MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66652407eb97ccfbecac8f5d27296bdff89acd7c0d5350a7610ad41863fc8a4d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	66652407eb97ccfbecac8f5d27296bdff89acd7c0d5350a7610ad41863fc8a4d
SHA3-384 hash:	c39fe2710bd1fae852b99429d2db11ca9fa40f462f7c6b1797608efb404d1f0a74a7ab9396110c621de9c294e85fb5b1
SHA1 hash:	85b87246499464866ceeab7d20b014c6e5691f56
MD5 hash:	4731b241ab6fb79ddee956397d3088dc
humanhash:	johnny-cola-lion-zulu
File name:	66652407eb97ccfbecac8f5d27296bdff89acd7c0d5350a7610ad41863fc8a4d
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	531'377 bytes
First seen:	2025-09-05 12:30:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b34f154ec913d2d2c435cbd644e91687 (525 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep	12288:G9GrgNuRY6rkfz4+TaCBsUztMKMcd2Bsxepi:G9Grg/69+Brzkcd2B0
TLSH	T1EEB423386B30C56BE96C05310579A6EB1DF7E9285DD0654F0702BE9F783BA81EE05B8C
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	adrian__luca
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

66652407eb97ccfbecac8f5d27296bdff89acd7c0d5350a7610ad41863fc8a4d

Verdict:

Malicious activity

Analysis date:

2025-09-05 14:34:52 UTC

Tags:

remcos rat auto-reg remote

Link:

https://app.any.run/tasks/d6d49ffa-e8bb-4a9a-93a2-a6e3cb6a3c45

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/25317/

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68bad8163e988eb6ab83c26a

Tags:

injection obfusc

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Searching for the window

Creating a file

Creating a file in the %temp% directory

Delayed reading of the file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

installer microsoft_visual_cc obfuscated overlay packed packer_detected

Link:

https://www.filescan.io/uploads/68badc2aa64010de766e2a9e/reports/ea6e88ea-671b-4957-91bc-891ad256a295/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/66652407eb97ccfbecac8f5d27296bdff89acd7c0d5350a7610ad41863fc8a4d

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-08-13T09:56:00Z UTC

Last seen:

2025-08-13T09:56:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/66652407eb97ccfbecac8f5d27296bdff89acd7c0d5350a7610ad41863fc8a4d/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/120c6a49-2c20-4663-b7f4-2b7bd891e0e1

Score:

91%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/66652407eb97ccfbecac8f5d27296bdff89acd7c0d5350a7610ad41863fc8a4d

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/4731b241ab6fb79ddee956397d3088dc

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/66652407eb97ccfbecac8f5d27296bdff89acd7c0d5350a7610ad41863fc8a4d/

Threat name:

Win32.Trojan.Guloader

Status:

Malicious

First seen:

2025-08-14 01:43:23 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 36 (63.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mzssib7ls7gpx3fmr5osokll374jvtl4bvjvbj3bblkbqy74rjgq._file

Result

Malware family:

remcos

Score:

10/10

Tags:

family:guloader family:remcos discovery downloader persistence rat

Link:

https://tria.ge/reports/250905-p1n9fswqv5/

Behaviour

Modifies registry class

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds policy Run key to start application

Guloader family

Guloader,Cloudeye

Remcos

Remcos family

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/ff88d6e7-39f6-49f2-8d74-a9c97d08e1e5

Unpacked files

SH256 hash:

66652407eb97ccfbecac8f5d27296bdff89acd7c0d5350a7610ad41863fc8a4d

MD5 hash:

4731b241ab6fb79ddee956397d3088dc

SHA1 hash:

85b87246499464866ceeab7d20b014c6e5691f56

Link:

https://www.unpac.me/results/14f22576-5127-4d5a-ba95-86f0cf13d681/

SH256 hash:

a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

MD5 hash:

75ed96254fbf894e42058062b4b4f0d1

SHA1 hash:

996503f1383b49021eb3427bc28d13b5bbd11977

Link:

https://www.unpac.me/results/14f22576-5127-4d5a-ba95-86f0cf13d681/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.79

Link:

https://yomi.yoroi.company/submissions/66652407eb97ccfbecac8f5d27296bdff89acd7c0d5350a7610ad41863fc8a4d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	Detect_NSIS_Nullsoft_Installer Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects NSIS installers by .ndata section + NSIS header string

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/25317/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample