MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75f0a13b548a29be733e8e7dcff844d4b2fc151aa01418b1ab0ed968c17aa040. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash: 75f0a13b548a29be733e8e7dcff844d4b2fc151aa01418b1ab0ed968c17aa040
SHA3-384 hash: 9b6333f3e06fa617cc3a7f40d6837c8243a7467ccf3ff0698c12874d302a049215e8e8ad76ec4cddf9b511509b0ac515
SHA1 hash: 4dcfa720d50f0ca0b5ab3a79184181ebb4d466c4
MD5 hash: 03aa29a77292f081ee247b798967687e
humanhash: green-bluebird-helium-freddie
File name:wegivemebestthingsbetterplaceforme.hta
Download: download sample
Signature RemcosRAT
File size:13'028 bytes
First seen:2026-07-02 12:09:38 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 384:Fb/w5aEhEDxO+gu+EJOnKkeNJ1xW0j03PUsPAqpTg+w:F5EaJmp0jD
Threatray 1'371 similar samples on MalwareBazaar
TLSH T10442F4D8BA24168570FD9E0B158733DE37B0868301C794E3E39D4BBEAB1870625AF578
Magika html
Reporter James_inthe_box
Tags:exe hta RemcosRAT

Intelligence


File Origin
# of uploads :
1
# of downloads :
153
Origin country :
US US
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
70%
Tags:
virus ausiv sage
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Payload URLs
URL
File name
https://blue-paper-f69f.acrypters.workers.dev/FTM0-40PO-AO28-G98E/img_u69eno.png
HTA File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm fingerprint powershell
Verdict:
Malicious
File Type:
hta
First seen:
2026-07-01T23:57:00Z UTC
Last seen:
2026-07-03T19:49:00Z UTC
Hits:
~10
Detections:
Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic
Verdict:
inconclusive
YARA:
2 match(es)
Tags:
Html
Threat name:
Document-HTML.Trojan.Kepavll
Status:
Malicious
First seen:
2026-07-02 03:28:31 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection discovery execution rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Badlisted process makes network request
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Family: Remcos
Process spawned unexpected child process
Malware Config
C2 Extraction:
141.98.10.150:14641
141.98.10.150:14642
141.98.10.150:14643
141.98.10.150:14644
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MalScript_Tricks
Author:@bartblaze
Description:Identifies tricks often seen in malicious scripts such as moving the window off-screen or resizing it to zero.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments