MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 640568c2888a3c8e5736b78a02b6a09b81d7eea3f8a0bdfcb48492fc8c84a90d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 640568c2888a3c8e5736b78a02b6a09b81d7eea3f8a0bdfcb48492fc8c84a90d
SHA3-384 hash: c857302b1c3c92f37bd12b3d9efb528ab0051a227eb6d613131c6b8aba623a4ce11dcf322a67dedd42cd3698626b8892
SHA1 hash: 3520b10b1acefe5fb4bce78f5b53823962a00f31
MD5 hash: 1a822f2251c8aef92d1d80ee30d5301b
humanhash: lithium-stairway-alanine-west
File name:Salary List_pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:625'928 bytes
First seen:2025-09-24 16:20:14 UTC
Last seen:2025-10-09 14:29:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7eae418c7423834ffc3d79b4300bd6fb (54 x GuLoader, 17 x RemcosRAT, 16 x AgentTesla)
ssdeep 12288:9g9uAIuJTtyDVr+PBZzODR08ZG0l3rFt4ok8HJi2KMD/9fX:9g9uhDV4q9LZrF1rtKMD/9fX
Threatray 1'437 similar samples on MalwareBazaar
TLSH T19FD423725322DB43DA61AE354A75E2AB8FFAC53052302D534FB0AEBB70515E24E1C35E
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags:exe RemcosRAT signed

Code Signing Certificate

Organisation:Asia
Issuer:Asia
Algorithm:sha256WithRSAEncryption
Valid from:2025-08-31T00:24:23Z
Valid to:2026-08-31T00:24:23Z
Serial number: 5b99e25b57858b9be88a704eb6c7ad9a25be1b89
Thumbprint Algorithm:SHA256
Thumbprint: a4e03006f871e31824f71a54fd1793f80b91993e5fdd06a3db8effe7e8a23bc4
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
100
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
SalaryList_pdf.exe
Verdict:
Malicious activity
Analysis date:
2025-09-24 16:31:33 UTC
Tags:
remcos rat auto-reg
Link:
https://app.any.run/tasks/b7d41fed-5d09-40ce-9535-2eb57b227ad6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/28842/
Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68d546e11e4783989051de7d
Tags:
underscore nsis
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Searching for the window
Delayed reading of the file
Sending a custom TCP request
Creating a window
Creating a file
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context installer masquerade microsoft_visual_cc obfuscated overlay signed
Link:
https://www.filescan.io/uploads/68d41d102b7951718db89070/reports/e6b5472c-a851-4611-8bff-e92fc718217a/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/640568c2888a3c8e5736b78a02b6a09b81d7eea3f8a0bdfcb48492fc8c84a90d
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-21T21:02:00Z UTC
Last seen:
2025-09-21T21:02:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/640568c2888a3c8e5736b78a02b6a09b81d7eea3f8a0bdfcb48492fc8c84a90d/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/4af9884c-1d07-41f4-b24d-ada5d5e3a0e5
Result
Threat name:
Remcos, GuLoader
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1783422
Signature
AI detected suspicious PE digital signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Detected Remcos RAT
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1783422 Sample: Salary List_pdf.exe Startdate: 24/09/2025 Architecture: WINDOWS Score: 100 70 geoplugin.net 2->70 72 drive.usercontent.google.com 2->72 74 drive.google.com 2->74 92 Suricata IDS alerts for network traffic 2->92 94 Found malware configuration 2->94 96 Antivirus detection for dropped file 2->96 98 13 other signatures 2->98 10 Salary List_pdf.exe 2 46 2->10         started        13 remcos.exe 19 2->13         started        15 remcos.exe 19 2->15         started        17 remcos.exe 19 2->17         started        signatures3 process4 file5 48 C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32 10->48 dropped 50 C:\Users\user\AppData\Local\...\System.dll, PE32 10->50 dropped 19 Salary List_pdf.exe 2 10 10->19         started        52 C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32 13->52 dropped 54 C:\Users\user\AppData\Local\...\System.dll, PE32 13->54 dropped 56 C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32 15->56 dropped 58 C:\Users\user\AppData\Local\...\System.dll, PE32 15->58 dropped 60 C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32 17->60 dropped 62 C:\Users\user\AppData\Local\...\System.dll, PE32 17->62 dropped process6 dnsIp7 76 drive.usercontent.google.com 142.250.73.129, 443, 49695, 49697 GOOGLEUS United States 19->76 78 drive.google.com 142.250.73.142, 443, 49694, 49696 GOOGLEUS United States 19->78 40 C:\ProgramData\Remcos\remcos.exe, PE32 19->40 dropped 42 C:\ProgramData\...\remcos.exe:Zone.Identifier, ASCII 19->42 dropped 100 Detected Remcos RAT 19->100 102 Creates autostart registry keys with suspicious names 19->102 24 remcos.exe 28 19->24         started        file8 signatures9 process10 file11 44 C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32 24->44 dropped 46 C:\Users\user\AppData\Local\...\System.dll, PE32 24->46 dropped 104 Antivirus detection for dropped file 24->104 106 Multi AV Scanner detection for dropped file 24->106 108 Found hidden mapped module (file has been removed from disk) 24->108 110 2 other signatures 24->110 28 remcos.exe 24->28         started        signatures12 process13 dnsIp14 80 196.251.83.83, 2404, 49698, 49700 SONIC-WirelessZA Seychelles 28->80 82 geoplugin.net 178.237.33.50, 49699, 80 ATOM86-ASATOM86NL Netherlands 28->82 64 C:\Users\user\AppData\Local\Temp\THE2A5.tmp, MS-DOS 28->64 dropped 66 C:\Users\user\AppData\Local\Temp\THE294.tmp, MS-DOS 28->66 dropped 68 C:\Users\user\AppData\Local\Temp\THE274.tmp, PE32 28->68 dropped 112 Detected Remcos RAT 28->112 114 Writes to foreign memory regions 28->114 116 Maps a DLL or memory area into another process 28->116 33 RmClient.exe 28->33         started        36 RmClient.exe 28->36         started        38 RmClient.exe 28->38         started        file15 signatures16 process17 signatures18 84 Tries to steal Mail credentials (via file registry) 33->84 86 Tries to harvest and steal browser information (history, passwords, etc) 33->86 88 Tries to steal Instant Messenger accounts or passwords 36->88 90 Tries to steal Mail credentials (via file / registry access) 36->90
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/640568c2888a3c8e5736b78a02b6a09b81d7eea3f8a0bdfcb48492fc8c84a90d
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/1a822f2251c8aef92d1d80ee30d5301b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/640568c2888a3c8e5736b78a02b6a09b81d7eea3f8a0bdfcb48492fc8c84a90d/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/640568c2888a3c8e5736b78a02b6a09b81d7eea3f8a0bdfcb48492fc8c84a90d
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2025-09-22 00:00:22 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mqcwrquiri6i4vzww6fafnvatoa5p3vd7cql37fuqsjpzdeevegq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
2be5b104a63deb6addd9d49ffea10cfbefc8c214c2578f4554b6272ca3856899
RemcosRAT
3a11ba9d0fe917eca75c6038281c7bd55dea9ce1e0dc1b478d55e2592e6f846f
RemcosRAT
55d8dc6d475a919fe7ec17bd2575cf0f0a1eec913dba89f9556b69621eec0eb6
RemcosRAT
5dfcdc1c491fbf2f7f2fbac6bbf27b84be652583b66b252c46e8ed86577c3c60
RemcosRAT
67fd31f9b85ca5e31e0851c8a5f8f2f36343d884aa3dd7f26d4aa6c5d02b28fe
RemcosRAT
c90b846cc5845b9f5ad7dd14d88d42e1d7b6093094b672ec679ef232ea694698
RemcosRAT
dd6d8363c2761f77948a54be192dbbe563d2da9dd8f922102547631ccbd05ebb
RemcosRAT
error
RemcosRAT
+ 1'427 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos collection discovery persistence rat
Link:
https://tria.ge/reports/250924-txlrdaar9z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Remcos
Remcos family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8c38b350-02bf-4c8d-bebf-6f5fe02037aa
Unpacked files
SH256 hash:
640568c2888a3c8e5736b78a02b6a09b81d7eea3f8a0bdfcb48492fc8c84a90d
MD5 hash:
1a822f2251c8aef92d1d80ee30d5301b
SHA1 hash:
3520b10b1acefe5fb4bce78f5b53823962a00f31
Link:
https://www.unpac.me/results/45c240f3-61d2-4de9-93d2-3b50c16fa1f4/
SH256 hash:
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
MD5 hash:
8cf2ac271d7679b1d68eefc1ae0c5618
SHA1 hash:
7cc1caaa747ee16dc894a600a4256f64fa65a9b8
Link:
https://www.unpac.me/results/45c240f3-61d2-4de9-93d2-3b50c16fa1f4/
SH256 hash:
c5ba017732597a82f695b084d1aa7fe3b356168cc66105b9392a9c5b06be5188
MD5 hash:
ec9640b70e07141febbe2cd4cc42510f
SHA1 hash:
64a5e4b90e5fe62aa40e7ac9e16342ed066f0306
Link:
https://www.unpac.me/results/45c240f3-61d2-4de9-93d2-3b50c16fa1f4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/640568c2888a3c8e5736b78a02b6a09b81d7eea3f8a0bdfcb48492fc8c84a90d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/28842/

Comments