MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 809ecfe0d5639158fd1626f4bf2c4c3629a64e012f95f7a08d1b6b0c8a65508e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 809ecfe0d5639158fd1626f4bf2c4c3629a64e012f95f7a08d1b6b0c8a65508e
SHA3-384 hash: b407ab856a188542d32f1784258e8f3266ef7dea8c22107a29eb32a6b991481624abeedaa127992c0481f6d2b1d4a890
SHA1 hash: 8e9e55bc293debc919ebaeedcdd31c5888ec3ca1
MD5 hash: 5f9030a19aa9904c2cd6d337681c5fbd
humanhash: foxtrot-spaghetti-crazy-saturn
File name:images=PNGgooodformatePDF=Docxnotreallygood.hta
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:23'159 bytes
First seen:2025-09-02 14:12:18 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 384:XZGnMwZ4r0edDeOq3CEW05MeDVbbbdfHIfWy:4n76rRfWy
Threatray 1'492 similar samples on MalwareBazaar
TLSH T138A2F7E169C48F31256EC15DD31FA030AE9B1F52323C9411BB8BDA4F9FD255D8362A72
Magika html
Reporter abuse_ch
Tags:hta RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
51
Origin country :
DE DE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68b6fb8b3e988eb6ab8396c0
Tags:
obfuscate xtreme spawn
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/809ecfe0d5639158fd1626f4bf2c4c3629a64e012f95f7a08d1b6b0c8a65508e/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/809ecfe0d5639158fd1626f4bf2c4c3629a64e012f95f7a08d1b6b0c8a65508e
Verdict:
Malicious
File Type:
hta
First seen:
2025-09-02T00:09:00Z UTC
Last seen:
2025-09-02T00:09:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/809ecfe0d5639158fd1626f4bf2c4c3629a64e012f95f7a08d1b6b0c8a65508e/results?tab=lookup
Result
Threat name:
Remcos, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1769574
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Detected Remcos RAT
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Remcos
Sigma detected: Suspicious MSHTA Child Process
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Score:
93%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/809ecfe0d5639158fd1626f4bf2c4c3629a64e012f95f7a08d1b6b0c8a65508e
Verdict:
inconclusive
YARA:
2 match(es)
Tags:
Html
Link:
https://app.malva.re/file/5f9030a19aa9904c2cd6d337681c5fbd
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/809ecfe0d5639158fd1626f4bf2c4c3629a64e012f95f7a08d1b6b0c8a65508e/
Threat name:
Script-JS.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2025-09-02 10:39:41 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
11 of 38 (28.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qcpm7ygvmoivr7iwe32l6lcmgyu2mtqbf6k7piendnvqzctfkcha._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
6bc677ac4c36cb99e3170edb2b29b8e8b47399a2896f8f0c6fa998b4337bcf35
RemcosRAT
9219023b7da8a734c9d4063421680c5fd505adb36d2ba714118887df71ff4790
RemcosRAT
a0c3fa62661159a9eef10b604214afade57a535a405c359b827a3bbd4b0cc63e
RemcosRAT
c208d8d0493c60f14172acb4549dcb394d2b92d30bcae4880e66df3c3a7100e4
RemcosRAT
d58ef7f6352296a5f9052e5bb522a0556037f373b27dd1bf4c53a521f0f7a0a8
RemcosRAT
d84b28f6ce7bca728fdf5eea7ed6cc3d6bed66d189c9218484d62fda4d5a4c9c
RemcosRAT
dd526d6b1e6b225b484425cfce62bc318dae7ad5356e81587a511394a3e34aa0
RemcosRAT
e119c6c5485307075a1e5d0950a77f978f7f17e23c315ed8c38cc1259b8af26f
RemcosRAT
error
RemcosRAT
+ 1'482 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos discovery execution rat
Link:
https://tria.ge/reports/250902-rjfxvswzev/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Remcos
Remcos family
Malware Config
C2 Extraction:
185.222.58.49:465
Dropper Extraction:
https://ia600206.us.archive.org/21/items/optimized_msi_202509/optimized_MSI.png
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/809ecfe0d563/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

HTML Application (hta) hta 809ecfe0d5639158fd1626f4bf2c4c3629a64e012f95f7a08d1b6b0c8a65508e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3615621/
  
Delivery method
Distributed via web download

Comments