MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5376f3fdc59befa0e3af575beb1ca43180a9edceae0a26eba338aa2b1ca37953. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 21

Intelligence 21 IOCs YARA 24 File information Comments

SHA256 hash:	5376f3fdc59befa0e3af575beb1ca43180a9edceae0a26eba338aa2b1ca37953
SHA3-384 hash:	4c670e1d7831a072b20b7f52d94ca9f3b64eea143bf76babced928b196fd846406a2fc7b128be6eebe18aa5082a2cd4f
SHA1 hash:	d93475096b39569d5721719ae4dea75f25de9e28
MD5 hash:	d72666dbb09fc973c2648a1f3699382f
humanhash:	edward-carpet-india-mobile
File name:	RH98766789000000802.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	839'680 bytes
First seen:	2025-10-03 15:01:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	21371b611d91188d602926b15db6bd48 (70 x Formbook, 33 x AgentTesla, 20 x RemcosRAT)
ssdeep	24576:Qf+iN57Gtene3NNlVyg/yExHo7ZFHzRYO/X7p:2LXKtene3NDVNlxHo7ZFHz77
TLSH	T1F70523569AC09DB0E111B330C037CC955E29B830AD1AA62BC76DF5E97C70383F967A5E
TrID	39.1% (.EXE) UPX compressed Win32 Executable (27066/9/6) 38.3% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 7.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.9% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	threatcat_ch
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

138

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

RH98766789000000802.exe

Verdict:

Malicious activity

Analysis date:

2025-10-03 15:03:12 UTC

Tags:

auto-startup

Link:

https://app.any.run/tasks/8229c0d5-6c2e-4507-adb3-23a408b3ca22

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/30048/

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68dfe57946f20313bf3876b0

Tags:

autorun crypted spawn remo

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a file

Creating a process from a recently created file

Launching a process

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Connection attempt to an infection source

Sending a TCP request to an infection source

Enabling autorun by creating a file

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

autoit compiled-script evasive fingerprint microsoft_visual_cc obfuscated packed packed packed packer_detected threat upx

Link:

https://www.filescan.io/uploads/68dfe59d74e5a28989a0093e/reports/57cae3e8-9ba6-4e85-ba2c-f39bd50d94bc/overview

Verdict:

Malicious

Labled as:

Cerbu.Generic

Link:

https://www.hybrid-analysis.com/sample/5376f3fdc59befa0e3af575beb1ca43180a9edceae0a26eba338aa2b1ca37953

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-03T02:18:00Z UTC

Last seen:

2025-10-05T12:15:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/5376f3fdc59befa0e3af575beb1ca43180a9edceae0a26eba338aa2b1ca37953/results?tab=lookup

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/aab9f79c-3cd0-4e13-ad09-b0fa3c45656c

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1788822

Signature

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Detected Remcos RAT

Drops VBS files to the startup folder

Found malware configuration

Installs a global keyboard hook

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: Remcos

Sigma detected: WScript or CScript Dropper

Suricata IDS alerts for network traffic

Switches to a custom stack to bypass stack traces

System process connects to network (likely due to code injection or exploit)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5376f3fdc59befa0e3af575beb1ca43180a9edceae0a26eba338aa2b1ca37953

Verdict:

Malware

YARA:

5 match(es)

Tags:

AutoIt Decompiled Executable PE (Portable Executable) PE File Layout Suspect Win 32 Exe x86

Link:

https://app.malva.re/file/d72666dbb09fc973c2648a1f3699382f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5376f3fdc59befa0e3af575beb1ca43180a9edceae0a26eba338aa2b1ca37953/

Verdict:

Malicious

Threat:

Family.REMCOS

Link:

https://tip.neiki.dev/file/5376f3fdc59befa0e3af575beb1ca43180a9edceae0a26eba338aa2b1ca37953

Threat name:

Win32.Trojan.AutoitInject

Status:

Malicious

First seen:

2025-10-03 05:11:29 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 36 (77.78%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=kn3ph7oftpx2by5pk5n6whfeggakt3oovyfcn25dhcvcwhfdpfjq._file

Verdict:

malicious

Label(s):

remcos

Similar samples:

error

RemcosRAT

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost discovery rat upx

Link:

https://tria.ge/reports/251003-selszsssdx/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

AutoIT Executable

Suspicious use of SetThreadContext

UPX packed file

Drops startup file

Executes dropped EXE

Remcos

Remcos family

Malware Config

C2 Extraction:

198.12.126.169:8787

Verdict:

Malicious

Tags:

Remcos

YARA:

n/a

Link:

https://app.threat.zone/submission/6b508049-43b5-4c2b-b0b1-e5e0e8653226

Unpacked files

SH256 hash:

5376f3fdc59befa0e3af575beb1ca43180a9edceae0a26eba338aa2b1ca37953

MD5 hash:

d72666dbb09fc973c2648a1f3699382f

SHA1 hash:

d93475096b39569d5721719ae4dea75f25de9e28

Link:

https://www.unpac.me/results/e1644974-67b9-4d98-9ea7-543d54e46c2f/

SH256 hash:

545671e66fb4496793dc4b1fc5af753c615c6c9fef295a6338d01065b0666876

MD5 hash:

f4ce70b4579d006922c48752b7857afb

SHA1 hash:

bb2547d905dbad0987054de67b48c53e9ef987c4

Detections:

win_remcos_w0

win_remcos_auto

Remcos

malware_windows_remcos_rat

win_remcos_rat_unpacked

INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer

Link:

https://www.unpac.me/results/e1644974-67b9-4d98-9ea7-543d54e46c2f/

Parent samples :

0ce45ef5e6b470b80e4c7079377953db80ecfc5393fb76ee4568fa334c613924
ed17eb2e83fcca67ba66de21c6357ed58d2c684793aa0e7364e120c189488a6e
b8d9098cd559f1cad2b5822c4f41a0e1d105878a95650967539014826a856220
a4469de201ddfb4d5102a3cfeb04974284a9469074ebe6e4859baead0685154a
3e5dc24c78b7e9adf091d621235f04be8b83a31cdcbe635865c4f6453c4b59b9
89294d5c1a033154e10fd604877db9a4b80f48bde81b1c72639fe36fbf0c224a
5376f3fdc59befa0e3af575beb1ca43180a9edceae0a26eba338aa2b1ca37953
4692619ce40d97bef76e23478bb66e119fef350b7ca0024163fdb335b91420fa
e16e382a86bb0930cf4dfa72fea34e7f65948d9ebf669b8282fd9405aea737d5

SH256 hash:

1d1cd6d08a8cc367431da094a6838ba951b0404a31649936be55a501685dcfad

MD5 hash:

0e5b988e13241819bea9604fe8efcb00

SHA1 hash:

ea24a76ec625c17531458e083fad73027d9fda5a

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/e1644974-67b9-4d98-9ea7-543d54e46c2f/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5376f3fdc59b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Remcos

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/5376f3fdc59befa0e3af575beb1ca43180a9edceae0a26eba338aa2b1ca37953

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	iexplorer_remcos Create hunting rule
Author:	iam-py-test
Description:	Detect iexplorer being taken over by Remcos

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	upx_largefile Create hunting rule
Author:	k3nr9

Rule name:	Windows_Trojan_Remcos_b296e965 Create hunting rule
Author:	Elastic Security
Reference:	https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

Rule name:	win_remcos_rat_unpacked Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects strings present in remcos rat Samples.

Rule name:	win_remcos_w0 Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects strings present in remcos rat Samples.

Rule name:	yarahub_win_remcos_rat_unpacked_aug_2023 Create hunting rule
Author:	Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

exe 5376f3fdc59befa0e3af575beb1ca43180a9edceae0a26eba338aa2b1ca37953

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/30048/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample