MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 918fec49a231215309ad2a0c27c80d6ddd2d3dafb1cedd6f1198db1ab5f124e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 14



SHA256 hash: 918fec49a231215309ad2a0c27c80d6ddd2d3dafb1cedd6f1198db1ab5f124e6
SHA3-384 hash: ceb8736975039b517222f6ee67581391eb771cf48ab4715d5e2c9b82eea2db071ef9e5c65a46f4e6dad67190aafab8d0
SHA1 hash: e0deba2b2a32e17f230bc46d52f4a18b7d03390f
MD5 hash: 42755130819b391a086369d62feb5975
humanhash: harry-august-pip-solar
File name:RHB_17518712354340563_20250723-pdf.bat
Signature RemcosRAT
File size:795'443 bytes
First seen:2025-07-24 13:50:09 UTC
Last seen:Never
File type:Batch (bat)
MIME type:text/plain
ssdeep 24576:jp/xkotlm81BhyR5vyzcfUjiUGiMwKKBlt:1ZtAl/k
Threatray 4'114 similar samples on MalwareBazaar
TLSH T19B05F13EEEA5ECC107AA31D1665E3B19129C8B93F1714F5CECE528A62864585DF3F02C
Magika vba
Reporter smica83
Tags:bat RemcosRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 55
Origin country: HU
Vendor Threat Intelligence
Malware family:
ID: 1
File name: https://files.mailparser.io/f/SxXGJDTU6pM9HP0BnUrUmQ
Verdict: Malicious activity
Analysis date: 2025-07-24 12:19:35 UTC
Tags: arch-exec remcos rat stealer susp-powershell

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 94.9%
Tags: autorun crypted sage remo
Result
Threat name:
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains a sample name check
.NET source code references suspicious native API functions
Detected Remcos RAT
Drops script or batch files to the startup folder
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Yara detected Powershell decode and execute
Yara detected Remcos RAT
Behaviour
Behavior Graph: (graph rendering not reproduced) Behavior Graph ID: 1743421; Sample: RHB_17518712354340563_20250...; Startdate: 24/07/2025; Architecture: WINDOWS; Score: 100
Threat name: Script-BAT.Trojan.Heuristic
Status: Malicious
First seen: 2025-07-24 13:30:38 UTC
File Type: Text
AV detection: 7 of 22 (31.82%)
Threat level: 2/5
Result
Malware family: donutloader
Score: 10/10
Tags: family:donutloader discovery execution loader
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: PowerShell
Drops startup file
Blocklisted process makes network request
Detects DonutLoader
DonutLoader
Donutloader family
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base64 encoded powershell script.
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:iexplorer_remcos
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Author:ditekSHen
Description:detects Windows executables potentially bypassing UAC using eventvwr.exe
Rule name:pe_detect_tls_callbacks
Rule name:pe_no_import_table
Description:Detects PE files that have no import table
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:Remcos
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_
Author:Michelle Khalil
Description:This rule detects unpacked remcos malware samples.
Rule name:REMCOS_RAT_variants
Rule name:SUSP_PS1_JAB_Pattern_Jun22_1
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable
Reference:Internal Research
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Remcos_b296e965
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
Rule name:win_remcos_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:win_remcos_rat_unpacked
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:win_remcos_w0
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:yarahub_win_remcos_rat_unpacked_aug_2023
Author:Matthew @ Embee_Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments