MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86bd0fb523c233fe4e82fbb0f614482c65736dea768816f6d0b44cecbdb07535. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 21

SHA256 hash: 86bd0fb523c233fe4e82fbb0f614482c65736dea768816f6d0b44cecbdb07535
SHA3-384 hash: e6982281680756eb444995e6aeb298891b147acd7b27bfb51ea6f0d69a803650fc0dc1ece24de40fb9683a4f6952006b
SHA1 hash: 3ae8c2cc609fc0335cd3e62d2339cde34e88f223
MD5 hash: 658dd2910336c1e9226c5f6f4457f194
humanhash: pasta-alabama-mobile-michigan
File name: ARTWORK (1).exe
Signature: RemcosRAT
File size: 1'218'560 bytes
First seen: 2026-01-30 07:41:15 UTC
Last seen: 2026-01-30 15:15:29 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'795 x AgentTesla, 19'692 x Formbook, 12'274 x SnakeKeylogger)
ssdeep: 24576:K17CYs+G2PlF+IM8ZuDt7Q/ROlIMy6Tg+0JnnYBOPtY7:KNsv2P+IMlt7iROby6TgTnRt
TLSH: T1B345F09821698BC2D0EA3AF75AB2C23CD3751CAD5825F21B0EC67FD7F17A358C416192
TrID:
  71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
  6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
  2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: zhuzhu0009
Tags: exe RemcosRAT

Intelligence

File Origin
# of uploads: 2
# of downloads: 135
Origin country: IR

Vendor Threat Intelligence
Malware family:
ID: 1
File name: _86bd0fb523c233fe4e82fbb0f614482c65736dea768816f6d0b44cecbdb07535.exe
Verdict: Malicious activity
Analysis date: 2026-01-30 07:42:33 UTC
Tags: rat remcos

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: injection packed virus lien
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Creating synchronization primitives
Connection attempt
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: explorer krypt lolbin packed remcos stealer unsafe vbnet

Verdict: Malicious
File Type: exe x32
First seen: 2026-01-30T02:43:00Z UTC
Last seen: 2026-01-30T05:40:00Z UTC
Hits: ~100
Detections: Trojan.MSIL.Crypt.sb Backdoor.Win32.Remcos.sb HEUR:Trojan-PSW.MSIL.Stealer.gen Trojan.MSIL.Inject.sb Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Greedy.sb Trojan-Dropper.Win32.Injector.sb PDM:Trojan.Win32.Generic
Gathering data
Threat name: Win32.Trojan.PhantomStealer
Status: Malicious
First seen: 2026-01-30 07:42:31 UTC
File Type: PE (.Net Exe)
Extracted files: 6
AV detection: 24 of 38 (63.16%)

Threat level: 5/5
Verdict: malicious
Label(s): nirsoft remcos admintool_mailpassview
Similar samples:

Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:remotehost collection defense_evasion discovery rat trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
System Location Discovery: System Language Discovery
Launches sc.exe
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Detected Nirsoft tools
NirSoft MailPassView
Remcos
Remcos family
UAC bypass
Malware Config
C2 Extraction: 158.94.210.195:2405
Unpacked files

SHA256 hash: 86bd0fb523c233fe4e82fbb0f614482c65736dea768816f6d0b44cecbdb07535
MD5 hash: 658dd2910336c1e9226c5f6f4457f194
SHA1 hash: 3ae8c2cc609fc0335cd3e62d2339cde34e88f223

SHA256 hash: 77a22aa49513f0424017549f49bcf531c73e728d00d509fbb144b201ce4e0bcb
MD5 hash: fab9060d31e97662094a2c13835d6418
SHA1 hash: 04b7d52b2d4cd289effe0f8b506367397dd6de0e

SHA256 hash: 05d098dba65a77b93b0216baf7fa4433a87b9ce7a55c275059793d4e577008e6
MD5 hash: 79a2bf8dbdb8851b2af67d23a703b63b
SHA1 hash: 208cbaa017ae8568fbc09b9cfa3a34005da76904
Detections: win_remcos_auto win_remcos_w0 Remcos malware_windows_remcos_rat win_remcos_rat_unpacked INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

SHA256 hash: 7bb14ead76a9648673351cfcf34785d2ce03dbd9f180b043f60f91c8735e3192
MD5 hash: d88494f23efa9314545e4a283f79319f
SHA1 hash: e7762fa5039d9ffda773eccffb9fc11049592c33
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
