MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5775f78e49d3cc327678941c043fb5df1f79183482fbc4782a02e811ba8732d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 20


Intelligence 20 IOCs YARA 30 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5775f78e49d3cc327678941c043fb5df1f79183482fbc4782a02e811ba8732d4
SHA3-384 hash: 48408c3a82025aeeacdc1b5d8db4919f458f8a61e2860abcfee7371f4ebbf38d93dd7b859762ad04df044e773c3aa128
SHA1 hash: 2d166aae1eee6c91d36489c1c35ff5b668e8900f
MD5 hash: 2d4b3389dc9521983f2ca72271b65a9a
humanhash: enemy-sweet-mobile-artist
File name:Order Drawing.pif
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:901'656 bytes
First seen:2025-10-21 05:53:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:ZHAnqfwdM7RXCC9P8ROXXKiANSMHGuWHc4w3y:ZHAUIC9UROX6iATHb4wC
Threatray 1'625 similar samples on MalwareBazaar
TLSH T1BE15230E1BEDC805E8A36FF62872D67047B8BCDDC460CA57CFDA1DAB7C2A5021265781
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
_5775f78e49d3cc327678941c043fb5df1f79183482fbc4782a02e811ba8732d4.exe
Verdict:
Malicious activity
Analysis date:
2025-10-21 06:03:56 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/f9cb59ed-15b4-4431-9e57-3b731df37607

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/33581/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f7201e3edd081eba4044d7
Tags:
injection packed shell lien
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Connecting to a non-recommended domain
Connection attempt
Sending a custom TCP request
Creating a file in the %temp% directory
Launching a process
Reading critical registry keys
Launching a service
Forced shutdown of a system process
Stealing user critical data
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
explorer lolbin masquerade obfuscated overlay packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/68f720463a79800405ed96a5/reports/37439508-71e3-401d-9471-125c97c8430b/overview
Verdict:
Malicious
Labled as:
Trojan.PasswordStealer.Generic
Link:
https://www.hybrid-analysis.com/sample/5775f78e49d3cc327678941c043fb5df1f79183482fbc4782a02e811ba8732d4
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-21T03:12:00Z UTC
Last seen:
2025-10-21T03:43:00Z UTC
Hits:
~10
Detections:
Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb HEUR:Trojan-PSW.MSIL.Agensla.gen Trojan-Dropper.Win32.Injector Trojan.MSIL.Crypt.sb PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/5775f78e49d3cc327678941c043fb5df1f79183482fbc4782a02e811ba8732d4/results?tab=lookup
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d5948b68-84f9-4e19-8ed9-862dd85ec307
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1798891
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to determine the online IP of the system
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Detected Remcos RAT
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1798891 Sample: Order Drawing.pif.exe Startdate: 21/10/2025 Architecture: WINDOWS Score: 100 37 Suricata IDS alerts for network traffic 2->37 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 22 other signatures 2->43 7 Order Drawing.pif.exe 4 2->7         started        process3 file4 27 C:\Users\user\...\Order Drawing.pif.exe.log, ASCII 7->27 dropped 53 Adds a directory exclusion to Windows Defender 7->53 11 Order Drawing.pif.exe 4 3 7->11         started        16 powershell.exe 23 7->16         started        signatures5 process6 dnsIp7 35 196.251.86.85, 2404, 49718, 49719 SONIC-WirelessZA Seychelles 11->35 29 C:\Users\user\AppData\Local\Temp\TH73D8.tmp, MS-DOS 11->29 dropped 31 C:\Users\user\AppData\Local\Temp\TH731C.tmp, MS-DOS 11->31 dropped 33 C:\Users\user\AppData\Local\Temp\TH72AD.tmp, PE32 11->33 dropped 55 Detected Remcos RAT 11->55 57 Maps a DLL or memory area into another process 11->57 18 RmClient.exe 1 11->18         started        21 RmClient.exe 2 11->21         started        23 RmClient.exe 1 11->23         started        59 Loading BitLocker PowerShell Module 16->59 25 conhost.exe 16->25         started        file8 signatures9 process10 signatures11 45 Tries to steal Instant Messenger accounts or passwords 18->45 47 Tries to steal Mail credentials (via file / registry access) 18->47 49 Tries to steal Mail credentials (via file registry) 21->49 51 Tries to harvest and steal browser information (history, passwords, etc) 21->51
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5775f78e49d3cc327678941c043fb5df1f79183482fbc4782a02e811ba8732d4
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.39 Win 32 Exe x86
Link:
https://app.malva.re/file/2d4b3389dc9521983f2ca72271b65a9a
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5775f78e49d3cc327678941c043fb5df1f79183482fbc4782a02e811ba8732d4/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/5775f78e49d3cc327678941c043fb5df1f79183482fbc4782a02e811ba8732d4
Threat name:
ByteCode-MSIL.Trojan.XWorm
Create hunting rule
Status:
Malicious
First seen:
2025-10-21 05:55:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k527pdsj2pgde5tysqoaip5v34pxsgbuql54i6bkalubdouhglka._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
remcos
Create hunting rule
admintool_mailpassview
Create hunting rule
nirsoft
Create hunting rule
Similar samples:
3d291ac83b4d8f072c8998a788d1ce213445e1ade6b6e9b5751863c10826df44
RemcosRAT
44b4e8fd5f88de4ef6a49b7d42e9b31c226f66346db7f73d3ad8aaf1074c7f12
RemcosRAT
5756bb7dd6781086bfa7c5af6786f9792c895f29900f37eb92284ab38224c8f8
RemcosRAT
724d81eb1abf92eb7520ca1534f9c10fb83a5743a2f8ce956e94e0a9af725f8d
RemcosRAT
915bbdf3cf472b1eb3ce2e4a3859214867cd885899b7c26bc13561709e122920
RemcosRAT
b5c978f16a11c1bc6589e5b4b78d08fec1cea4cf2df5df9c67b1eda26e485f6d
RemcosRAT
c00ac7db911562a04b55c3ba2f92d7dd8b3ef36991c60536ae04fc86b73cb928
RemcosRAT
c734213b41e4d5eda359c15b3bbcf546a2d7a77308085cd136d3742816aeb667
RemcosRAT
d2ed08a124a2e2da4446c03d4487083a7078d901dff790c2ae0a8e61005a1eaf
RemcosRAT
error
RemcosRAT
+ 1'615 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos collection discovery execution rat
Link:
https://tria.ge/reports/251021-gvlx5s1qel/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Remcos
Remcos family
Malware Config
C2 Extraction:
196.251.86.85:2404
Unpacked files
SH256 hash:
5775f78e49d3cc327678941c043fb5df1f79183482fbc4782a02e811ba8732d4
MD5 hash:
2d4b3389dc9521983f2ca72271b65a9a
SHA1 hash:
2d166aae1eee6c91d36489c1c35ff5b668e8900f
Link:
https://www.unpac.me/results/84455b29-1c70-4626-8f22-9ec8fd52246c/
SH256 hash:
6f6db5633fd026acbea80701ab558fbb29fa2a9508b152891a43454751039dd1
MD5 hash:
cbdc167a5f0da5305940da3c346fac02
SHA1 hash:
4224ea1e06a32399cc1e0a6aff756ebb5e984f52
Link:
https://www.unpac.me/results/84455b29-1c70-4626-8f22-9ec8fd52246c/
SH256 hash:
cc2856a5d3f6c1845c71bedac407c8c8d15ed129c9654327483812e354241671
MD5 hash:
4213caf36051e3aadc5c15a91bc90936
SHA1 hash:
a223193e19d60873c750ea91196bcb9fea2bd8a8
Detections:
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
Remcos
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Link:
https://www.unpac.me/results/84455b29-1c70-4626-8f22-9ec8fd52246c/
Parent samples :
5775f78e49d3cc327678941c043fb5df1f79183482fbc4782a02e811ba8732d4
0de24f8a4cdec9878e38074054d42aa45e0d35366835683d7ecdcadfce145406
SH256 hash:
ee65d032c61e38337a530c9a04af48943307d3b07b7036b667d9859257bc331a
MD5 hash:
7b2001910e398fa10005e05779fc70e9
SHA1 hash:
abed3e5e5a2fa9d84dc3062d1f51287316e91640
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/84455b29-1c70-4626-8f22-9ec8fd52246c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5775f78e49d3cc327678941c043fb5df1f79183482fbc4782a02e811ba8732d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Remcos_unpacked_PulseIntel
Create hunting rule
Author:PulseIntel
Description:Remcos Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:TeslaCryptPackedMalware
Create hunting rule
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:win_remcos_rat_unpacked
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:win_remcos_w0
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:yarahub_win_remcos_rat_unpacked_aug_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 5775f78e49d3cc327678941c043fb5df1f79183482fbc4782a02e811ba8732d4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/33581/

Comments