MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d126dd8b90ef12045e9576a5b28d796c9edbe522789333572210397519ef521. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RemcosRAT
Vendor detections: 16

SHA256 hash: 8d126dd8b90ef12045e9576a5b28d796c9edbe522789333572210397519ef521
SHA3-384 hash: e7b70d745a9e622bba84586983b026ef5ffe2d4472bc11d35324999df0f87b3ea5f99aea7f82012fc1fdf8b87bb5f357
SHA1 hash: 357fa0071a6d5292737a93ed7ecb2807cfe9ed09
MD5 hash: aaea2c74fc5c631acdb1d3162726fb11
humanhash: four-oklahoma-hydrogen-tennis
File name: 8d126dd8b90ef12045e9576a5b28d796c9edbe522789333572210397519ef521
Download: download sample
Signature: RemcosRAT
File size: 1'603'840 bytes
First seen: 2025-10-10 06:29:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0293eec0b5432ad092f24065016203b2 (21 x GuLoader, 9 x RemcosRAT, 6 x Formbook)
ssdeep: 49152:uY/YWRlEVb/rhJPSD/TbloVQ0a+cM13Lvue9H9yPyIOy:uY/YWgVb/9zVzaTObvjNSyS
Threatray: 1'980 similar samples on MalwareBazaar
TLSH: T103752307B220E1A0E6914A701E3EBC1967777F36B94B51872DC4BB2EB3F3053864971A
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: adrian__luca
Tags: exe RemcosRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 65
Origin country: HU
Vendor Threat Intelligence

Malware family:
ID: 1
File name: 036ba6def972fa19e1f0e8f1b996709e.eml
Verdict: Malicious activity
Analysis date: 2025-09-14 13:39:32 UTC
Tags: attachments attc-unc susp-attachments arch-exec rat remcos remote evasion stealer
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.1%
Tags: uloader virus nsis blic

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Creating a file in the %temp% directory
  Creating a window
  Creating a file
  Creating synchronization primitives
  Creating a file in the %AppData% subdirectories
  Delayed reading of the file
  Searching for the window

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context installer microsoft_visual_cc obfuscated overlay signed

Verdict: Malicious
File Type: exe x32
First seen: 2025-09-14T08:01:00Z UTC
Last seen: 2025-10-12T01:18:00Z UTC
Hits: ~10000

Verdict: inconclusive
YARA: 5 match(es)
Tags: Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86

Threat name: Win32.Trojan.GuLoader
Status: Malicious
First seen: 2025-09-14 14:01:27 UTC
AV detection: 18 of 24 (75.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: discovery installer
Behaviour:
  Suspicious behavior: MapViewOfSection
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  System Location Discovery: System Language Discovery
  Drops file in Program Files directory
  Drops file in Windows directory
  Suspicious use of NtSetInformationThreadHideFromDebugger
  Legitimate hosting services abused for malware hosting/C2
  Loads dropped DLL

Verdict: Suspicious
Tags: n/a
YARA: n/a

Unpacked files
SHA256 hash: 8d126dd8b90ef12045e9576a5b28d796c9edbe522789333572210397519ef521
MD5 hash: aaea2c74fc5c631acdb1d3162726fb11
SHA1 hash: 357fa0071a6d5292737a93ed7ecb2807cfe9ed09

SHA256 hash: db70cfc1016f3ba89bf44b70145d3c27ad673c1dcd318330d5b5d1c375d704cd
MD5 hash: 927f12a8226b1c185bfc8f24cfbbe6c4
SHA1 hash: 0c3adab46ecb8aa7eae8b6376d2c5615556eaa70

SHA256 hash: 7fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1
MD5 hash: dd87a973e01c5d9f8e0fcc81a0af7c7a
SHA1 hash: c9206ced48d1e5bc648b1d0f54cccc18bf643a14

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Ins_NSIS_Buer_Nov_2020_1
Author: Arkbird_SOLG
Description: Detect NSIS installer used for Buer loader

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments