MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 754da186c4e37abfd6f3a1c6108f567f4c05dd1082a8b139ec7745b108c377b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 18

Intelligence 18 IOCs YARA 22 File information Comments

SHA256 hash:	754da186c4e37abfd6f3a1c6108f567f4c05dd1082a8b139ec7745b108c377b8
SHA3-384 hash:	baecbb47e59adba3f2899c10ca2f27c88e5815d572a2e4470dfa24025d1de8924c36cf93db7ff754a8ec42a7272381a4
SHA1 hash:	1e828355c53992c88e32904803b30f9364bb1d62
MD5 hash:	e4efe7a162949bd28acaa0bae0260242
humanhash:	yellow-white-chicken-johnny
File name:	grace.cmd.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	3'389'952 bytes
First seen:	2025-06-25 13:03:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	49152:dQ8nHzklJf8/8ciQRZf9MukWnib+IxCDOgzh3oynb0hkRxRJgMLm+g775:HTc0ibXlUYynbFVBK
Threatray	1'166 similar samples on MalwareBazaar
TLSH	T1C5F523A9F7744562E2BEA235E0E1411487B0E0517743CF9F1724AAEC2847FA5EE42B73
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	James_inthe_box
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

464

Origin country :

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

rl_754da186c4e37abfd6f3a1c6108f567f4c05dd1082a8b139ec7745b108c377b8

Verdict:

Malicious activity

Analysis date:

2025-06-25 13:04:08 UTC

Tags:

remcos rat auto-startup

Link:

https://app.any.run/tasks/46756bb9-7dc5-4783-9cf2-bb45f1ee6ccb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/11091/

Detection(s):

SecuriteInfo.com.Trojan.Remcos.219.20317.15333.UNOFFICIAL

Verdict:

Malicious

Score:

90.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=685bf3c7b06783b9ebd75bc7

Tags:

autorun virus spawn msil

Result

Verdict:

Malware

Maliciousness:

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/754da186c4e37abfd6f3a1c6108f567f4c05dd1082a8b139ec7745b108c377b8

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/403eb114-3184-4565-af38-1e53ac5f9066

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/754da186c4e37abfd6f3a1c6108f567f4c05dd1082a8b139ec7745b108c377b8

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

.Net Executable PE (Portable Executable) Win 32 Exe x86

Link:

https://app.malva.re/file/e4efe7a162949bd28acaa0bae0260242

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/754da186c4e37abfd6f3a1c6108f567f4c05dd1082a8b139ec7745b108c377b8/

Verdict:

Malicious

Link:

https://tip.neiki.dev/file/754da186c4e37abfd6f3a1c6108f567f4c05dd1082a8b139ec7745b108c377b8

Threat name:

ByteCode-MSIL.Backdoor.Remcos

Status:

Malicious

First seen:

2025-06-25 13:03:03 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ovg2dbwe4n5l7vxtuhdbbd2wp5galxiqqkulcopmo5c3ccgdo64a._file

Verdict:

malicious

Label(s):

darkcloudstealer

xworm

remcos

nirsoft

admintool_mailpassview

RemcosRAT

21224cc236d63c5d3d7d3f80be375d3c2408f7a91b08eb6a16d70c7db21106d9

RemcosRAT

2345ba4c97d721f9df926ad1182202564c644ac0e74e10cb9c40c1a671395055

RemcosRAT

49c04ebf5b502cf960b7808dbe53a7e28d2c9302da88c26873149d12b16b3560

RemcosRAT

73d157aceb0cbefa3a24509f157e8b59c40881acd0e3360d026fee5845e19f2c

RemcosRAT

a35234d3e33acbb7e53abaec38ced3a45f6df0ad5ee17ba52b49478d0418f1da

RemcosRAT

c472cfd602e98da9a3e85cc86be8f140cde1aa9a1af299510f40f80d8cd14d5c

RemcosRAT

d5eea8b6b2924e5f41d0562bd73b61267b99e3e7787d83d19ce5dd67f95feb85

RemcosRAT

error

RemcosRAT

+ 1'156 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm collection discovery persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/250625-qa3jtsdr3s/

Behaviour

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook accounts

Adds Run key to start application

Checks computer location settings

Drops startup file

Executes dropped EXE

Reads user/profile data of web browsers

Detected Nirsoft tools

NirSoft MailPassView

NirSoft WebBrowserPassView

Detect Xworm Payload

Xworm

Xworm family

Malware Config

C2 Extraction:

enermax-com.cc:4190

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/7f926137-75ff-4bb9-9be4-ae7f648d626e

Unpacked files

SH256 hash:

754da186c4e37abfd6f3a1c6108f567f4c05dd1082a8b139ec7745b108c377b8

MD5 hash:

e4efe7a162949bd28acaa0bae0260242

SHA1 hash:

1e828355c53992c88e32904803b30f9364bb1d62

Link:

https://www.unpac.me/results/34de3771-5f76-45a2-bd1a-529b2bbf4a88/

SH256 hash:

8b8e77df458f3736ce4b7d70dc8ac90a9cf4ca1b7e624f43d26a9425849d5dff

MD5 hash:

b815324b11f11ad1c62ccec54244045a

SHA1 hash:

368603ed22df71f3cdf5199de20113f420a1948f

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/34de3771-5f76-45a2-bd1a-529b2bbf4a88/

SH256 hash:

805ba274cf5c00e9063a220d020f14b343e05d2ee68dd1585e528feb6802f38d

MD5 hash:

a8cf91ecf9ad2cfbf40fefc50cb150d4

SHA1 hash:

1c4fd629a6ca739d049a6ce098f4c42030d0a633

Detections:

win_remcos_w0

win_remcos_auto

Remcos

malware_windows_remcos_rat

win_remcos_rat_unpacked

INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer

Link:

https://www.unpac.me/results/34de3771-5f76-45a2-bd1a-529b2bbf4a88/

Parent samples :

eaeac3ce9078d326c6cb1ce660e2c2dd778173dd1ba269f51af84dfbb18a5fb0
754da186c4e37abfd6f3a1c6108f567f4c05dd1082a8b139ec7745b108c377b8

SH256 hash:

78f73e1734daa918b253517c75971fbb8df773a3d77d02a752e9a0ad1711a677

MD5 hash:

f9d2985aa1c41cca281321fffb5ed424

SHA1 hash:

3a7a58d2dcae2762882357ae34d372744b1dbb9d

Link:

https://www.unpac.me/results/34de3771-5f76-45a2-bd1a-529b2bbf4a88/

SH256 hash:

a987b506117b4ba0f11171e8f6858f122f2e8715d18ed8a4d36ab06025444fdf

MD5 hash:

cd66dfd7625b63c12b9f553c9cdee058

SHA1 hash:

418b288e08278c170cbaed2ed711dad20b022e53

Link:

https://www.unpac.me/results/34de3771-5f76-45a2-bd1a-529b2bbf4a88/

SH256 hash:

19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372

MD5 hash:

4e29f75c0c51b9dec76955f0382d9541

SHA1 hash:

4899aa8e3f57339cbaec8faab777897a76fe1c3a

Link:

https://www.unpac.me/results/34de3771-5f76-45a2-bd1a-529b2bbf4a88/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/754da186c4e3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/754da186c4e37abfd6f3a1c6108f567f4c05dd1082a8b139ec7745b108c377b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	botnet_plaintext_c2 Create hunting rule
Author:	cip
Description:	Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	iexplorer_remcos Create hunting rule
Author:	iam-py-test
Description:	Detect iexplorer being taken over by Remcos

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	remcos_ Create hunting rule
Author:	Michelle Khalil
Description:	This rule detects unpacked remcos malware samples.

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Windows_Trojan_Remcos_b296e965 Create hunting rule
Author:	Elastic Security
Reference:	https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

Rule name:	win_remcos_rat_unpacked Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects strings present in remcos rat Samples.

Rule name:	win_remcos_w0 Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects strings present in remcos rat Samples.

Rule name:	yarahub_win_remcos_rat_unpacked_aug_2023 Create hunting rule
Author:	Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/11091/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample