MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70d1c832e97bcc3a1c2d4803b9dfcce4b67e3bd422f93848a7bb0884c9e3cabe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 20


Intelligence 20 IOCs 1 YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 70d1c832e97bcc3a1c2d4803b9dfcce4b67e3bd422f93848a7bb0884c9e3cabe
SHA3-384 hash: 639c9b8fcef92c2c209e41c1d3f4330c4c6007d8bd151e724ccf65967db67fd002ab3aad4d9623216550324787bad9ff
SHA1 hash: ee8b55562b3baa5f0b953957b603836438dd9dd2
MD5 hash: 0f2163ec01c64b52f314b0562b61786d
humanhash: enemy-don-mirror-solar
File name:0f2163ec01c64b52f314b0562b61786d.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'481'728 bytes
First seen:2025-12-05 16:15:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9c4555569e4cd0e05606fabc204201b5 (2 x RemcosRAT)
ssdeep 24576:GEkPEEYUY5OM1jHmB7FqyJHc6p3Dp+GTJSSfp9jTGzkATCpxch3+NVS:GZMJEPqyJ8u33TJSSR9nuJTuY3SVS
Threatray 170 similar samples on MalwareBazaar
TLSH T1DA65DF6AA1F18436D223DBF98C16938A14397EF43EB56C0537DC3F5C8BB5574282A1A3
TrID 35.4% (.EXE) Win64 Executable (generic) (10522/11/4)
22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.1% (.EXE) Win32 Executable (generic) (4504/4/1)
6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon 1016797969d46c74 (27 x a310Logger, 20 x DBatLoader, 13 x RemcosRAT)
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
162.216.243.228:1804

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
162.216.243.228:1804 https://threatfox.abuse.ch/ioc/1668084/

Intelligence

File Origin
# of uploads :
1
# of downloads :
143
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
remcos
Create hunting rule
ID:
1
File name:
0f2163ec01c64b52f314b0562b61786d.exe
Verdict:
Malicious activity
Analysis date:
2025-12-05 16:17:31 UTC
Tags:
delphi auto-sch remcos rat
Link:
https://app.any.run/tasks/dcea2dc5-08ef-4a32-8fcd-84a59e52a91d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/42668/
Detection(s):
SecuriteInfo.com.TR.Drop.Age.1624064.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6933052319dbae5fa2b30cf1
Tags:
delphi emotet
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug borland_delphi fingerprint installer-heuristic keylogger modiloader packed remcos zusy
Link:
https://www.filescan.io/uploads/69330514d12d1c79d429c985/reports/2913d90e-0592-4b1b-88be-9e1b388e40c0/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/70d1c832e97bcc3a1c2d4803b9dfcce4b67e3bd422f93848a7bb0884c9e3cabe
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-02T18:38:00Z UTC
Last seen:
2025-12-04T04:17:00Z UTC
Hits:
~10
Detections:
Trojan.Win64.Agentb.sb Backdoor.Remcos.TCP.C&C HEUR:Trojan.Win32.DelfInject.gen HEUR:Trojan.Win32.Convagent.gen Exploit.Win32.BypassUAC.sb Backdoor.Win32.Remcos.f Backdoor.Remcos.HTTP.C&C Trojan.Win32.Inject.sb Backdoor.Win32.Remcos.sb
Link:
https://opentip.kaspersky.com/70d1c832e97bcc3a1c2d4803b9dfcce4b67e3bd422f93848a7bb0884c9e3cabe/results?tab=lookup
Malware family:
ModiLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e4d3c073-46c8-48c1-b68d-d65845d2cdf3
Result
Threat name:
Remcos, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1827372
Signature
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Unusual module load detection (module proxying)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1827372 Sample: 0BNZrvOWHd.exe Startdate: 05/12/2025 Architecture: WINDOWS Score: 100 26 somwayz.gleeze.com 2->26 28 geoplugin.net 2->28 34 Suricata IDS alerts for network traffic 2->34 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 9 other signatures 2->40 8 0BNZrvOWHd.exe 2 2->8         started        11 rundll32.exe 3 2->11         started        signatures3 process4 signatures5 50 Uses schtasks.exe or at.exe to add and modify task schedules 8->50 52 Writes to foreign memory regions 8->52 54 Allocates memory in foreign processes 8->54 56 5 other signatures 8->56 13 SndVol.exe 2 6 8->13         started        17 schtasks.exe 1 8->17         started        19 Hxhxyuqlh.exe 11->19         started        process6 dnsIp7 30 somwayz.gleeze.com 162.216.243.228, 1804, 49690 DYNUUS United States 13->30 32 geoplugin.net 178.237.33.50, 49691, 80 ATOM86-ASATOM86NL Netherlands 13->32 58 Detected Remcos RAT 13->58 60 Contains functionalty to change the wallpaper 13->60 62 Contains functionality to steal Chrome passwords or cookies 13->62 70 3 other signatures 13->70 21 conhost.exe 17->21         started        64 Writes to foreign memory regions 19->64 66 Allocates memory in foreign processes 19->66 68 Allocates many large memory junks 19->68 72 3 other signatures 19->72 23 colorcpl.exe 2 19->23         started        signatures8 process9 signatures10 42 Detected Remcos RAT 23->42 44 Contains functionalty to change the wallpaper 23->44 46 Contains functionality to steal Chrome passwords or cookies 23->46 48 3 other signatures 23->48
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/70d1c832e97bcc3a1c2d4803b9dfcce4b67e3bd422f93848a7bb0884c9e3cabe
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/0f2163ec01c64b52f314b0562b61786d
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/70d1c832e97bcc3a1c2d4803b9dfcce4b67e3bd422f93848a7bb0884c9e3cabe/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/70d1c832e97bcc3a1c2d4803b9dfcce4b67e3bd422f93848a7bb0884c9e3cabe
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2025-12-02 10:06:27 UTC
File Type:
PE (Exe)
Extracted files:
42
AV detection:
29 of 36 (80.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=odi4qmxjppgduhbnjab3tx6m4s3h4o6uel4tqsfhxmeijspdzk7a._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
Similar samples:
01bc103ee77df6c8974d2fd4b86a7572f3d6968615a22471e3c18ff98260f1b8
RemcosRAT
1d2b96df0f0f1c65ddbc1bbc1fcb8f498d28caa97d2847e3163424c3a68c9f27
RemcosRAT
4526771f047305b7786699d197976567fe2b20b3c2bd9230d2391ac8436481cb
RemcosRAT
6a60df67162c247c7b02056c1c72acc6556d3c01ee01681157a57fc291d0068b
RemcosRAT
94072c521ed25cefa4643b8b1e741d3bd068fe23e3a73063082fa6f0f89df49a
RemcosRAT
cc7d970b366fac85dffbfef76441a241827cad22ca0797f8c19d5b1bad4b8b89
RemcosRAT
error
RemcosRAT
fade8bb30ea1f831ef50ce0bafcff0983d111fa1dc04809eccb08bd14815e7cd
RemcosRAT
+ 160 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:somy discovery execution persistence rat trojan
Link:
https://tria.ge/reports/251205-tqflsavmbt/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Remcos
Remcos family
Malware Config
C2 Extraction:
somwayz.gleeze.com:1804
Somwayzbackup.ooguy.com:1800
Verdict:
Malicious
Tags:
Remcos
YARA:
n/a
Link:
https://app.threat.zone/submission/b8dea474-fe34-4008-beef-f88eb92439c0
Unpacked files
SH256 hash:
70d1c832e97bcc3a1c2d4803b9dfcce4b67e3bd422f93848a7bb0884c9e3cabe
MD5 hash:
0f2163ec01c64b52f314b0562b61786d
SHA1 hash:
ee8b55562b3baa5f0b953957b603836438dd9dd2
Link:
https://www.unpac.me/results/6355afb4-605b-43d1-9412-6789a1c93b72/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/70d1c832e97b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/70d1c832e97bcc3a1c2d4803b9dfcce4b67e3bd422f93848a7bb0884c9e3cabe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:win_remcos_rat_unpacked
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:win_remcos_w0
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:yarahub_win_remcos_rat_unpacked_aug_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/42668/

Comments