MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75479214a1966d37e9be5b0c870fe87cfb8325e028634a6be13a15563f85129a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 19


Intelligence 19 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 75479214a1966d37e9be5b0c870fe87cfb8325e028634a6be13a15563f85129a
SHA3-384 hash: a283695c42da7a602f8a358af2c5d80513701712cc11ea5ccd245d6bf94f9f686fc92fe91eaef126b1075b4c663e76d5
SHA1 hash: 34aa93bdc5a4fd459eb307eca369676c127f7e96
MD5 hash: 411b32c1cd3e0765455b3e5936cda2ae
humanhash: tango-burger-sweet-oxygen
File name:CIPLICS2 - XG-HAM,DECFS - (FLEX-3158178 ; PO#4500605673 4500605675).scr
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'074'688 bytes
First seen:2025-04-29 06:39:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 24576:dzLwcSQB9Q3nIsesLdWMPCG+TeqR5hAU+vaCdK:dzLw7QB9Q3IsVLdrPqraU+/dK
Threatray 833 similar samples on MalwareBazaar
TLSH T1B43512652648E407D8A61B786B71F13517BD6DEAB901EA1B9FCA3DEF7C32A010C0D193
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
449
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
CIPLICS2-XG-HAMDECFS-FLEX-3158178PO45006056734500605675.scr.exe
Verdict:
Malicious activity
Analysis date:
2025-04-29 06:42:24 UTC
Tags:
remcos rat auto-reg remote
Link:
https://app.any.run/tasks/e2d18139-8362-4b14-b6de-0961689aa83a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/4935/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=681074bdc8b2e86d0ac42f2c
Tags:
spawn lien sage msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Creating a process from a recently created file
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Launching a process
Reading critical registry keys
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
entropy masquerade obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/6810741146fe05453ca99fc0/reports/747884da-aaa9-4d3b-acce-994948f75730/overview
Verdict:
Malicious
Labled as:
Genie8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/75479214a1966d37e9be5b0c870fe87cfb8325e028634a6be13a15563f85129a
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ef0ecb76-b47d-4c26-806e-d1d98c71c408
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1677033
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates autostart registry keys with suspicious names
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1677033 Sample: CIPLICS2 - XG-HAM,DECFS - (... Startdate: 29/04/2025 Architecture: WINDOWS Score: 100 52 geoplugin.net 2->52 58 Suricata IDS alerts for network traffic 2->58 60 Found malware configuration 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 14 other signatures 2->64 10 CIPLICS2 - XG-HAM,DECFS - (FLEX-3158178 ; PO#4500605673  4500605675).scr.exe 3 2->10         started        13 Adobe-Reader.exe 2 2->13         started        16 Adobe-Reader.exe 2->16         started        signatures3 process4 file5 50 CIPLICS2 - XG-HAM,...605675).scr.exe.log, ASCII 10->50 dropped 18 CIPLICS2 - XG-HAM,DECFS - (FLEX-3158178 ; PO#4500605673  4500605675).scr.exe 2 4 10->18         started        82 Injects a PE file into a foreign processes 13->82 22 Adobe-Reader.exe 13->22         started        24 Adobe-Reader.exe 13->24         started        26 Adobe-Reader.exe 16->26         started        signatures6 process7 file8 46 C:\ProgramData\...\Adobe-Reader.exe, PE32 18->46 dropped 48 C:\...\Adobe-Reader.exe:Zone.Identifier, ASCII 18->48 dropped 66 Creates autostart registry keys with suspicious names 18->66 28 Adobe-Reader.exe 3 18->28         started        31 SIHClient.exe 6 18->31         started        33 Adobe-Reader.exe 22->33         started        signatures9 process10 signatures11 80 Multi AV Scanner detection for dropped file 28->80 35 Adobe-Reader.exe 4 14 28->35         started        process12 dnsIp13 54 104.250.180.178, 49682, 49683, 7902 M247GB United States 35->54 56 geoplugin.net 178.237.33.50, 49684, 80 ATOM86-ASATOM86NL Netherlands 35->56 68 Writes to foreign memory regions 35->68 70 Maps a DLL or memory area into another process 35->70 39 recover.exe 14 35->39         started        42 recover.exe 1 35->42         started        44 recover.exe 1 35->44         started        signatures14 process15 signatures16 72 Tries to steal Mail credentials (via file registry) 39->72 74 Tries to harvest and steal browser information (history, passwords, etc) 39->74 76 Tries to steal Instant Messenger accounts or passwords 42->76 78 Tries to steal Mail credentials (via file / registry access) 42->78
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/75479214a1966d37e9be5b0c870fe87cfb8325e028634a6be13a15563f85129a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/75479214a1966d37e9be5b0c870fe87cfb8325e028634a6be13a15563f85129a/
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-04-29 06:03:58 UTC
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ovdzeffbszwtp2n6lmgiod7ipt5ygjpafbruu27bhikvmp4fckna._file
Verdict:
malicious
Label(s):
nirsoft
Create hunting rule
unc_loader_037
Create hunting rule
remcos
Create hunting rule
Similar samples:
074efb70a49088638d0e62cc3637a75627afe9286c3f2d024e78ea9f247582fe
RemcosRAT
75479214a1966d37e9be5b0c870fe87cfb8325e028634a6be13a15563f85129a
RemcosRAT
88d5346489cca6b4114b60889108d286c46144507e2011081e0c7080eeb18d03
RemcosRAT
b9e560839e19d9fc3cb727c4dd29a81566162a924b9a8ae5f55523284a243cc7
RemcosRAT
e87f8539ce8ac8dca6a61ab1d1543ef892043dd2793ae52ef893fcdf8f2a92f5
RemcosRAT
e8fa06add1e83397ada8e5d1816a8e9ae2b3f6e86ec3d4a1264436cee4a26e25
RemcosRAT
error
RemcosRAT
+ 823 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection discovery persistence rat
Link:
https://tria.ge/reports/250429-hepvjavzbt/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Remcos
Remcos family
Malware Config
C2 Extraction:
104.250.180.178:7902
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bfa98571-563e-4044-bace-46669f0787eb
Unpacked files
SH256 hash:
75479214a1966d37e9be5b0c870fe87cfb8325e028634a6be13a15563f85129a
MD5 hash:
411b32c1cd3e0765455b3e5936cda2ae
SHA1 hash:
34aa93bdc5a4fd459eb307eca369676c127f7e96
Link:
https://www.unpac.me/results/9f355b1e-8031-4adb-8682-68f7738640a8/
SH256 hash:
c09e0e64718e1b45af19885feddc86f902bc18cb5fa5e64dade87ee1c4f0f3f2
MD5 hash:
2e4fe6630c31bbf4ad9558dbdb64ae4d
SHA1 hash:
030852dcab9532308aefb31b1b719416c5840d24
Link:
https://www.unpac.me/results/9f355b1e-8031-4adb-8682-68f7738640a8/
SH256 hash:
94f800ec748b0f879a92036707b941dbed14c3469595661755e9d20fca914a9c
MD5 hash:
0a25e053c88d7743f0ad2b17ed07952b
SHA1 hash:
3eb9efe87f1363161d72194a3d807e6c7ad5c652
Detections:
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
Remcos
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Link:
https://www.unpac.me/results/9f355b1e-8031-4adb-8682-68f7738640a8/
Parent samples :
5e47d534bc69265885b633e57144923a33dccc9e6f19aae9b1906057fada4ef8
b9e560839e19d9fc3cb727c4dd29a81566162a924b9a8ae5f55523284a243cc7
e87f8539ce8ac8dca6a61ab1d1543ef892043dd2793ae52ef893fcdf8f2a92f5
75479214a1966d37e9be5b0c870fe87cfb8325e028634a6be13a15563f85129a
ed830a56fa30b98c9b5cfeb01d53bdbbd601df1115a037a5b9346367de382e02
134c8c01c688d2f6a23765c6f917633d2c9f440e6c37753874ddd938862b1ff0
SH256 hash:
59968dd6e3f01af34f05ff787dbdd4fd49b8e1adbc6b210d84be57cf7d94fc36
MD5 hash:
4cf5d037050546b97edf8c517be16e22
SHA1 hash:
fb249903285b47437dae370d546556d14f54b423
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/9f355b1e-8031-4adb-8682-68f7738640a8/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/75479214a196/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/75479214a1966d37e9be5b0c870fe87cfb8325e028634a6be13a15563f85129a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 75479214a1966d37e9be5b0c870fe87cfb8325e028634a6be13a15563f85129a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/4935/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments