MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60682c9e70f15ee5e31dc5c054417386098c475be469994ea54b5c56847d4aaf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 21


Intelligence 21 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 60682c9e70f15ee5e31dc5c054417386098c475be469994ea54b5c56847d4aaf
SHA3-384 hash: 753fab3a38e8eb108d3cd16da1a8688418f3e9de0191b496737ee010206d2d5577d3f3b6fdc49dc95919fae2d88536f4
SHA1 hash: 1107790137d196e095dbf26e00236d2aafc2625b
MD5 hash: b770eebc8414ca8cd86baec766890dd3
humanhash: magnesium-bulldog-seventeen-wisconsin
File name:NEW ORDER No 94300521.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'083'400 bytes
First seen:2025-07-28 06:10:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 24576:gnhzxbBsvnqElwXT6oy/z9T9qm4sLPG93vvJWUmc5xd:Elsv1lweMm1i3Zlnt
Threatray 1'216 similar samples on MalwareBazaar
TLSH T17435DF3036AE9923D9A496F04160E03537B72EDF2429E9DA4ED67CDB3CE0BC11B94917
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 00e425252425e400 (12 x SnakeKeylogger, 9 x Formbook, 2 x DCRat)
Reporter threatcat_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
59
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
NEW ORDER No 94300521.exe
Verdict:
Malicious activity
Analysis date:
2025-07-28 06:12:08 UTC
Tags:
remcos rat auto-reg auto-sch-xml netreactor
Link:
https://app.any.run/tasks/f05299b3-bff1-4da1-bfb7-9cdc3e868856

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/17270/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68871461af3050dc8d31cfa9
Tags:
spawn shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Restart of the analyzed sample
Creating a file
Creating a process from a recently created file
Connecting to a non-recommended domain
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 bitmap evasive expired-cert exploit invalid-signature lolbin masquerade msbuild obfuscated packed packed packed phishing rat rat reconnaissance regsvcs remcos remcos rezer0 roboski schtasks signed stego vbc vbnet windows
Link:
https://www.filescan.io/uploads/6887145c17928df649433d68/reports/5ac09350-ea3e-4514-b664-304b777e253b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/60682c9e70f15ee5e31dc5c054417386098c475be469994ea54b5c56847d4aaf
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9ff31593-ffcb-48ca-9933-fc89dd1f96bd
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1745355
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates autostart registry keys with suspicious names
Detected Remcos RAT
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1745355 Sample: NEW ORDER No 94300521.exe Startdate: 28/07/2025 Architecture: WINDOWS Score: 100 91 geoplugin.net 2->91 97 Suricata IDS alerts for network traffic 2->97 99 Found malware configuration 2->99 101 Malicious sample detected (through community Yara rule) 2->101 103 22 other signatures 2->103 10 NEW ORDER No 94300521.exe 7 2->10         started        14 remcos.exe 2->14         started        16 remcos.exe 2->16         started        18 2 other processes 2->18 signatures3 process4 file5 85 C:\Users\user\AppData\...\OpDgsfiWHonfbx.exe, PE32 10->85 dropped 87 C:\Users\user\AppData\Local\...\tmp8FE6.tmp, XML 10->87 dropped 89 C:\Users\...89EW ORDER No 94300521.exe.log, ASCII 10->89 dropped 125 Adds a directory exclusion to Windows Defender 10->125 127 Injects a PE file into a foreign processes 10->127 20 NEW ORDER No 94300521.exe 2 4 10->20         started        24 powershell.exe 23 10->24         started        26 schtasks.exe 1 10->26         started        28 remcos.exe 14->28         started        30 schtasks.exe 14->30         started        32 remcos.exe 16->32         started        34 schtasks.exe 16->34         started        129 Multi AV Scanner detection for dropped file 18->129 36 remcos.exe 18->36         started        38 schtasks.exe 18->38         started        signatures6 process7 file8 75 C:\ProgramData\Remcos\remcos.exe, PE32 20->75 dropped 77 C:\ProgramData\...\remcos.exe:Zone.Identifier, ASCII 20->77 dropped 105 Detected Remcos RAT 20->105 107 Creates autostart registry keys with suspicious names 20->107 40 remcos.exe 5 20->40         started        109 Loading BitLocker PowerShell Module 24->109 43 conhost.exe 24->43         started        45 conhost.exe 26->45         started        47 conhost.exe 30->47         started        49 conhost.exe 34->49         started        51 conhost.exe 38->51         started        signatures9 process10 signatures11 117 Multi AV Scanner detection for dropped file 40->117 119 Found hidden mapped module (file has been removed from disk) 40->119 121 Adds a directory exclusion to Windows Defender 40->121 123 Injects a PE file into a foreign processes 40->123 53 remcos.exe 40->53         started        58 powershell.exe 40->58         started        60 schtasks.exe 40->60         started        process12 dnsIp13 93 172.94.96.90, 49722, 49724, 5999 AS45671-NET-AUWholesaleServicesProviderAU United States 53->93 95 geoplugin.net 178.237.33.50, 49725, 80 ATOM86-ASATOM86NL Netherlands 53->95 79 C:\Users\user\AppData\Local\Temp\TH1E80.tmp, MS-DOS 53->79 dropped 81 C:\Users\user\AppData\Local\Temp\TH1E21.tmp, MS-DOS 53->81 dropped 83 C:\Users\user\AppData\Local\Temp\TH1C6B.tmp, PE32 53->83 dropped 111 Detected Remcos RAT 53->111 113 Maps a DLL or memory area into another process 53->113 62 RmClient.exe 53->62         started        65 RmClient.exe 53->65         started        67 RmClient.exe 53->67         started        73 2 other processes 53->73 115 Loading BitLocker PowerShell Module 58->115 69 conhost.exe 58->69         started        71 conhost.exe 60->71         started        file14 signatures15 process16 signatures17 131 Tries to steal Instant Messenger accounts or passwords 62->131 133 Tries to steal Mail credentials (via file / registry access) 62->133 135 Tries to harvest and steal browser information (history, passwords, etc) 65->135 137 Tries to steal Mail credentials (via file registry) 67->137
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/60682c9e70f15ee5e31dc5c054417386098c475be469994ea54b5c56847d4aaf
Verdict:
inconclusive
YARA:
6 match(es)
Tags:
.Net Executable PDB Path PE (Portable Executable) SOS: 0.16 Win 32 Exe x86
Link:
https://app.malva.re/file/b770eebc8414ca8cd86baec766890dd3
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/60682c9e70f15ee5e31dc5c054417386098c475be469994ea54b5c56847d4aaf/
Verdict:
Malicious
Threat:
VHO:Trojan-Spy.MSIL.Noon
Link:
https://tip.neiki.dev/file/60682c9e70f15ee5e31dc5c054417386098c475be469994ea54b5c56847d4aaf
Threat name:
ByteCode-MSIL.Infostealer.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-07-28 05:49:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mbuczhtq6fpolyy5yxafiqltqyeyyr234ruzstvfjnofnbd5jkxq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
15b92edcf23a5909fe0e197a24cf219a28478c5d4c4c129fbcf776b02ac4dfe0
RemcosRAT
36f0e0b31d5b901268c65a2d5dd8b48a0e9c9b00a329c10be9a7be625fe5d84d
RemcosRAT
5f811f675d487ef9d0cd10ba5f095edadcb38eeeedaa5ec897b3994b954d3212
RemcosRAT
60682c9e70f15ee5e31dc5c054417386098c475be469994ea54b5c56847d4aaf
RemcosRAT
6cc2fb149479570c8f47434b33dba731da0b08b48a609011965c878e34c57a5b
RemcosRAT
89b5724cc6f47227d806e6383d1da6534f28e1d3be5a914c89d3fe2689c6a1f8
RemcosRAT
99816cd2de501f26cb3227491cf3bf407fba47ed12f8b925a993d7c822b031ae
RemcosRAT
error
RemcosRAT
+ 1'206 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos collection discovery execution persistence rat
Link:
https://tria.ge/reports/250728-gxa9eswmt4/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Remcos
Remcos family
Malware Config
C2 Extraction:
172.94.96.90:5999
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f246f615-c557-47e7-a055-362d14efa80f
Unpacked files
SH256 hash:
60682c9e70f15ee5e31dc5c054417386098c475be469994ea54b5c56847d4aaf
MD5 hash:
b770eebc8414ca8cd86baec766890dd3
SHA1 hash:
1107790137d196e095dbf26e00236d2aafc2625b
Link:
https://www.unpac.me/results/84674fd0-b2bf-4517-adbc-88261b68d03e/
SH256 hash:
416e08f1041cab9cb51a436fa45160f70ab73e5e24adeaa743faffc1f30e23c2
MD5 hash:
df7d2354e3c992cda79997bf15b8cf73
SHA1 hash:
5726f7ea619b9279aa17fffc8b7a25c244e45b70
Detections:
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
Remcos
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Link:
https://www.unpac.me/results/84674fd0-b2bf-4517-adbc-88261b68d03e/
Parent samples :
60682c9e70f15ee5e31dc5c054417386098c475be469994ea54b5c56847d4aaf
6400bf9fe56615568b8bd3ec6967fb72393b9df9a6bba89860ca95d8102afbf8
c7e099c60f551279ad41d2f35a001e14082346f15e312560771dac7302964da9
179fe62017bb17cf9b0ecaf118ec8a3bb14b351b448e6df3c029f29bf4385103
6fd471d3b5a60eb2827287c5b805a12d8e4147c5c2ce85585b3e2748a10e6226
f75c114f83d3d078bd85e7e59cd8a4ed6e8be4a33db6600bd9eda842845ac2fe
e8278d3b9ff9e63c82acee904b0b49ae7b730430df757cc4739416fbe1f6a9af
b32da4c31255e2f5dcf961e35e1757aca22f0c39cf80b3fac1d2a8aa734ae167
SH256 hash:
ae1fde70461732cb60cba56eb52f8d994a141885c6e0b42cd4f8aa12ffbd575d
MD5 hash:
fafe704da4a186372f43d985051cb179
SHA1 hash:
e03fef11d0d38d856bbc278c343c5a7276c96847
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/84674fd0-b2bf-4517-adbc-88261b68d03e/
Parent samples :
44ae98fe4b0b4bd2000ed7ec88e9b7458e04c1abbe64102142c1686ac4ac494b
60682c9e70f15ee5e31dc5c054417386098c475be469994ea54b5c56847d4aaf
c3781a6a49bcffd2b8368caf5de812e0c87a13409b9365cb007f974e0534f5fc
bedc22afe7af1a669be2b39bde9200bef6e90d97e41a172cc326813cf1fc7f25
1bfbdb647f4ddac6b2bd3bf51f2dd64b5cd7c46a3ae6c0fabfaa348852337b14
de22cc3be940674331be243141c5b3e99c375bef12b433c93c17785710647a51
1a9fc74a62360452410deb7b3949e3e1b85a31e2bab04799c3a915cc44762495
955e5034dd0af183bc13ab91e360af48c8872f014c8866c395efaf5726da582a
cd6ead626c8b5df6f95887fba78fd19cd506716eff119c050f8083bb8b7efe87
b3a0bb7276b0ecf1e99aa164ebafa0b9aaa7aa3c4db93f83b255e91f7d273dd9
5edd2f77052549775838fba8e2ae75d7a3e31a5d33861aab3df909d17ab3d45f
2a457ceff9290140853127bd459791a5a17603c116a513da8a499aae112346d5
6d794b8750f424796094f629c8cd1413d7f57b4c15c3d6d32e4865dffe2a7d37
29eeed93c836f8c75b109eae3ed94bd49fc2a7ea73928eb54bc3b296b6839f4f
1df3a2d85ac9bdbfbfae21c062956d5500ae4270bddf5233e72db71527a21585
54f0ad3a45963863d0fac39e1b6028ed64d2a05910dfa68e6a7f2a2dfed0bb72
e6a6e94af36a3ea70e21983ed3fc74131dbc63e26f0ea666346088815da0b14b
502c63a3d257cf149fee7c436b9824c8e347f6a6e0c8a5cda3d73f248d72843e
e8f21c243240c7e4a2c610d72900d48ada2beb65bd4e773a1b595c92213c4275
e5878bccd94a741e99440f14dd526680c2338e9fae4fa56d2a833b9a6d415e56
7702bb9529ed01be7712e195a6a55727e737db57426598d5bd67afe678ce5471
f162e1f50c40cb2fb7be4c5d6f086b11ceffed8e8929497723facad1005ad9b9
744f85439548730d894e2a64557333b4cdbdb6bc3f53c6b3518578ecf8e77406
1ed599fb38456bf745d482dbf044f9ecebca2ee2cc3c10fd66a09af3e5f934a4
caa56d33ca9d08ee531040d6e591b20a8f7bc671a02622ad6fa5f609af5f5a32
dab09542d6d7e13c72380e07671b13d36ae1387a072627e31d874786d05984a1
2c07c563674007a6019abf91469fc308482465c562cf3e19d46db259188a3901
5e46156c4e7a6e522230ebc9fe0d49beae8735286fc528cc70eba453200d88c6
4691b43609f2c69677c8f31d090c9be823f36f28805294b8d5a2f7536eb397c4
SH256 hash:
5659824efc4db5639133fe3d7967191e2dcdfdf79c1a8bf03e5a1981499dd1ce
MD5 hash:
75799c1d9e84afa76992ead559be3682
SHA1 hash:
e0fa08c8ebb980141b8ed1bf0671775d3ca7c205
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/84674fd0-b2bf-4517-adbc-88261b68d03e/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/60682c9e70f1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/60682c9e70f15ee5e31dc5c054417386098c475be469994ea54b5c56847d4aaf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 60682c9e70f15ee5e31dc5c054417386098c475be469994ea54b5c56847d4aaf

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/17270/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments