MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a60df67162c247c7b02056c1c72acc6556d3c01ee01681157a57fc291d0068b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 18

Intelligence 18 IOCs YARA 4 File information Comments

SHA256 hash:	6a60df67162c247c7b02056c1c72acc6556d3c01ee01681157a57fc291d0068b
SHA3-384 hash:	457cbeb984a1fb95adff2eba63ca817814fe58e9799c93053ff40d1c0d8c6034735f0afc53b38a9747aaf3dd229614a0
SHA1 hash:	016f90ce8cd101eed8b5b6d743b0be7bddad0852
MD5 hash:	a129cf94f07d44fc546ee1917e740e3b
humanhash:	spaghetti-berlin-moon-march
File name:	Payment Notice.pdf.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'536'000 bytes
First seen:	2025-12-03 14:00:52 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	eb41e5567017c33839f07ebe2eb84cb4 (6 x DBatLoader, 3 x RemcosRAT, 3 x a310Logger)
ssdeep	24576:bbCbz7++IfUFixpw0QB7FqyJgry8OeqXmytZd5xeQqfeWpSHiRTqH:bbiFjbPqyJg+fmQZdveQZWpSGOH
TLSH	T16D65F066A1F08436D127CAB48C16D38A642DBEB43E75A8163BDC3F6C9F356752C26073
TrID	35.4% (.EXE) Win64 Executable (generic) (10522/11/4) 22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.1% (.EXE) Win32 Executable (generic) (4504/4/1) 6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23) 6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	abuse_ch
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

107

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

remcos

ID:

File name:

Payment Notice.pdf.exe

Verdict:

Malicious activity

Analysis date:

2025-12-03 14:03:46 UTC

Tags:

rat remcos delphi remote

Link:

https://app.any.run/tasks/64a901a5-b93f-4b9c-a803-19b76b3afdb3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/42291/

Detection(s):

SecuriteInfo.com.TR.Drop.Age.1624064.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=693042b716e6db515e4647ba

Tags:

underscore delphi emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Creating a file

Creating a process from a recently created file

Connecting to a non-recommended domain

Connection attempt

Sending a custom TCP request

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context anti-debug borland_delphi captcha fingerprint installer-heuristic keylogger masquerade modiloader packed remcos zusy

Link:

https://www.filescan.io/uploads/693042b3dde6472541deaee0/reports/36923ebb-dfc0-4766-89e8-5b1b860be819/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/6a60df67162c247c7b02056c1c72acc6556d3c01ee01681157a57fc291d0068b

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-11-26T01:52:00Z UTC

Last seen:

2025-12-04T03:36:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/6a60df67162c247c7b02056c1c72acc6556d3c01ee01681157a57fc291d0068b/results?tab=lookup

Malware family:

ModiLoader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/19aab477-63e8-4074-9200-703fe25bf4e1

Result

Threat name:

Remcos, DBatLoader

Detection:

malicious

Classification:

rans.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1825448

Signature

Allocates many large memory junks

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to bypass UAC (CMSTPLUA)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to register a low level keyboard hook

Contains functionalty to change the wallpaper

Detected Remcos RAT

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Drops PE files to the user root directory

Found malware configuration

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample uses process hollowing technique

Sigma detected: Execution from Suspicious Folder

Sigma detected: Remcos

Sigma detected: Suspicious Double Extension File Execution

Sigma detected: Suspicious Program Location with Network Connections

Suricata IDS alerts for network traffic

Unusual module load detection (module proxying)

Uses an obfuscated file name to hide its real file extension (double extension)

Writes to foreign memory regions

Yara detected DBatLoader

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/6a60df67162c247c7b02056c1c72acc6556d3c01ee01681157a57fc291d0068b

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6a60df67162c247c7b02056c1c72acc6556d3c01ee01681157a57fc291d0068b/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2025-11-26 11:51:49 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 36 (77.78%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=njqn6zywfqshy6ycavwby4vmyzkw2pab5yawqekxuv74feoqa2fq._file

Verdict:

malicious

Label(s):

remcos

dbatloader

Similar samples:

error

RemcosRAT

Result

Malware family:

remcos

Score:

10/10

Tags:

family:modiloader family:remcos botnet:remotehost discovery rat trojan

Link:

https://tria.ge/reports/251203-rbqgbs1phr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Executes dropped EXE

ModiLoader Second Stage

ModiLoader, DBatLoader

Modiloader family

Remcos

Remcos family

Malware Config

C2 Extraction:

91.92.242.170:9337

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/499afe1a-caca-433a-ba84-c3ccd987f023

Unpacked files

SH256 hash:

6a60df67162c247c7b02056c1c72acc6556d3c01ee01681157a57fc291d0068b

MD5 hash:

a129cf94f07d44fc546ee1917e740e3b

SHA1 hash:

016f90ce8cd101eed8b5b6d743b0be7bddad0852

Link:

https://www.unpac.me/results/9c8ec987-cc20-466a-9c93-27cce3e5cfb5/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6a60df67162c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6a60df67162c247c7b02056c1c72acc6556d3c01ee01681157a57fc291d0068b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/42291/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample