MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8fc99d95e5e736e838b5b3237d5d656c4b8de9a75100e01a834e45dd76917dcd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT


Vendor detections: 14



SHA256 hash: 8fc99d95e5e736e838b5b3237d5d656c4b8de9a75100e01a834e45dd76917dcd
SHA3-384 hash: 0ff4cbcc2bfc0816426da11cf65b1146403bd7297c5af2e89afb84fe1dd1d223b6cca6239cc267d589645a6deb711fc3
SHA1 hash: 271606735ae10758ffd579105f42a183e57f820d
MD5 hash: 96555cf8146236bba843b438e8e6b59f
humanhash: montana-don-cat-alanine
File name: docs.bat
Signature: RemcosRAT
File size: 3'229 bytes
First seen: 2026-03-19 13:15:28 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/x-msdos-batch
ssdeep: 48:noDGu3ipl1G2Y0bpmR1W/VpCQj5CwDBQIgp8qI8NRr2WURj9E9WHtKd:noDPX0bUR0PNJq/Rr2WUh4oo
TLSH: T122617C4693861AFF8F036770616FFF491F02DE6B2A63859D92800A19613915B3FAE930
Magika: batch
Reporter: abuse_ch
Tags: bat RemcosRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 105
Origin country: SE
Vendor Threat Intelligence
Malware configuration found for: BatchScript
Details: BatchScript (varying reportable information from embedded commands and any observed URLs)
Malware family:
n/a
ID:
1
File name:
docs.bat
Verdict:
Malicious activity
Analysis date:
2026-03-19 13:17:15 UTC
Tags:
powershell

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Tags:
vmdetect xtreme shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Connection attempt
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Launching a process
Enabling the 'hidden' option for recently created files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Using obfuscated Powershell scripts
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated opendir powershell
Verdict:
Malicious
File Type:
unix shell
Detections:
HEUR:Trojan.BAT.Alien.gen PDM:Trojan.Win32.Generic
Result
Threat name:
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Signature
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Obfuscated command line found
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Unusual module load detection (module proxying)
Uses known network protocols on non-standard ports
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph ID: 1886324 (Sample: docs.bat, Startdate: 19/03/2026, Architecture: WINDOWS, Score: 100)

The graph is an interactive diagram on the original page; the process tree it encodes is reproduced below as a list (node numbers are the graph's own).

- [2] docs.bat (sample)
  - DNS/IP: windowstoolsupdate48347834.com
  - Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Yara detected UAC Bypass using CMSTP; 10 other signatures
  - Started: [9] cmd.exe, [12] powershell.exe, [14] powershell.exe, [16] svchost.exe
- [9] cmd.exe
  - Signatures: Suspicious powershell command line found; Obfuscated command line found; Bypasses PowerShell execution policy
  - Started: [19] powershell.exe, [24] conhost.exe
- [12] powershell.exe
  - Started: [26] csc.exe, [28] conhost.exe
- [14] powershell.exe
  - Started: [30] csc.exe, [32] conhost.exe
- [16] svchost.exe
  - DNS/IP: 127.0.0.1 (unknown)
- [19] powershell.exe
  - DNS/IP: 87.120.219.134 (ports 34981, 49694; NET1-ASBG, Bulgaria); windowstoolsupdate48347834.com / 147.45.179.125 (ports 39489, 49707, 49708; FREE-NET-ASFREEnetEU, Russian Federation); 87.120.219.222 (ports 41292, 49692, 49693; NET1-ASBG, Bulgaria)
  - Dropped: C:\Users\user\AppData\...\50c0ymk0.cmdline (Unicode)
  - Signatures: Contains functionality to bypass UAC (CMSTPLUA); Contains functionality to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; 4 other signatures
  - Started: [34] csc.exe, [37] WmiPrvSE.exe, [39] attrib.exe
- [26] csc.exe
  - Dropped: C:\Users\user\AppData\Local\...\vcvkshej.dll (PE32)
  - Started: [41] cvtres.exe
- [30] csc.exe
  - Dropped: C:\Users\user\AppData\Local\...\n3lkqa3w.dll (PE32)
  - Started: [43] cvtres.exe
- [34] csc.exe
  - Dropped: C:\Users\user\AppData\Local\...\50c0ymk0.dll (PE32)
  - Started: [45] cvtres.exe
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
System Location Discovery: System Language Discovery
Adds Run key to start application
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD commands that can be abused by a threat actor (can create FPs)

Rule name: WIN_FileFix_Detection
Author: dogsafetyforeverone
Description: Detects the FileFix social engineering technique that launches chained PowerShell and PHP commands from file explorer typed paths
Reference: FileFix social engineering with PowerShell and PHP commands

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Signature: RemcosRAT
File: Batch (bat) 8fc99d95e5e736e838b5b3237d5d656c4b8de9a75100e01a834e45dd76917dcd (this sample)
Delivery method: Distributed via web download

Comments