MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 935472ec0746ee4c02fbf1e4306d8995955d1d8be8dd6ba19933928d3c4fa5a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 22


Intelligence 22 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 935472ec0746ee4c02fbf1e4306d8995955d1d8be8dd6ba19933928d3c4fa5a3
SHA3-384 hash: 9c7c27cc41abc379c9a527e0f8395bd280d2fcee48a5a379ed33b645b7ec7d1d5907b7edc54ac1b653ccfbbe42afb292
SHA1 hash: 83b161c14852f28ddd8a10de42dac99d30239622
MD5 hash: 9f40dfbf697843ace6dad11c8ff325af
humanhash: robert-pasta-october-saturn
File name:UjaQ60rDI5mM5Eq.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:970'752 bytes
First seen:2025-11-13 09:00:10 UTC
Last seen:2025-12-08 14:57:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:0pcAsp4AoJwUHqABq31LMiYbU/neiThKAR0jNTs:oAq5BqSiYviThnSj5
Threatray 1'771 similar samples on MalwareBazaar
TLSH T1BD251264B6ACDF12E4B91FF16935D2B01B71AE9C9862C20A4EE53DDF31B6F001A50793
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
167
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
UjaQ60rDI5mM5Eq.exe
Verdict:
Malicious activity
Analysis date:
2025-11-13 09:02:33 UTC
Tags:
remcos rat auto-sch-xml remote evasion
Link:
https://app.any.run/tasks/92bf67a0-352a-43e7-832c-5752c30a27b4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/38092/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69159e3e60ebe843fe8dad01
Tags:
injection spawn shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/69159e399ab15138ef0f3659/reports/52a01d6a-8466-4384-bcd2-0bd65ea703e9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/935472ec0746ee4c02fbf1e4306d8995955d1d8be8dd6ba19933928d3c4fa5a3
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-13T04:19:00Z UTC
Last seen:
2025-11-14T20:54:00Z UTC
Hits:
~100
Detections:
Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb VHO:Trojan-PSW.MSIL.Convagent.gen Trojan.Agent.HTTP.C&C PDM:Trojan.Win32.Generic HEUR:Trojan-PSW.MSIL.Agensla.gen Trojan.MSIL.Taskun.sb Trojan-Dropper.Win32.Agent.sb HEUR:Trojan.MSIL.Taskun.sb
Link:
https://opentip.kaspersky.com/935472ec0746ee4c02fbf1e4306d8995955d1d8be8dd6ba19933928d3c4fa5a3/results?tab=lookup
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c1752204-9daa-40e3-b02e-6bab6d1400bc
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1813185
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to determine the online IP of the system
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Detected Remcos RAT
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Unusual module load detection (module proxying)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1813185 Sample: UjaQ60rDI5mM5Eq.exe Startdate: 13/11/2025 Architecture: WINDOWS Score: 100 59 api.ipify.org 2->59 61 api.findip.net 2->61 85 Suricata IDS alerts for network traffic 2->85 87 Found malware configuration 2->87 89 Malicious sample detected (through community Yara rule) 2->89 91 11 other signatures 2->91 10 UjaQ60rDI5mM5Eq.exe 7 2->10         started        14 DUqqeloqVhti.exe 5 2->14         started        signatures3 process4 file5 51 C:\Users\user\AppData\...\DUqqeloqVhti.exe, PE32 10->51 dropped 53 C:\Users\...\DUqqeloqVhti.exe:Zone.Identifier, ASCII 10->53 dropped 55 C:\Users\user\AppData\Local\...\tmpDFF2.tmp, XML 10->55 dropped 57 C:\Users\user\...\UjaQ60rDI5mM5Eq.exe.log, ASCII 10->57 dropped 93 Contains functionality to bypass UAC (CMSTPLUA) 10->93 95 Contains functionality to determine the online IP of the system 10->95 97 Contains functionalty to change the wallpaper 10->97 103 7 other signatures 10->103 16 UjaQ60rDI5mM5Eq.exe 2 1 10->16         started        20 powershell.exe 23 10->20         started        22 schtasks.exe 1 10->22         started        99 Multi AV Scanner detection for dropped file 14->99 101 Unusual module load detection (module proxying) 14->101 24 DUqqeloqVhti.exe 14->24         started        27 schtasks.exe 1 14->27         started        signatures6 process7 dnsIp8 47 C:\Users\user\AppData\Local\Temp\TH41CD.tmp, PE32 16->47 dropped 77 Detected Remcos RAT 16->77 79 Writes to foreign memory regions 16->79 29 svchost.exe 12 16->29         started        81 Loading BitLocker PowerShell Module 20->81 31 WmiPrvSE.exe 20->31         started        33 conhost.exe 20->33         started        35 conhost.exe 22->35         started        65 37.120.155.34, 2469, 49700 M247GB Romania 24->65 67 api.ipify.org 104.26.12.205, 443, 49723 CLOUDFLARENETUS United States 24->67 69 api.findip.net 172.67.214.3, 443, 49725 CLOUDFLARENETUS United States 24->69 49 C:\ProgramData\remcos\logs.dat, data 24->49 dropped 83 Installs a global keyboard hook 24->83 37 conhost.exe 27->37         started        file9 signatures10 process11 process12 39 chrome.exe 2 29->39         started        42 chrome.exe 29->42         started        dnsIp13 63 192.168.2.6, 138, 2469, 443 unknown unknown 39->63 44 chrome.exe 39->44         started        process14 dnsIp15 71 part-0012.t-0009.t-msedge.net 13.107.213.40, 443, 49702 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 44->71 73 13.107.246.40, 443, 49703, 49721 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 44->73 75 20 other IPs or domains 44->75
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/935472ec0746ee4c02fbf1e4306d8995955d1d8be8dd6ba19933928d3c4fa5a3
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.37 Win 32 Exe x86
Link:
https://app.malva.re/file/9f40dfbf697843ace6dad11c8ff325af
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/935472ec0746ee4c02fbf1e4306d8995955d1d8be8dd6ba19933928d3c4fa5a3/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/935472ec0746ee4c02fbf1e4306d8995955d1d8be8dd6ba19933928d3c4fa5a3
Threat name:
Win32.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-11-13 06:53:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=snkhf3ahi3xeyax36hsda3mjswkv2hml5dowximzgoji2pcpuwrq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
02f7b0a5e5d5f342ac04d36ed2e79629714ed3a2d7fad472e60745ff9956db4d
RemcosRAT
3abf62ae0a936abf68778522cfc3a6e1ccbbe80d8dc9e4ebd1c40970f3949012
RemcosRAT
4b4c08cf40f2958c5b7a62c60ed7e3dc48224ab59d997be1e030926eb41f3bd4
RemcosRAT
5756bb7dd6781086bfa7c5af6786f9792c895f29900f37eb92284ab38224c8f8
RemcosRAT
b5c978f16a11c1bc6589e5b4b78d08fec1cea4cf2df5df9c67b1eda26e485f6d
RemcosRAT
c1ca6e896923695c85b8273a60b86c35e16db4c8eac92cbaa97e1a889a92704d
RemcosRAT
ca54ece8f6070eeaac4fae0635129df2ecb9664683cc5bdfc3998d7a351e651e
RemcosRAT
error
RemcosRAT
fd1e88a2fd28c0cbfcf0c6a8175d130eb36df27774237d5201fb2af39df7c82d
RemcosRAT
+ 1'761 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos discovery execution persistence rat
Link:
https://tria.ge/reports/251113-kym66aypbx/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Remcos
Remcos family
Malware Config
C2 Extraction:
37.120.155.34:2469
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/54288c8f-6b4c-4e2a-b236-4690d480977f
Unpacked files
SH256 hash:
935472ec0746ee4c02fbf1e4306d8995955d1d8be8dd6ba19933928d3c4fa5a3
MD5 hash:
9f40dfbf697843ace6dad11c8ff325af
SHA1 hash:
83b161c14852f28ddd8a10de42dac99d30239622
Link:
https://www.unpac.me/results/a902723e-87ed-4c42-a442-96c5aee3235e/
SH256 hash:
b35545b58bd259fd30f1d5a83a88d2f3197365146302e5ff4c7bbd3f674309e9
MD5 hash:
910bc9e38a7de11c61f79907227a49cf
SHA1 hash:
10b805ee57caf87358586c906e566980812ea82a
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/a902723e-87ed-4c42-a442-96c5aee3235e/
SH256 hash:
b697f5bc215fc82f85842c32f2ff3ea82a983b479fda069ca443a534cc7b7167
MD5 hash:
22163fe98af1d905e5ac534d1144f9e6
SHA1 hash:
5178047d67c2bb384acd8e2f55749c8daefc99e8
Detections:
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
Remcos
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Link:
https://www.unpac.me/results/a902723e-87ed-4c42-a442-96c5aee3235e/
Parent samples :
935472ec0746ee4c02fbf1e4306d8995955d1d8be8dd6ba19933928d3c4fa5a3
dc06752bce3e55d5122cc6588af713c966feb9133b2f3ae44d7086f7295a76c6
7cc6b476fa83fe157ece10867c61b37587d9d425e26bf26ef16b5f13d38f2c44
4e34822a9cccaf17a60bee19d98b6663bb1d81134a490d5812f4b399b40694bd
99562c4b1720a4d4289d7563e2b40e3910f8295587ab07d0b95cc81a91fe309b
e401c37dcfe4433d2b0fdbe449f905554b5449d397eb18e2c78cca0b10dc113b
SH256 hash:
f44a97ba959a2f1b2154d69c4d118fd16bc5608f7f1dcf4f36bd44c6543b3b9a
MD5 hash:
64a9dd1563f828735d8bb70617bd4d5a
SHA1 hash:
85cfa4ff543dc85b7c8247876c9a8bee99cd9091
Link:
https://www.unpac.me/results/a902723e-87ed-4c42-a442-96c5aee3235e/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/935472ec0746/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/935472ec0746ee4c02fbf1e4306d8995955d1d8be8dd6ba19933928d3c4fa5a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 935472ec0746ee4c02fbf1e4306d8995955d1d8be8dd6ba19933928d3c4fa5a3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/38092/

Comments