  3.6% (.EXE) Win64 Executable (generic) (10522/11/4)
  1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
  0.7% (.EXE) OS/2 Executable (generic) (2029/13)
  0.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
dhash icon: 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter: abuse_ch
Tags: exe RemcosRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 415
Origin country: NL

Vendor Threat Intelligence

Malware family:
ID: 1
File name: bomb.exe.bin
Verdict: Malicious activity
Analysis date: 2025-06-22 00:38:35 UTC
Tags: hausbomber loader python github stealer autoit lumma screenconnect rmm-tool payload ta558 apt stegocampaign reverseloader xworm quasar rat evasion remote bittorrent mozi botnet remcos auto coinminer miner neshta arch-scr trox ngrok ftp irc smokeloader smoke dcrat smtp snake keylogger agenttesla exfiltration telegram xred backdoor generic phorpiex discord
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: downloader dropper remcos virus

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Searching for the window
  Creating a window
  Creating synchronization primitives
  Searching for synchronization primitives

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug base64 crypto fingerprint fingerprint keylogger microsoft_visual_cc overlay overlay packed packer_detected rat rat remcos remcos windows

Result
Threat name:
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature:
  Antivirus detection for dropped file
  C2 URLs / IPs found in malware configuration
  Contains functionality to steal Chrome passwords or cookies
  Contains functionality to steal Firefox passwords or cookies
  Contains functionality to change the wallpaper
  Drops PE files with a suspicious file extension
  Found malware configuration
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for dropped file
  Multi AV Scanner detection for submitted file
  Yara detected Remcos RAT
Behavior Graph:

Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) Win 64 Exe x64

Threat name: Win64.Trojan.Dacic
Status: Malicious
First seen: 2025-06-19 22:52:41 UTC
AV detection: 18 of 24 (75.00%)
Threat level: 5/5
Verdict: malicious
Label(s):
Similar samples:

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
  Suspicious use of SetWindowsHookEx

Verdict: Malicious
Tags: Win.Trojan.Remcos-9841897-0
YARA: n/a

Unpacked files
SHA256 hash: 523244595addcb7df7d7b152cb020e7536e19adebd4a8a3c10db0d9c421d927e
MD5 hash: 96a71057c8fbcb34ae82a7ce6f9d8742
SHA1 hash: 036335fd826da5822918932a3bb9b7ba07cc4dcf

SHA256 hash: 33404bd398ece0c201f19f7bb6545132b65cc84f82d5846e22d71c2e3033d471
MD5 hash: 3a3863bdecce02c4ce3f65f929e95e25
SHA1 hash: 3fb692fc63fd6aa61a22dffc638990fe504a211b

Detections: win_remcos_auto win_remcos_w0 malware_windows_remcos_rat win_remcos_rat_unpacked

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: icarus
Author: Michelle Khalil
Description: This rule detects unpacked icarus malware samples.

Rule name: pe_detect_tls_callbacks

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
RemcosRAT
Executable exe 523244595addcb7df7d7b152cb020e7536e19adebd4a8a3c10db0d9c421d927e (this sample)

Delivery method: Distributed via web download
