MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ffe8a4132d889f1f228f07b2dae7bb1c0d84f5df0a77491ca51349af83319af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 16

Intelligence 16 IOCs YARA 5 File information Comments

SHA256 hash:	7ffe8a4132d889f1f228f07b2dae7bb1c0d84f5df0a77491ca51349af83319af
SHA3-384 hash:	c22e7adb30d40194cf72f0a6d38ac0a7bd599479a697fdcf74bef57de1697494f00363a1cefa95ea0a354a7271107d58
SHA1 hash:	9475b18303602da833b9194fb879832f44d83737
MD5 hash:	a9407605a9dcaf475578c8746aec7894
humanhash:	table-blue-red-fix
File name:	7ffe8a4132d889f1f228f07b2dae7bb1c0d84f5df0a77491ca51349af83319af
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	161'280 bytes
First seen:	2025-05-26 10:48:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	3072:UObg+A2ptEFimxeQa7EEXjIYxJbw341DkvyB9tVTf8pHz1ZdGr:tZAytoimxet7XXVxRw3b6BnN8pz1ZdG
Threatray	4'110 similar samples on MalwareBazaar
TLSH	T188F35B28A7DD866BC1EE66B9F4A114940BF1C217E2CBF74699C8E9F118C73407D061BE
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	JAMESWT_WT
Tags:	185-241-208-118 exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

404

Origin country :

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

7ffe8a4132d889f1f228f07b2dae7bb1c0d84f5df0a77491ca51349af83319af

Verdict:

Malicious activity

Analysis date:

2025-05-26 10:49:27 UTC

Tags:

rat remcos remote

Link:

https://app.any.run/tasks/348315be-b7bd-40a5-80a7-b2d590911782

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6834483a668438e362e6fb60

Tags:

packed micro abel

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Launching a process

Sending an HTTP GET request

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

base64 obfuscated

Link:

https://www.filescan.io/uploads/683446ff2d1d8b12425d621d/reports/21c546cd-5d2e-4445-8ffd-8bc3cf888c14/overview

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/7ffe8a4132d889f1f228f07b2dae7bb1c0d84f5df0a77491ca51349af83319af

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/eb345e0b-cac0-4138-9afc-47d9496dec5e

Result

Threat name:

Remcos, ResolverRAT

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1699161

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Detected Remcos RAT

Found malware configuration

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses threadpools to delay analysis

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected Costura Assembly Loader

Yara detected Remcos RAT

Yara detected ResolverRAT

Behaviour

Behavior Graph:

Download SVG

Score:

95%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/7ffe8a4132d889f1f228f07b2dae7bb1c0d84f5df0a77491ca51349af83319af

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7ffe8a4132d889f1f228f07b2dae7bb1c0d84f5df0a77491ca51349af83319af/

Threat name:

ByteCode-MSIL.Trojan.MassLogger

Status:

Malicious

First seen:

2025-04-29 01:29:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=p77iuqjs3ce7d4ri6b5s3lt3whanqt256ctxjeokke2jv6btdgxq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

081c1e5d1c9c59d76a490b45f7062f9cfbf18fa2e5b77f827a4cfb6a5e48b5c2

RemcosRAT

0ac64e3c4051edae7fb30c1381b4406e4e79663e313b4dc0b6af84a460e011b0

RemcosRAT

9c39d381f96fb45ffcb826c90aaee8c6818767eabf44e757fa5518217611d7c7

RemcosRAT

b254541038b979c1c21f489e21bc15f594492aff656bc908aa54033bafb05775

RemcosRAT

d0e342184c25134c07419b2e7bc94990078fc0c57703d72570cd383da6c37f21

RemcosRAT

error

RemcosRAT

+ 4'100 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost discovery rat

Link:

https://tria.ge/reports/250526-mwbrfsyk17/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Remcos

Remcos family

Malware Config

C2 Extraction:

185.241.208.118:9683

Unpacked files

SH256 hash:

7ffe8a4132d889f1f228f07b2dae7bb1c0d84f5df0a77491ca51349af83319af

MD5 hash:

a9407605a9dcaf475578c8746aec7894

SHA1 hash:

9475b18303602da833b9194fb879832f44d83737

Link:

https://www.unpac.me/results/22ff79b6-3404-4a96-8257-f9cb0bedfd7f/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7ffe8a4132d8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7ffe8a4132d889f1f228f07b2dae7bb1c0d84f5df0a77491ca51349af83319af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Lumma_Stealer_Detection Create hunting rule
Author:	ashizZz
Description:	Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:	https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample