MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ca7124e0d0abbebeb7089771abe45deb02ce6c49ad9ab3f6d6dc3b9cac09013. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8ca7124e0d0abbebeb7089771abe45deb02ce6c49ad9ab3f6d6dc3b9cac09013
SHA3-384 hash: cdd393126e4430ed10c9e5f77c7e0177efe6d66bc989d0cca7b2097c070c42b04f637aa911d0800a51e050bc15af9e44
SHA1 hash: 68ebdaa237e185845f6e38406c3d802946674705
MD5 hash: 0328dfca3ebd3b8c2f7fe7f417222b76
humanhash: cardinal-harry-jersey-whiskey
File name:scan010116.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:543'023 bytes
First seen:2025-10-20 12:58:02 UTC
Last seen:2025-11-06 10:51:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (525 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 12288:ZSxFmy11eL2KnQmdm9QeSgWL2KlDNbWi13y9ko0:ZSzmyrrFic6V1NRlG0
Threatray 2'105 similar samples on MalwareBazaar
TLSH T105B4E01667A0CD03F38112784496F73E8E69AED43C9ACE1217F57DDB7914B32682D2A3
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter cocaman
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
109
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
scan010116.exe
Verdict:
Malicious activity
Analysis date:
2025-10-20 12:59:32 UTC
Tags:
remcos rat remote stealer evasion mpress
Link:
https://app.any.run/tasks/a18c4fc3-309c-48ff-903f-58e379f2df07

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/33443/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f631fcc949ca4fcbe3aeea
Tags:
injection obfusc virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Delayed reading of the file
Creating a file
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context installer microsoft_visual_cc obfuscated overlay packed packer_detected
Link:
https://www.filescan.io/uploads/68f6320b3a79800405ec47d3/reports/3440487c-842c-42de-a3a6-6da88b28746b/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/8ca7124e0d0abbebeb7089771abe45deb02ce6c49ad9ab3f6d6dc3b9cac09013
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-16T20:37:00Z UTC
Last seen:
2025-10-22T07:31:00Z UTC
Hits:
~1000
Detections:
PDM:Trojan.Win32.Generic Trojan-Dropper.Win32.Injector.sb Trojan-Downloader.Win32.Minix.sb Trojan.Win32.Guloader.sb Trojan.NSIS.Makoob.sba Backdoor.Win32.Remcos.sb HEUR:Trojan.Win32.GuLoader.gen Trojan.Win32.Yakes Trojan.NSIS.Makoob.sbb
Link:
https://opentip.kaspersky.com/8ca7124e0d0abbebeb7089771abe45deb02ce6c49ad9ab3f6d6dc3b9cac09013/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/cb3a1542-faa4-4ea2-8cc3-25fbea807b11
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1798322
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Detected Remcos RAT
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1798322 Sample: scan010116.exe Startdate: 20/10/2025 Architecture: WINDOWS Score: 100 61 drive.usercontent.google.com 2->61 63 drive.google.com 2->63 65 2 other IPs or domains 2->65 83 Suricata IDS alerts for network traffic 2->83 85 Found malware configuration 2->85 87 Antivirus detection for dropped file 2->87 89 7 other signatures 2->89 10 scan010116.exe 41 2->10         started        14 remcos.exe 27 2->14         started        16 remcos.exe 2->16         started        signatures3 process4 file5 53 C:\Users\user\AppData\Local\...\System.dll, PE32 10->53 dropped 101 Tries to detect virtualization through RDTSC time measurements 10->101 103 Switches to a custom stack to bypass stack traces 10->103 18 scan010116.exe 2 10 10->18         started        55 C:\Users\user\AppData\Local\...\System.dll, PE32 14->55 dropped 23 remcos.exe 12 14->23         started        57 C:\Users\user\AppData\Local\...\System.dll, PE32 16->57 dropped 25 remcos.exe 16->25         started        signatures6 process7 dnsIp8 67 drive.google.com 142.250.217.174, 443, 49721, 49723 GOOGLEUS United States 18->67 69 drive.usercontent.google.com 172.217.165.193, 443, 49722, 49724 GOOGLEUS United States 18->69 49 C:\ProgramData\Remcos\remcos.exe, PE32 18->49 dropped 51 C:\ProgramData\...\remcos.exe:Zone.Identifier, ASCII 18->51 dropped 91 Detected Remcos RAT 18->91 93 Creates autostart registry keys with suspicious names 18->93 27 remcos.exe 27 18->27         started        file9 signatures10 process11 file12 59 C:\Users\user\AppData\Local\...\System.dll, PE32 27->59 dropped 105 Multi AV Scanner detection for dropped file 27->105 107 Found hidden mapped module (file has been removed from disk) 27->107 109 Tries to detect virtualization through RDTSC time measurements 27->109 111 Switches to a custom stack to bypass stack traces 27->111 31 remcos.exe 4 18 27->31         started        signatures13 process14 dnsIp15 71 196.251.70.45, 2404, 49728, 49729 Web4AfricaZA Seychelles 31->71 73 api.ipify.org 104.26.13.205, 443, 49730 CLOUDFLARENETUS United States 31->73 75 api.findip.net 172.67.214.3, 443, 49731 CLOUDFLARENETUS United States 31->75 43 C:\Users\user\AppData\Local\Temp\THB5F8.tmp, MS-DOS 31->43 dropped 45 C:\Users\user\AppData\Local\Temp\THB5D7.tmp, MS-DOS 31->45 dropped 47 C:\Users\user\AppData\Local\Temp\THB5B7.tmp, PE32 31->47 dropped 77 Detected Remcos RAT 31->77 79 Writes to foreign memory regions 31->79 81 Maps a DLL or memory area into another process 31->81 36 RmClient.exe 31->36         started        39 RmClient.exe 31->39         started        41 RmClient.exe 31->41         started        file16 signatures17 process18 signatures19 95 Tries to steal Instant Messenger accounts or passwords 36->95 97 Tries to steal Mail credentials (via file / registry access) 36->97 99 Tries to harvest and steal browser information (history, passwords, etc) 39->99
Score:
89%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8ca7124e0d0abbebeb7089771abe45deb02ce6c49ad9ab3f6d6dc3b9cac09013
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/0328dfca3ebd3b8c2f7fe7f417222b76
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8ca7124e0d0abbebeb7089771abe45deb02ce6c49ad9ab3f6d6dc3b9cac09013/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/8ca7124e0d0abbebeb7089771abe45deb02ce6c49ad9ab3f6d6dc3b9cac09013
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-10-17 01:24:35 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rstretqnbk56x23qrf3rvpsf32yczzwetlm2wp3nnxb3tswasajq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
2be5b104a63deb6addd9d49ffea10cfbefc8c214c2578f4554b6272ca3856899
RemcosRAT
4d02f3763b13495b4365c2ea7bd38bcb14b3163b7b6a3962fe4a7f5898235451
RemcosRAT
551863be2e92aa2d319a92cda72bc2123233ee3a7e965ee691fd70d88c21d772
RemcosRAT
55d8dc6d475a919fe7ec17bd2575cf0f0a1eec913dba89f9556b69621eec0eb6
RemcosRAT
5dfcdc1c491fbf2f7f2fbac6bbf27b84be652583b66b252c46e8ed86577c3c60
RemcosRAT
67fd31f9b85ca5e31e0851c8a5f8f2f36343d884aa3dd7f26d4aa6c5d02b28fe
RemcosRAT
a509d90eaa00df8640c180439726fc0ed487dc30d236e19d1fc1514782e23671
RemcosRAT
b5d44eb79bb60df60b30f4157e958cb1a84c6ed93f2fb3767e96c573c27092e4
RemcosRAT
dd6d8363c2761f77948a54be192dbbe563d2da9dd8f922102547631ccbd05ebb
RemcosRAT
ecc38b2d94c70426a8c8ffb8d0414c048023731d37153f2ac50e62d966505143
RemcosRAT
error
RemcosRAT
+ 2'095 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos collection discovery downloader persistence rat
Link:
https://tria.ge/reports/251020-p7tgraal6y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Guloader family
Guloader,Cloudeye
Remcos
Remcos family
Malware Config
C2 Extraction:
196.251.70.45:2404
Unpacked files
SH256 hash:
8ca7124e0d0abbebeb7089771abe45deb02ce6c49ad9ab3f6d6dc3b9cac09013
MD5 hash:
0328dfca3ebd3b8c2f7fe7f417222b76
SHA1 hash:
68ebdaa237e185845f6e38406c3d802946674705
Link:
https://www.unpac.me/results/00850999-76b6-4693-8550-ac47a679d2c9/
SH256 hash:
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
MD5 hash:
75ed96254fbf894e42058062b4b4f0d1
SHA1 hash:
996503f1383b49021eb3427bc28d13b5bbd11977
Link:
https://www.unpac.me/results/00850999-76b6-4693-8550-ac47a679d2c9/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8ca7124e0d0a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.79
Link:
https://yomi.yoroi.company/submissions/8ca7124e0d0abbebeb7089771abe45deb02ce6c49ad9ab3f6d6dc3b9cac09013

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip b266d0ded84c4e9162120175278b2e5996aa05a4dc5d037cd6c50cb15e6c1426

RemcosRAT

Executable exe 8ca7124e0d0abbebeb7089771abe45deb02ce6c49ad9ab3f6d6dc3b9cac09013

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 b266d0ded84c4e9162120175278b2e5996aa05a4dc5d037cd6c50cb15e6c1426
Cape
Cape
https://www.capesandbox.com/analysis/33443/
  
Dropped by
MD5 e7e39384c4cea12dfb1474ac8b767ab8

Comments