MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79550414ab0554d42cf6478dc85df5b86deacbe26ff6fb1c7dbfc058fd520390. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	79550414ab0554d42cf6478dc85df5b86deacbe26ff6fb1c7dbfc058fd520390
SHA3-384 hash:	f27897f8a8ccf22807f46f29950d7f2492f7088e9fcf99e7f652180e16e0dff7de79e67b4ea61f7e95092f39e74420f9
SHA1 hash:	062cd3ca3571db9429bc7cba4f9ac980f420ff75
MD5 hash:	e4d0d348b5a9732bbd5c1c6800f75b45
humanhash:	batman-six-spaghetti-iowa
File name:	CFS KEE-ISF - SO#4622- HBL#6810974399.xls.scr
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'070'080 bytes
First seen:	2025-12-02 02:31:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	24576:fm9Qlt/8wfCzEklqa5hv6KZzkW/Ka+WV49BI3hw7Pq2sz:fmkl1a556wzkuj9u9BI3hw7ze
Threatray	82 similar samples on MalwareBazaar
TLSH	T1663523943258D413D8555EF01A20D2F2A77AAEAEE821C2079FC57F9FB9FE7504A02353
TrID	56.5% (.EXE) Win64 Executable (generic) (10522/11/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	threatcat_ch
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

129

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

CFS KEE-ISF - SO#4622- HBL#6810974399.xls.scr

Verdict:

No threats detected

Analysis date:

2025-12-02 02:32:17 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e20d6088-4e87-4a67-859c-9f6b564ffab0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/42085/

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=692e4fb0264b106bd645c6ef

Tags:

underscore virus krypt msil

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

masquerade packed vbnet

Link:

https://www.filescan.io/uploads/692e4fad3cf0944cdda858b0/reports/7b90786b-f9ae-4e11-b162-b7fa0b8a2151/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/79550414ab0554d42cf6478dc85df5b86deacbe26ff6fb1c7dbfc058fd520390

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-12-01T22:59:00Z UTC

Last seen:

2025-12-04T00:18:00Z UTC

Hits:

~1000

Detections:

Trojan-Dropper.Win32.Injector.sb PDM:Trojan.Win32.Badex.c HEUR:Backdoor.MSIL.Remcos.gen Trojan.MSIL.Taskun.sb Trojan.MSIL.Crypt.sb Backdoor.Win32.Remcos.sb

Link:

https://opentip.kaspersky.com/79550414ab0554d42cf6478dc85df5b86deacbe26ff6fb1c7dbfc058fd520390/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/b23b141c-a946-42a7-bfd9-b8d37ba08f31

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1824064

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Contains functionality to bypass UAC (CMSTPLUA)

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Found malware configuration

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Unusual module load detection (module proxying)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/79550414ab0554d42cf6478dc85df5b86deacbe26ff6fb1c7dbfc058fd520390

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.44 Win 64 Exe x64

Link:

https://app.malva.re/file/e4d0d348b5a9732bbd5c1c6800f75b45

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/79550414ab0554d42cf6478dc85df5b86deacbe26ff6fb1c7dbfc058fd520390/

Verdict:

Malicious

Threat:

Family.REMCOS

Link:

https://tip.neiki.dev/file/79550414ab0554d42cf6478dc85df5b86deacbe26ff6fb1c7dbfc058fd520390

Threat name:

Win64.Backdoor.Remcos

Status:

Malicious

First seen:

2025-12-02 02:07:32 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

18 of 23 (78.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pfkqifflavknilhwi6g4qxpvxbw6vs7cn73pwhd5x7afr7ksaoia._file

Verdict:

malicious

Label(s):

unc_loader_037

remcos

RemcosRAT

242418928ee50cd9d4c70bddf5b9434ee65244aa46376f123f1c59359c281eaa

RemcosRAT

d076158f2f53f5d2b109631721820941ebbc4c7fbbb9b480e48e6b38235ecc44

RemcosRAT

e710b54964053441596c34b3d478d6784b314ffd8bacec9def124050b2a86f04

RemcosRAT

error

RemcosRAT

+ 72 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos rat

Link:

https://tria.ge/reports/251202-c1drhavqcz/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Remcos

Remcos family

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/a6e76522-90e6-4512-bd9d-210b5fd15a40

Unpacked files

SH256 hash:

79550414ab0554d42cf6478dc85df5b86deacbe26ff6fb1c7dbfc058fd520390

MD5 hash:

e4d0d348b5a9732bbd5c1c6800f75b45

SHA1 hash:

062cd3ca3571db9429bc7cba4f9ac980f420ff75

Link:

https://www.unpac.me/results/7c4a65cb-988c-49a2-8303-144dbf3521ca/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/79550414ab05/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

exe 79550414ab0554d42cf6478dc85df5b86deacbe26ff6fb1c7dbfc058fd520390

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/42085/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample