MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fc74aa31dd8efffc1ea7bf27af20fbd76f30ee09f7b821e8b0d761f4ae641c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7fc74aa31dd8efffc1ea7bf27af20fbd76f30ee09f7b821e8b0d761f4ae641c3
SHA3-384 hash: ef191ccb94c8162a5c214cc3e804d902a38cc69e6a44222ef06c8feac68684c40f1c850ea9c110bf25d8bb4f11085bf9
SHA1 hash: e6b2c228d76ba897b2b36f3c872e8345e00c0b68
MD5 hash: 62bd1f1acc0481f683983307cb3c453a
humanhash: mars-neptune-beer-september
File name:Jeblikkets.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:752'616 bytes
First seen:2026-04-13 07:42:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f4639a0b3116c2cfc71144b88a929cfd (117 x GuLoader, 55 x Formbook, 40 x VIPKeylogger)
ssdeep 12288:EXyWmdPEZJ7SyplVheVyeEjYmSagwO8EqLq31bwixW:EXrmdPud3VheVOYb2D5ixW
TLSH T1E3F4F1897B409BB7C22547364FC787A1173DEC606B929B2B3296F35E2F7226156433C8
TrID 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 81e0f4f8e662b0b0 (2 x GuLoader, 2 x RemcosRAT)
Reporter lowmal3
Tags:exe RemcosRAT signed

Code Signing Certificate

Organisation:Unblighted
Issuer:Unblighted
Algorithm:sha256WithRSAEncryption
Valid from:2026-03-25T02:41:35Z
Valid to:2027-03-25T02:41:35Z
Serial number: 0d4710c3c9d6936cd9eaf0988d49d0de1604a24c
Thumbprint Algorithm:SHA256
Thumbprint: c5a77afb57bd6506f7d7ab219c64e5beb9d5bf7f8d400bec41d04b6f3a8d284d
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
139
Origin country :
DE DE
Vendor Threat Intelligence
Malware configuration found for:
GuLoader NSIS
Details
GuLoader
a c2 URL, a useragent string, and a string XOR key
GuLoader
an XOR decryption key and an extracted component
NSIS
extracted archive contents
Link:
https://research.acce.ciphertechsolutions.com/results/e36ee04d-462e-4df8-9e25-b13c8347ebeb/
Malware family:
remcos
Create hunting rule
ID:
1
File name:
_7fc74aa31dd8efffc1ea7bf27af20fbd76f30ee09f7b821e8b0d761f4ae641c3.exe
Verdict:
Malicious activity
Analysis date:
2026-04-13 07:42:49 UTC
Tags:
auto-reg rat remcos
Link:
https://app.any.run/tasks/6df5e497-6df8-41dd-900b-6024b835c337

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/61329/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.87166445.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
89.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69dc9e6945787c53e5393bb1
Tags:
n/a
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Creating a file in the %temp% directory
Delayed reading of the file
Restart of the analyzed sample
Gathering data
Verdict:
Suspicious
Labled as:
Agent.WIMD
Link:
https://www.hybrid-analysis.com/sample/7fc74aa31dd8efffc1ea7bf27af20fbd76f30ee09f7b821e8b0d761f4ae641c3
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-04-12T20:39:00Z UTC
Last seen:
2026-04-15T05:08:00Z UTC
Hits:
~1000
Detections:
Trojan.NSIS.Makoob.sbb Trojan.NSIS.Makoob.sba Trojan-Downloader.Win32.Minix.sb UDS:DangerousObject.Multi.Generic Trojan.Win32.GuLoader.sb PDM:Trojan.Win32.Generic HEUR:Trojan.Win32.GuLoader.gen
Link:
https://opentip.kaspersky.com/7fc74aa31dd8efffc1ea7bf27af20fbd76f30ee09f7b821e8b0d761f4ae641c3/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/766b7d82-ad7f-43fe-9a0d-e75845afd756
Result
Threat name:
GuLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1897217
Signature
AI detected suspicious PE digital signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Creates autostart registry keys with suspicious names
Detected Remcos RAT
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1897217 Sample: Jeblikkets.exe Startdate: 13/04/2026 Architecture: WINDOWS Score: 100 70 drive.usercontent.google.com 2->70 72 drive.google.com 2->72 88 Suricata IDS alerts for network traffic 2->88 90 Found malware configuration 2->90 92 Malicious sample detected (through community Yara rule) 2->92 94 8 other signatures 2->94 10 Jeblikkets.exe 2 34 2->10         started        14 remcos.exe 23 2->14         started        16 remcos.exe 2->16         started        signatures3 process4 file5 58 C:\Users\user\AppData\Local\...\System.dll, PE32 10->58 dropped 100 Tries to detect virtualization through RDTSC time measurements 10->100 102 Unusual module load detection (module proxying) 10->102 104 Switches to a custom stack to bypass stack traces 10->104 18 Jeblikkets.exe 2 10 10->18         started        23 Jeblikkets.exe 10->23         started        60 C:\Users\user\AppData\Local\...\System.dll, PE32 14->60 dropped 25 remcos.exe 6 14->25         started        27 remcos.exe 14->27         started        62 C:\Users\user\AppData\Local\...\System.dll, PE32 16->62 dropped 29 remcos.exe 16->29         started        31 remcos.exe 16->31         started        signatures6 process7 dnsIp8 74 drive.google.com 142.250.190.238, 443, 49702, 49710 GOOGLEUS United States 18->74 76 drive.usercontent.google.com 142.250.65.65, 443, 49703, 49711 GOOGLEUS United States 18->76 54 C:\ProgramData\Remcos\remcos.exe, PE32 18->54 dropped 56 C:\ProgramData\...\remcos.exe:Zone.Identifier, ASCII 18->56 dropped 96 Detected Remcos RAT 18->96 98 Creates autostart registry keys with suspicious names 18->98 33 remcos.exe 23 18->33         started        37 Jeblikkets.exe 18->37         started        39 remcos.exe 25->39         started        41 remcos.exe 29->41         started        file9 signatures10 process11 file12 52 C:\Users\user\AppData\Local\...\System.dll, PE32 33->52 dropped 80 Antivirus detection for dropped file 33->80 82 Multi AV Scanner detection for dropped file 33->82 84 Contains functionality to steal Internet Explorer form passwords 33->84 86 3 other signatures 33->86 43 remcos.exe 4 10 33->43         started        48 remcos.exe 33->48         started        signatures13 process14 dnsIp15 78 130.12.182.112, 2404, 49714, 49715 DATAHOPDatahop-SixDegreesGB Canada 43->78 64 C:\Users\user\AppData\...\Login Data.tmp, SQLite 43->64 dropped 66 C:\Users\user\AppData\...\Login Data.tmp, SQLite 43->66 dropped 68 C:\Users\user\...\Login Data For Account.tmp, SQLite 43->68 dropped 106 Detected Remcos RAT 43->106 108 Tries to harvest and steal browser information (history, passwords, etc) 43->108 50 remcos.exe 43->50         started        file16 signatures17 process18
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7fc74aa31dd8efffc1ea7bf27af20fbd76f30ee09f7b821e8b0d761f4ae641c3
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7fc74aa31dd8efffc1ea7bf27af20fbd76f30ee09f7b821e8b0d761f4ae641c3/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/7fc74aa31dd8efffc1ea7bf27af20fbd76f30ee09f7b821e8b0d761f4ae641c3
Threat name:
Win32.Trojan.Qwexlafiba
Create hunting rule
Status:
Malicious
First seen:
2026-04-13 00:04:24 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p7duviy53dx77qpkppzhv4qpxv3pgdxat55yehulbv3b6sxgihbq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
error
RemcosRAT
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos botnet:remotehost discovery downloader persistence rat spyware stealer
Link:
https://tria.ge/reports/260413-jjwz3sez8n/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks installed software on the system
Contacts third-party web service commonly abused for C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Guloader family
Guloader,Cloudeye
Remcos
Remcos family
Malware Config
C2 Extraction:
130.12.182.112:2404
Unpacked files
SH256 hash:
7fc74aa31dd8efffc1ea7bf27af20fbd76f30ee09f7b821e8b0d761f4ae641c3
MD5 hash:
62bd1f1acc0481f683983307cb3c453a
SHA1 hash:
e6b2c228d76ba897b2b36f3c872e8345e00c0b68
Link:
https://www.unpac.me/results/bb1e8011-278c-4fb1-9c6f-87ab871aaf94/
SH256 hash:
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6
MD5 hash:
192639861e3dc2dc5c08bb8f8c7260d5
SHA1 hash:
58d30e460609e22fa0098bc27d928b689ef9af78
Link:
https://www.unpac.me/results/bb1e8011-278c-4fb1-9c6f-87ab871aaf94/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7fc74aa31dd8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7fc74aa31dd8efffc1ea7bf27af20fbd76f30ee09f7b821e8b0d761f4ae641c3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 7fc74aa31dd8efffc1ea7bf27af20fbd76f30ee09f7b821e8b0d761f4ae641c3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/61329/

Comments