MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 576ac760ec2be7d545c01b834dfa888a824f54fc8d68518a64a198e8c30a29aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 20


Intelligence 20 IOCs YARA 23 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 576ac760ec2be7d545c01b834dfa888a824f54fc8d68518a64a198e8c30a29aa
SHA3-384 hash: f8f223efb1495d1e0521851eb5ed165d3cdcb6199a202b0961ac8d258351f48e91d17c28ad455cfaf0eced2f9ccfb3a9
SHA1 hash: b831b2a5d38e0b876f54ea747db442ba15cd2cec
MD5 hash: f578ffa05a1819048057042d032c127f
humanhash: kansas-oscar-hawaii-zulu
File name:ORDER774056948584757373DHDUEUR48348485URUE448EURURU448ERUE4458.bat
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:953'352 bytes
First seen:2025-08-06 11:07:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:G2Ni5ZMhM21OvP+V5UK1suCM/MnD1xVD15Eokc3GRH1h:lI5ADkIbeu8RxVZ5Eo3Gfh
Threatray 4'147 similar samples on MalwareBazaar
TLSH T1E61523413A69CA57E0ADBB750534E3300335AFDEE901E29E5FEEFC4B34A67D05A00696
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 19016149490dc400 (2 x Formbook, 2 x RemcosRAT)
Reporter lowmal3
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
65
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
ORDER774056948584757373DHDUEUR48348485URUE448EURURU448ERUE4458.bat
Verdict:
Malicious activity
Analysis date:
2025-08-06 11:25:08 UTC
Tags:
rat remcos auto-sch-xml remote
Link:
https://app.any.run/tasks/743d7e35-9fe7-4349-93db-dc29ed3dc501

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/19210/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689337781e8a59ee04e6606e
Tags:
virus krypt msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending a custom TCP request
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Setting a keyboard event handler
Connection attempt to an infection source
Sending a TCP request to an infection source
Creating a window
Query of malicious DNS domain
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
expired-cert invalid-signature lolbin masquerade packed signed squirrel vbnet
Link:
https://www.filescan.io/uploads/6893377e167d60d98ab5bd04/reports/c03c8ec7-6f91-487a-891e-ef6a7315b429/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/576ac760ec2be7d545c01b834dfa888a824f54fc8d68518a64a198e8c30a29aa
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d1c84258-bb14-4fbb-8767-31fbc204cff3
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1751275
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1751275 Sample: ORDER774056948584757373DHDU... Startdate: 06/08/2025 Architecture: WINDOWS Score: 100 50 ego34.duckdns.org 2->50 60 Suricata IDS alerts for network traffic 2->60 62 Found malware configuration 2->62 64 Malicious sample detected (through community Yara rule) 2->64 68 10 other signatures 2->68 9 ORDER774056948584757373DHDUEUR48348485URUE448EURURU448ERUE4458.bat.exe 6 2->9         started        13 siJwuPbt.exe 4 2->13         started        signatures3 66 Uses dynamic DNS services 50->66 process4 file5 44 C:\Users\user\AppData\Roaming\siJwuPbt.exe, PE32 9->44 dropped 46 C:\Users\...\siJwuPbt.exe:Zone.Identifier, ASCII 9->46 dropped 48 C:\Users\user\AppData\Local\...\tmp3FCF.tmp, XML 9->48 dropped 70 Uses schtasks.exe or at.exe to add and modify task schedules 9->70 72 Adds a directory exclusion to Windows Defender 9->72 74 Injects a PE file into a foreign processes 9->74 15 ORDER774056948584757373DHDUEUR48348485URUE448EURURU448ERUE4458.bat.exe 2 2 9->15         started        20 powershell.exe 23 9->20         started        22 powershell.exe 23 9->22         started        24 schtasks.exe 1 9->24         started        76 Multi AV Scanner detection for dropped file 13->76 78 Contains functionalty to change the wallpaper 13->78 80 Contains functionality to steal Chrome passwords or cookies 13->80 82 3 other signatures 13->82 26 siJwuPbt.exe 13->26         started        28 schtasks.exe 13->28         started        signatures6 process7 dnsIp8 52 ego34.duckdns.org 192.169.69.26, 49696, 49700, 49701 WOWUS United States 15->52 42 C:\ProgramData\remcos\logs.dat, data 15->42 dropped 54 Detected Remcos RAT 15->54 56 Installs a global keyboard hook 15->56 58 Loading BitLocker PowerShell Module 20->58 30 conhost.exe 20->30         started        32 WmiPrvSE.exe 20->32         started        34 conhost.exe 22->34         started        36 conhost.exe 24->36         started        38 conhost.exe 28->38         started        file9 signatures10 process11 process12 40 conhost.exe 38->40         started       
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/576ac760ec2be7d545c01b834dfa888a824f54fc8d68518a64a198e8c30a29aa
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable PDB Path PE (Portable Executable) SOS: 0.28 Win 32 Exe x86
Link:
https://app.malva.re/file/f578ffa05a1819048057042d032c127f
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/576ac760ec2be7d545c01b834dfa888a824f54fc8d68518a64a198e8c30a29aa/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-08-05 12:58:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=k5vmoyhmfpt5kroadobu36uirkbe6vh4rvufdcteugmorqykfgva._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
0bc4589749f91661e58192bb1200809244d27248e8ee1935baeaaaefd60aa7f6
RemcosRAT
19c2d1f233ea3d256026796196e7067af26534ab46874cf4fdbacb7e73e5922a
RemcosRAT
1b9ffe88ec292067ef1eafeffa284d8fb12a02b0d52f38fbe6834ab7a5c05009
RemcosRAT
1bfc67fda739fb4b9d8ec51ab705c1348396d37eb76be0035183e12b26c7f6ea
RemcosRAT
38bea9d33c9abedb0a1d3cb21b492de123247a0b07647cd0e04ad2ba47fef2dd
RemcosRAT
ac56ec5a81bca833585ad1c052dc5614936523763c87ade64f519b23a4f0b24a
RemcosRAT
error
RemcosRAT
+ 4'137 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:s22 discovery execution persistence rat
Link:
https://tria.ge/reports/250806-m78kkavyfx/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Remcos
Remcos family
Malware Config
C2 Extraction:
ego34.duckdns.org:5040
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6f3e986e-204d-434f-aeea-631137547140
Unpacked files
SH256 hash:
576ac760ec2be7d545c01b834dfa888a824f54fc8d68518a64a198e8c30a29aa
MD5 hash:
f578ffa05a1819048057042d032c127f
SHA1 hash:
b831b2a5d38e0b876f54ea747db442ba15cd2cec
Link:
https://www.unpac.me/results/8f8f5e11-d316-4f41-96a4-01d2d56bb6d7/
SH256 hash:
6231ca045bdb78f90fa4e09e65da692ac4500afff87a00e5772f2a1f3f6b0df5
MD5 hash:
29f1ab351d39eab7ed8eaa2aabc35327
SHA1 hash:
22d8514fc711323c0426c3f5b35c9b37d884c9f3
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/8f8f5e11-d316-4f41-96a4-01d2d56bb6d7/
Parent samples :
95ea7cad1f5295a05a2084c870724c860063568375f9ac5ea4cfcda022486915
0f35ba4092a1137650826b2cd0eff36eeb58a51c09fb1210199948a2b03a48f3
87839de578611fa6fd31f537bf3107e7b7471ee271dc458372ba6efd962f4056
f1072b6f2cef8a84384f1d3d5f64905640d41be85aa4966cbf6ada530be721ac
908ea4e10ff30ea0fb4dd724fdb19e1f9c491b443c90cf0957ed6216ff5d800e
6fd471d3b5a60eb2827287c5b805a12d8e4147c5c2ce85585b3e2748a10e6226
9975b81e9f8b7bf220475765a809c03d9462b60f27a06de2b5d867152aca5dad
abf0f414ebeb55c4ee464be758b9f279cebf0779ff269b7ecfe74267797fd251
ab0e1d7e551816ee2e46dfd74c50906118da48af18c6f8d2d91071310cbb7dbe
e4b64ae324a75568f82dd940c4017726c020051668cbb1832e88f4e806abe4e4
576ac760ec2be7d545c01b834dfa888a824f54fc8d68518a64a198e8c30a29aa
8d472caf596f0d5c7a9d1fc2bfc371f55eca7016ffe249409da702227f60a0a2
7e41a89cc3189d021b07d2c2cdcfbf151f498447e73b3539be37bbfa24586fbe
858a1f71c14ad346a95146debe2df736b00654d971bb884e6932db16404ab973
aace9b82b5a361f9fe0ea0d6d0ea6e141cca7ff9761e0d7a2665fd7752a54ffa
SH256 hash:
ae47a8158fa2c71266c0aa16e43fdc6573ece008c502ab4dfd4d9cd5f328c522
MD5 hash:
7c65863c69835756f6f6d99171e56166
SHA1 hash:
5b6b7dbe66482d5ee781b182014cdb3cf332e539
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/8f8f5e11-d316-4f41-96a4-01d2d56bb6d7/
SH256 hash:
eb4b701be570c33fa2efb8085448defae65176c1355f1da2316ab5c7d282733e
MD5 hash:
121aae7788ba9cbc4f7d50ce5bf9c340
SHA1 hash:
60aa7e626865bd00a9d16fc1c0bdb3d94e34dffd
Detections:
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
Remcos
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Link:
https://www.unpac.me/results/8f8f5e11-d316-4f41-96a4-01d2d56bb6d7/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/576ac760ec2b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/576ac760ec2be7d545c01b834dfa888a824f54fc8d68518a64a198e8c30a29aa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_
Create hunting rule
Author:Michelle Khalil
Description:This rule detects unpacked remcos malware samples.
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:win_remcos_rat_unpacked
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:win_remcos_w0
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:yarahub_win_remcos_rat_unpacked_aug_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 576ac760ec2be7d545c01b834dfa888a824f54fc8d68518a64a198e8c30a29aa

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/19210/

Comments