MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81bd5ea2395abf6ca7e0959d84a2ecc797c24f789ab18afc6eeeea69c41a2457. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 21

Intelligence 21 IOCs YARA 26 File information Comments

SHA256 hash:	81bd5ea2395abf6ca7e0959d84a2ecc797c24f789ab18afc6eeeea69c41a2457
SHA3-384 hash:	139db015ae8386583e1edf66651ac874b2048301a72075722c69d90ea9baf6382a49db60055e4aa2eea01e1a9225bcc9
SHA1 hash:	30da55ee747359debe1916c706ed8b524f742bec
MD5 hash:	b13eebd55c0e129b97cfb16b387dc121
humanhash:	kentucky-fanta-enemy-pennsylvania
File name:	81bd5ea2395abf6ca7e0959d84a2ecc797c24f789ab18afc6eeeea69c41a2457
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'155'584 bytes
First seen:	2025-06-26 17:42:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'813 x AgentTesla, 19'735 x Formbook, 12'282 x SnakeKeylogger)
ssdeep	24576:b0VSe8kjzKKNosJQKLv+SmhuRZdrsx5Y4t1DfjH5tXdz+B0f:YTNLNosaa5fRLrsI4vjZtX8i
Threatray	4'603 similar samples on MalwareBazaar
TLSH	T1DD3523A6539BD631C27E833A00E67F0D4AACB4F6878EEB990D4C6146F453BD6A407347
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10522/11/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	johnk3r
Tags:	cirugia4k-con-ip-com exe remcos RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

528

Origin country :

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

81bd5ea2395abf6ca7e0959d84a2ecc797c24f789ab18afc6eeeea69c41a2457

Verdict:

Malicious activity

Analysis date:

2025-06-26 17:43:42 UTC

Tags:

remcos rat auto-reg

Link:

https://app.any.run/tasks/aca9f71b-35e1-4d5f-843b-4699607aa954

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/11273/

Detection(s):

Win.Packed.Msilheracles-10017859-0

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=685d8687b06783b9ebd8482d

Tags:

smartassembly packed spawn

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %AppData% directory

Launching a process

Creating a process with a hidden window

Сreating synchronization primitives

DNS request

Creating a file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 entropy obfuscated obfuscated packed packed packer_detected smartassembly smart_assembly

Link:

https://www.filescan.io/uploads/685d86c0d1f1eb5d81c7742a/reports/5c05ea7a-69ea-4d93-95eb-6817d0efd24f/overview

Verdict:

Malicious

Labled as:

Ransom.Samas.Generic

Link:

https://www.hybrid-analysis.com/sample/81bd5ea2395abf6ca7e0959d84a2ecc797c24f789ab18afc6eeeea69c41a2457

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1afa01bb-e80e-46d9-9e30-6354bf39e2e5

Result

Threat name:

Remcos, ResolverRAT

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1723671

Signature

.NET source code contains potential unpacker

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Detected Remcos RAT

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Opens the same file many times (likely Sandbox evasion)

Sigma detected: Remcos

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected Costura Assembly Loader

Yara detected Remcos RAT

Yara detected ResolverRAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/81bd5ea2395abf6ca7e0959d84a2ecc797c24f789ab18afc6eeeea69c41a2457

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

.Net Executable PE (Portable Executable) Win 32 Exe x86

Link:

https://app.malva.re/file/b13eebd55c0e129b97cfb16b387dc121

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/81bd5ea2395abf6ca7e0959d84a2ecc797c24f789ab18afc6eeeea69c41a2457/

Verdict:

Malicious

Link:

https://tip.neiki.dev/file/81bd5ea2395abf6ca7e0959d84a2ecc797c24f789ab18afc6eeeea69c41a2457

Threat name:

ByteCode-MSIL.Spyware.AsyncRAT

Status:

Malicious

First seen:

2025-06-26 17:43:29 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qg6v5irzlk7wzj7aswoyjixmy6l4et3ytkyyv7do53vgtra2erlq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

2998c9450c0410adcf943c88783718017418ede6ce92368be07b515f7395c650

RemcosRAT

4f43043ac4f71ee0f3416e75534ab2616ae90eb887a083b6f2e39995b334c2bc

RemcosRAT

5933dcc6e1411448bf62c554b4ff7b437665bcd8ad3ee37ed30253d6603d1e98

RemcosRAT

81bd5ea2395abf6ca7e0959d84a2ecc797c24f789ab18afc6eeeea69c41a2457

RemcosRAT

820485feb8d8b9c13f3f2bc037f7918b0a38526c6f7193f878b2d410572dac26

RemcosRAT

ae724f16e8ec11a0d12439ffe18032ae2cbd388d419475f77be39fe9c4045a97

RemcosRAT

d38b7f092af30ecfbbfdb162e1dd8baabb4c0f2dee65ec5179126a8488e499e6

RemcosRAT

error

RemcosRAT

+ 4'593 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:cirugia 4k discovery persistence rat

Link:

https://tria.ge/reports/250626-v97p2sdn8s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Adds Run key to start application

Executes dropped EXE

Remcos

Remcos family

Malware Config

C2 Extraction:

cirugia4k.con-ip.com:1090

Verdict:

Malicious

Tags:

Win.Packed.Msilheracles-10017859-0

YARA:

n/a

Link:

https://app.threat.zone/submission/fd248023-505e-43e9-9b0f-fcc90eaa125d

Unpacked files

SH256 hash:

81bd5ea2395abf6ca7e0959d84a2ecc797c24f789ab18afc6eeeea69c41a2457

MD5 hash:

b13eebd55c0e129b97cfb16b387dc121

SHA1 hash:

30da55ee747359debe1916c706ed8b524f742bec

Link:

https://www.unpac.me/results/de0c3283-e10f-4d64-a840-10ab7f4e3c1c/

SH256 hash:

7c0e218987baae6ba580630b01b922d4cf62658530f312068afe59514db037e2

MD5 hash:

6795eadb50b89ce4c8980a8418ca7be4

SHA1 hash:

ed51e144dc92476cd689f37a9825665923974a5b

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/de0c3283-e10f-4d64-a840-10ab7f4e3c1c/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/81bd5ea2395a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/81bd5ea2395abf6ca7e0959d84a2ecc797c24f789ab18afc6eeeea69c41a2457

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	iexplorer_remcos Create hunting rule
Author:	iam-py-test
Description:	Detect iexplorer being taken over by Remcos

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM Create hunting rule
Author:	ditekSHen
Description:	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Rule name:	lsi_remcos Create hunting rule
Author:	anonym
Description:	Remcos_V5 Payload

Rule name:	lsi_remcos2 Create hunting rule
Author:	anonym
Description:	Remcos_V5 Payload

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	remcos_ Create hunting rule
Author:	Michelle Khalil
Description:	This rule detects unpacked remcos malware samples.

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	Remcos_unpacked_PulseIntel Create hunting rule
Author:	PulseIntel
Description:	Remcos Payload

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Windows_Trojan_Remcos_b296e965 Create hunting rule
Author:	Elastic Security
Reference:	https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

Rule name:	win_remcos_rat_unpacked Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects strings present in remcos rat Samples.

Rule name:	win_remcos_w0 Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects strings present in remcos rat Samples.

Rule name:	yarahub_win_remcos_rat_unpacked_aug_2023 Create hunting rule
Author:	Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/11273/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample