MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ac7d044c280196e619571271b51b3a37280a347405f6362ad239cb62eabf4c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 16



SHA256 hash: 6ac7d044c280196e619571271b51b3a37280a347405f6362ad239cb62eabf4c0
SHA3-384 hash: 87e8009980fdae0105bef752130b1c351b37fd220fd6807b48d0ed8ffb7ce466e81ebedbbc65e1dfeb87f7ece6bd2661
SHA1 hash: 218a371006ae1b6e741e00f390d9fb61e35938b2
MD5 hash: 4ac5cd3be403bfe8e6c0af71425e9cb3
humanhash: aspen-wisconsin-arizona-beryllium
File name: 4AC5CD3BE403BFE8E6C0AF71425E9CB3.exe
Download: download sample
Signature: RemcosRAT
File size: 31'817'216 bytes
First seen: 2026-02-12 04:55:07 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'852 x AgentTesla, 19'779 x Formbook, 12'303 x SnakeKeylogger)
Note: this imphash is shared with tens of thousands of samples from unrelated .NET families because nearly every managed PE imports only _CorExeMain from mscoree.dll, so the import table, and therefore the imphash, is the same across .NET executables. It is not a useful pivot for this sample; the family attribution rests on the YARA, Sigma and sandbox results below.
ssdeep: 786432:+xrNziUG4eBUtrRPI/e/rIMcYAjGATjU7SScrUwaKCXD4q:+h2+rRP+eztcJGWjUSB4
Threatray: 5 similar samples on MalwareBazaar
TLSH: T1336733202152F539F9813970AB07B2965B4A4C5BBBB1D44EA47CB716F2B08776632CF3
TrID: 75.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.9% (.EXE) Win64 Executable (generic) (10522/11/4)
      4.6% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.1% (.ICL) Windows Icons Library (generic) (2059/9)
      2.1% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: abuse_ch
Tags: exe RAT RemcosRAT


abuse_ch
RemcosRAT C2:
64.89.163.7:2404

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                 ThreatFox Reference
64.89.163.7:2404    https://threatfox.abuse.ch/ioc/1742825/

Intelligence


File Origin
# of uploads: 1
# of downloads: 171
Origin country: NL
Vendor Threat Intelligence
Malware configuration found for: EvilCoder, PyInstaller, XWorm
Details:
EvilCoder: extracted components, their filepaths, and possibly registry installation
PyInstaller: a compiled assembly and a Python version
XWorm: a version, a filepath, a mutex, a c2 socket address or a dead-drop resolver URL, and possibly cryptocurrency wallets and a Telegram URL
Malware family:
n/a
ID:
1
File name:
_6ac7d044c280196e619571271b51b3a37280a347405f6362ad239cb62eabf4c0.exe
Verdict:
Malicious activity
Analysis date:
2026-02-12 04:57:23 UTC
Tags:
auto-reg discord python auto-startup xworm ims-api generic

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Tags:
asyncrat autorun emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a process with a hidden window
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
DNS request
Running batch commands
Delayed reading of the file
Creating a file in the %AppData% directory
Connection attempt
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Launching cmd.exe command interpreter
Enabling the 'hidden' option for recently created files
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Blocking the User Account Control
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Enabling autorun
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-02-07T18:39:00Z UTC
Last seen:
2026-02-12T12:41:00Z UTC
Hits:
~10
Detections:
PDM:Trojan.Win32.Generic
Backdoor.Agent.TCP.C&C
Trojan.Win32.Agent.sb
HEUR:Trojan-Dropper.MSIL.Agent.gen
HEUR:Backdoor.MSIL.XWorm.gen
HEUR:Backdoor.MSIL.XClient.b
Result
Threat name:
Remcos, XWorm
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
AI detected malicious Powershell script
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Delayed program exit found
Detected Remcos RAT
Disables UAC (registry)
Drops PE files with benign system names
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Remcos
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Sigma detected: Windows Binaries Write Suspicious Extensions
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Uses cmd line tools excessively to alter registry or file data
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Yara detected Remcos RAT
Yara detected XWorm
Behaviour
Behavior Graph:
Behavior Graph ID: 1868079; Sample: 0FNwde2oBz.exe; Startdate: 12/02/2026; Architecture: WINDOWS; Score: 100

Top-level DNS resolutions: keyauth.win, geoplugin.net, discordapp.com
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 22 other signatures

Process tree (reconstructed from the graph's node list; node numbers in parentheses are the graph's own; dropped files, network contacts and signatures are listed under the process that produced them):

0FNwde2oBz.exe (13)
    dropped: C:\Users\user\Desktop\RC7_UI.exe (PE32); C:\Users\user\AppData\...\rc7injection.exe (PE32+); 2 other malicious files
    signatures: Creates multiple autostart registry keys; Bypasses PowerShell execution policy; Adds a directory exclusion to Windows Defender
    RuntimeBroker.exe (24)
        network: 64.89.163.7, ports 49741, 49746, 8888 (DIXIE-NETUS, United States)
        dropped: C:\Users\user\AppData\Roaming\svchost.exe (PE32); C:\Users\user\AppData\Local\Temp\cmgcme.exe (PE32); C:\Users\user\...\python311.dll (copy) (PE32+); 117 other malicious files
        signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Protects its processes via BreakOnTermination flag; Creates multiple autostart registry keys; 2 other signatures
        cmgcme.exe (45)
            dropped: C:\ProgramData\Microsoft\runtimebroker.exe (PE32); C:\Users\user\AppData\Local\...\install.vbs (data)
            signatures: Detected Remcos RAT; Creates an undocumented autostart registry key; Contains functionality to change the wallpaper; 5 other signatures
            wscript.exe (66)
                signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage); WScript reads language and country specific registry keys (likely country aware script)
                cmd.exe (77)
                    runtimebroker.exe (86)
                        signatures: Antivirus detection for dropped file; Detected Remcos RAT; Writes to foreign memory regions; Maps a DLL or memory area into another process
                        cmd.exe (91)
                            signatures: Uses cmd line tools excessively to alter registry or file data
                            conhost.exe (96)
                            reg.exe (98)
                        iexplore.exe (94)
                            signatures: Detected Remcos RAT
                    conhost.exe (89)
            cmd.exe (69)
                signatures: Uses cmd line tools excessively to alter registry or file data
                reg.exe (79)
                    signatures: Disables UAC (registry)
                conhost.exe (82)
    rc7injection.exe (29)
        dropped: C:\Users\user\AppData\...\win32trace.pyd, C:\Users\user\AppData\Local\...\win32pdh.pyd, C:\Users\user\AppData\...\win32event.pyd (PE32+); 55 other malicious files
        rc7injection.exe (49)
            network: discordapp.com 162.159.133.233, ports 443, 49740, 49743 (CLOUDFLARENETUS, United States)
            cmd.exe (71)
                conhost.exe (84)
            cmd.exe (73)
    powershell.exe (31)
        signatures: Loading BitLocker PowerShell Module
        conhost.exe (52)
        WmiPrvSE.exe (54)
    RC7_UI.exe (33)
        WerFault.exe (56)
rc7injection.exe (17)
    dropped: C:\Users\user\AppData\...\win32trace.pyd, C:\Users\user\AppData\Local\...\win32pdh.pyd, C:\Users\user\AppData\...\win32event.pyd (PE32+); 55 other malicious files
    rc7injection.exe (35)
        cmd.exe (58)
            conhost.exe (75)
rc7injection.exe (19)
    dropped: C:\Users\user\AppData\...\win32trace.pyd (PE32+); 57 other malicious files
    rc7injection.exe (37)
11 other processes (21)
    network: geoplugin.net 178.237.33.50 (ATOM86-ASATOM86NL, Netherlands)
    signatures: Detected Remcos RAT; Changes security center settings (notifications, updates, antivirus, firewall); Writes to foreign memory regions; Maps a DLL or memory area into another process
    svchost.exe (39)
        signatures: Detected Remcos RAT; Unusual module load detection (module proxying)
    cmd.exe (41)
        signatures: Uses cmd line tools excessively to alter registry or file data
        2 other processes (62)
    4 other processes (43)
        conhost.exe (60)
        3 other processes (64)
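The behaviours reported above (a Defender exclusion added through a base64-encoded MpPreference cmdlet, the PowerShell execution-policy bypass, UAC disabled through the registry by reg.exe, Run keys pointing into AppData, and system-binary names such as runtimebroker.exe and svchost.exe executing from ProgramData and AppData\Roaming) are all visible in ordinary process-creation telemetry. The Python below is an added example, not code from MalwareBazaar or from any of the sandboxes quoted on this page, that turns those reports into checks over Sysmon-style (image, command line) records. The five records are constructed to resemble what such behaviour would generate: no command line was recovered from the sample, and the exclusion path, registry value names and file paths are assumptions that borrow only the dropped-file locations the behaviour graph shows.

```python
"""Host checks for the behaviours the sandboxes reported for this sample.

Added example; not code from MalwareBazaar or any listed sandbox vendor.
Every record in SAMPLE_EVENTS is constructed, not recovered from the sample.
"""
import base64
import re

# Names the behaviour graph shows running outside the Windows directory.
SYSTEM_BINARIES = {"svchost.exe", "runtimebroker.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Folders that a Run key should not normally point into.
SUSPICIOUS_DIRS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")

# Constructed Sysmon-style (image, command line) records. The exclusion path,
# value names and target paths are illustrative assumptions.
ENCODED = base64.b64encode(
    'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming"'.encode("utf-16-le")
).decode("ascii")
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell.exe -ExecutionPolicy Bypass -NoProfile -EncodedCommand " + ENCODED),
    ("C:\\Windows\\System32\\reg.exe",
     "reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System "
     "/v EnableLUA /t REG_DWORD /d 0 /f"),
    ("C:\\Windows\\System32\\reg.exe",
     "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v svchost "
     '/t REG_SZ /d "C:\\Users\\user\\AppData\\Roaming\\svchost.exe" /f'),
    ("C:\\ProgramData\\Microsoft\\runtimebroker.exe", "runtimebroker.exe"),
    ("C:\\Windows\\System32\\svchost.exe", "svchost.exe -k netsvcs"),  # benign control
]


def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload (base64 of UTF-16LE text) or None."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(image, cmdline):
    """Return the names of the page's detections that fire for one record."""
    decoded = decode_encoded_command(cmdline) or ""
    # Match against the visible command line and the decoded payload together,
    # so a cmdlet hidden behind -EncodedCommand is still seen.
    low = (cmdline + " " + decoded).lower()
    img = image.lower()
    name = img.rsplit("\\", 1)[-1]
    hits = []
    if name.startswith("powershell") and re.search(r"-(?:ep|executionpolicy)\s+bypass", low):
        hits.append("Bypasses PowerShell execution policy")
    if decoded and re.search(r"(?:add|set)-mppreference", decoded, re.I) and "exclusion" in decoded.lower():
        hits.append("Powershell Base64 Encoded MpPreference Cmdlet")
    if name == "reg.exe" and "enablelua" in low and re.search(r"/d\s+0(?:\s|$)", low):
        hits.append("Disables UAC (registry)")
    if name == "reg.exe" and "\\currentversion\\run" in low and any(d in low for d in SUSPICIOUS_DIRS):
        hits.append("New RUN Key Pointing to Suspicious Folder")
    if name in SYSTEM_BINARIES and not img.startswith(SYSTEM_DIRS):
        hits.append("System File Execution Location Anomaly")
    return hits


def scan(events):
    """Run analyze() over many records and keep only those that fired."""
    findings = []
    for image, cmdline in events:
        hits = analyze(image, cmdline)
        if hits:
            findings.append((image, hits))
    return findings


if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(image)
        for hit in hits:
            print("   ", hit)
```

The decode step matters: the Sigma rule on this page is named for the base64-encoded form precisely because a plain substring match on the command line never sees `Add-MpPreference`. The location check is deliberately a whitelist of the two Windows binary directories rather than a blacklist of suspicious folders, so a copy of svchost.exe anywhere else fires.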
Threat name:
Win32.Trojan.Cassiopeia
Status:
Malicious
First seen:
2026-02-07 23:34:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
25 of 36 (69.44%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:remcos family:xworm botnet:scvhost defense_evasion discovery execution persistence pyinstaller rat spyware stealer trojan
Behaviour
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds policy Run key to start application
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Remcos
Remcos family
UAC bypass
Xworm
Xworm family
Malware Config
C2 Extraction:
64.89.163.7:8888
64.89.163.7:2404
Please note that we are no longer able to provide a coverage score for VirusTotal.
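The IOC table above lists 64.89.163.7:2404, and the extracted configuration adds 64.89.163.7:8888, which is also the remote port the behaviour graph shows RuntimeBroker.exe connecting to. The Python below is an added example, not code from MalwareBazaar, ThreatFox or any vendor on this page, that checks both sockets against Zeek conn.log records and treats the resolved hosts from the behaviour graph (geoplugin.net, discordapp.com, keyauth.win) as pivots to investigate rather than block-list entries, since two of them are shared public services. Both log excerpts are constructed in Zeek's tab-separated layout with a reduced field set; the private and documentation addresses in them are placeholders, and none of it is traffic captured from the sample.

```python
"""Match this entry's network IOCs against Zeek conn.log and dns.log records.

Added example; not code from MalwareBazaar, ThreatFox or any sandbox vendor.
CONN_LOG and DNS_LOG are constructed excerpts, not captured traffic.
"""

# Socket addresses from the config extraction and the reporter's comment.
C2_SOCKETS = {("64.89.163.7", 2404), ("64.89.163.7", 8888)}

# Hosts the behaviour graph shows being resolved. geoplugin.net is a public
# geolocation API that Remcos queries for the victim's location, and
# discordapp.com is Discord's CDN; both are shared infrastructure, so a hit is
# a reason to look at the endpoint, not a match to block on.
PIVOT_DOMAINS = {"geoplugin.net", "discordapp.com", "keyauth.win"}

CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state\n"
    "1770871200.123\tCtest1\t10.0.0.15\t49741\t64.89.163.7\t8888\ttcp\t-\tSF\n"
    "1770871205.456\tCtest2\t10.0.0.15\t49742\t178.237.33.50\t80\ttcp\thttp\tSF\n"
    "1770871210.789\tCtest3\t10.0.0.22\t51000\t64.89.163.7\t443\ttcp\tssl\tSF\n"
    "1770871215.000\tCtest4\t10.0.0.15\t49746\t64.89.163.7\t2404\ttcp\t-\tS1\n"
    "1770871220.000\tCtest5\t10.0.0.30\t52000\t203.0.113.10\t443\ttcp\tssl\tSF\n"
)
DNS_LOG = (
    "#fields\tts\tuid\tid.orig_h\tquery\tanswers\n"
    "1770871199.900\tDtest1\t10.0.0.15\tgeoplugin.net\t178.237.33.50\n"
    "1770871209.000\tDtest2\t10.0.0.15\tcdn.discordapp.com\t162.159.133.233\n"
    "1770871219.000\tDtest3\t10.0.0.30\twww.example.com\t203.0.113.10\n"
)


def parse_zeek_log(text):
    """Parse a Zeek TSV log into dicts keyed by the names in its #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data row before #fields header")
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def match_conn(rows, c2_sockets=C2_SOCKETS):
    """Exact socket matches are 'c2-socket'; the same host on another port is weaker."""
    c2_hosts = {host for host, _ in c2_sockets}
    hits = []
    for r in rows:
        host, port = r["id.resp_h"], int(r["id.resp_p"])
        if (host, port) in c2_sockets:
            hits.append((r["uid"], "c2-socket", f"{host}:{port}"))
        elif host in c2_hosts:
            hits.append((r["uid"], "c2-host-other-port", f"{host}:{port}"))
    return hits


def match_dns(rows, domains=PIVOT_DOMAINS):
    """Flag queries for a pivot domain or any of its subdomains."""
    hits = []
    for r in rows:
        q = r["query"].lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in domains):
            hits.append((r["uid"], "pivot-domain", q))
    return hits


def triage(conn_text, dns_text):
    """Split findings into what to block and what to investigate."""
    conn_hits = match_conn(parse_zeek_log(conn_text))
    dns_hits = match_dns(parse_zeek_log(dns_text))
    return {
        "block": [h for h in conn_hits if h[1] == "c2-socket"],
        "investigate": [h for h in conn_hits if h[1] != "c2-socket"] + dns_hits,
    }


if __name__ == "__main__":
    for bucket, hits in triage(CONN_LOG, DNS_LOG).items():
        print(bucket)
        for uid, kind, what in hits:
            print(f"    {uid}  {kind}  {what}")
```

Only the exact socket pairs go into the block bucket; a flow to 64.89.163.7 on an unlisted port is kept as a lead because the host may serve more than one C2 port, as the two extracted ports here already show, but it may also be shared hosting.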

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed. Several of the rules listed below are generic (import-hash, TLS-callback and anti-debugging API checks, a Go-binary heuristic, a ransomware rule) and can fire on a .NET/PyInstaller sample like this one regardless of family; the Remcos-specific rules (Remcos, REMCOS_RAT_variants, Windows_Trojan_Remcos_b296e965, win_remcos_auto, win_remcos_rat_unpacked, win_remcos_w0, yarahub_win_remcos_rat_unpacked_aug_2023) are the matches that corroborate the signature.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base64 encoded powershell script.
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: iexplorer_remcos
Author: iam-py-test
Description: Detect iexplorer being taken over by Remcos
Rule name: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Author: ditekSHen
Description: detects Windows executables potentially bypassing UAC using eventvwr.exe
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_detect_tls_callbacks
Rule name: pe_imphash
Rule name: RANSOMWARE
Author: ToroGuitar
Rule name: Remcos
Author: kevoreilly
Description: Remcos Payload
Rule name: REMCOS_RAT_variants
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD commands that can be abused by a threat actor (can create FP)
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: upxHook
Author: @r3dbU7z
Description: Detect artifacts from 'upxHook' - modification of UPX packer
Reference: https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name: Windows_Trojan_Remcos_b296e965
Author: Elastic Security
Reference: https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
Rule name: win_remcos_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.remcos.
Rule name: win_remcos_rat_unpacked
Author: Matthew @ Embee_Research
Description: Detects strings present in remcos rat Samples.
Rule name: win_remcos_w0
Author: Matthew @ Embee_Research
Description: Detects strings present in remcos rat Samples.
Rule name: yarahub_win_remcos_rat_unpacked_aug_2023
Author: Matthew @ Embee_Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments