MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 588f35133f3b40ab2b2388337f4350ef394133a743110b48b1a7a065c17ed40d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 13



SHA256 hash: 588f35133f3b40ab2b2388337f4350ef394133a743110b48b1a7a065c17ed40d
SHA3-384 hash: 43e2c2ce0fde594b73a806c1b84765e285ac3929b3f0956fc20591ca59467fe44ae9fbd8ec021fcc30bfa78da8016244
SHA1 hash: 631ae0dd226a90c758c00e4fa38d2e4c499b4813
MD5 hash: 89fe7834f9d946aae27fb7539a45a848
humanhash: california-december-yellow-quebec
File name: Docpac.bat
Signature: RemcosRAT
File size: 1'311 bytes
First seen: 2025-11-04 20:57:56 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/plain
ssdeep: 24:AF958fmoEEGy/V/KpddWg0zdSucpF2k9imumwn8hCkmJRqtPYbDfWJBRHBJQnvnN:ATOfmoEEhNzg0JSlFxvhnmJgtPbvBJyV
TLSH: T17F21AD3CEAA4FCD4036FB5D4467A3E86209C5B23E660376CF9C1089710242DADF3608D
Magika: powershell
Reporter: Anonymous
Tags: bat RemcosRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 61
Origin country: US

Vendor Threat Intelligence
Malware family:
ID: 1
File name: Docpac.bat
Verdict: Malicious activity
Analysis date: 2025-11-04 21:09:35 UTC
Tags: susp-powershell rat remcos remote api-base64

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Suspicious
Score: 50%
Tags: obfuscate xtreme shell
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Downloading the file
Unauthorized injection to a system process

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: base64 obfuscated powershell
Verdict: Malicious
File Type: ps1
First seen: 2025-11-03T15:06:00Z UTC
Last seen: 2025-11-04T18:47:00Z UTC
Hits: ~100
Detections: Trojan-Spy.Win64.Agent.sb Trojan.Win32.Inject.sb Trojan.PowerShell.Strion.sb Trojan.MSIL.Agent.sb PDM:Trojan.Win32.Generic

Threat name: Script-PowerShell.Backdoor.Remcos
Status: Malicious
First seen: 2025-11-04 20:23:09 UTC
File Type: Text (Batch)
AV detection: 3 of 38 (7.89%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:remcos7_5 rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
.NET Reactor proctector
Badlisted process makes network request
Remcos
Remcos family
Malware Config
C2 Extraction: 18.222.233.217:2404
Dropper Extraction: https://vendasdesistes.com.br/rnk6.txt
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments