MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5bfd0fcebd3e1ec9dcd472c4597165c6787c56ecc77eaa4855c5e918e6812cd3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 16

Intelligence 16 IOCs YARA 2 File information Comments

SHA256 hash:	5bfd0fcebd3e1ec9dcd472c4597165c6787c56ecc77eaa4855c5e918e6812cd3
SHA3-384 hash:	182d5f9698be1cddb0a2c43fc1103a17677a84a87c0d115b6dc276c1db9c2ed15593bc7989e355ea2ddee9e89738009d
SHA1 hash:	2edcedd374d4bb4da12037261d97be688d182b7f
MD5 hash:	0b2a85730c59b021254c94fdf09d86d1
humanhash:	diet-double-uncle-wolfram
File name:	In-House Tariff-1 加比0614.PDF.scr
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'547'776 bytes
First seen:	2026-06-02 06:24:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	24576:C04zhh4FJb7ZGyLaQp8mumceyGVgR9SWc1+jdQeXy5Nu9y7j9k4elUOvMLb:C04F6bxOQpnum1qPOePW6y764eyY0
Threatray	7 similar samples on MalwareBazaar
TLSH	T1286501D037F95B05EAB96B349936DE7407753D28B431F69E06D93B9F387A6018C08B22
TrID	44.6% (.EXE) Win64 Executable (generic) (6522/11/2) 14.0% (.ICL) Windows Icons Library (generic) (2059/9) 13.8% (.EXE) OS/2 Executable (generic) (2029/13) 13.7% (.EXE) Generic Win/DOS Executable (2002/3) 13.6% (.EXE) DOS Executable (generic) (2000/1)
Magika	pebin
dhash icon	69e869494969e869 (1 x Formbook, 1 x RemcosRAT)
Reporter	threatcat_ch
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

155

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

remcos

ID:

File name:

exe

Verdict:

Malicious activity

Analysis date:

2026-06-02 06:27:24 UTC

Tags:

remcos rat stealer mpress

Link:

https://app.any.run/tasks/2b31ec5a-52e3-4730-83d7-6290dc99ec8e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/68749/

Detection(s):

SecuriteInfo.com.Trojan.Packed2.50433.15822.18596.UNOFFICIAL

Verdict:

Malicious

Score:

90.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a1e775af8676ad4d3603cdd

Tags:

cobalt packed virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

masquerade packed vbnet

Link:

https://www.filescan.io/uploads/6a1e775746e44aecc0c9720d/reports/b7cfc967-b89c-44b9-9eb1-ff9fadec63ee/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/5bfd0fcebd3e1ec9dcd472c4597165c6787c56ecc77eaa4855c5e918e6812cd3

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-06-02T02:50:00Z UTC

Last seen:

2026-06-03T04:57:00Z UTC

Hits:

~1000

Detections:

PDM:Trojan.Win32.Badex.c HEUR:Trojan-PSW.MSIL.Agensla.gen

Link:

https://opentip.kaspersky.com/5bfd0fcebd3e1ec9dcd472c4597165c6787c56ecc77eaa4855c5e918e6812cd3/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/63b0a797-a3e6-410c-b5f6-9582665142a7

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1921457

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Contains functionality to bypass UAC (CMSTPLUA)

Contains functionality to inject threads in other processes

Contains functionality to steal Internet Explorer form passwords

Found malware configuration

Found stalling execution ending in API Sleep call

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes / dynamic malware analysis system (Installed program check)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file registry)

Unusual module load detection (module proxying)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Score:

96%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5bfd0fcebd3e1ec9dcd472c4597165c6787c56ecc77eaa4855c5e918e6812cd3

Gathering data

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/5bfd0fcebd3e1ec9dcd472c4597165c6787c56ecc77eaa4855c5e918e6812cd3/

Verdict:

Malicious

Threat:

Family.REMCOS

Link:

https://tip.neiki.dev/file/5bfd0fcebd3e1ec9dcd472c4597165c6787c56ecc77eaa4855c5e918e6812cd3

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2026-06-02 05:58:07 UTC

AV detection:

8 of 38 (21.05%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lp6q7tv5hypmtxguolcfs4lfyz4hyvxmy57kuscvyxurrzubftjq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

9ba709e3e9389501c7a2dbf36e1d199bb8d878bb232a6bf49abf10d74854748d

RemcosRAT

de696b3d12523ee0ef381888ff9e0cd770aef149043a9e44c3ada239b23c7bf9

RemcosRAT

e252cd399ca7d1102917946ea9cbd9cf4e9d03bf0180d26a43946cafc4b7acb4

RemcosRAT

error

RemcosRAT

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/260602-g6vdnagv5p/

Behaviour

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

5bfd0fcebd3e1ec9dcd472c4597165c6787c56ecc77eaa4855c5e918e6812cd3

MD5 hash:

0b2a85730c59b021254c94fdf09d86d1

SHA1 hash:

2edcedd374d4bb4da12037261d97be688d182b7f

Link:

https://www.unpac.me/results/efb038a1-6d4f-428e-81ff-feb21943f1cc/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.94

Link:

https://yomi.yoroi.company/submissions/5bfd0fcebd3e1ec9dcd472c4597165c6787c56ecc77eaa4855c5e918e6812cd3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

exe 5bfd0fcebd3e1ec9dcd472c4597165c6787c56ecc77eaa4855c5e918e6812cd3

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/68749/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample