MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99816cd2de501f26cb3227491cf3bf407fba47ed12f8b925a993d7c822b031ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 99816cd2de501f26cb3227491cf3bf407fba47ed12f8b925a993d7c822b031ae
SHA3-384 hash: 611b22d1a68d2de89833fda1673419d720429e7db3bffac8364346fa6290c1ec34e95ef84647ef7e84ed786f0708a33f
SHA1 hash: 5a626e2c3df90014ff37764bfe2e5a51cad205b3
MD5 hash: 3baf9ad525f5caa5d07dcb14c563abb4
humanhash: bakerloo-may-bluebird-cola
File name:Shipping-Document -Pdf.bat
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:945'152 bytes
First seen:2025-06-30 16:51:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 24576:XPjuby9UtLFY8x1yBn35mbbWgynqAR0445WtjbK2:XPKby9UtLi8Y3fyVWtb
Threatray 1'136 similar samples on MalwareBazaar
TLSH T14C151326B61AE403E46A1BF90E51D17483794DCEE921E3978FD97CEB30E27112B81B47
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
538
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Shipping-Document -Pdf.bat
Verdict:
Malicious activity
Analysis date:
2025-06-30 16:55:53 UTC
Tags:
remcos rat auto-sch-xml netreactor auto-reg remote stealer
Link:
https://app.any.run/tasks/1e864a8a-bd2e-4cbc-95ab-154377b41edb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/11684/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.3358.25550.11019.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6862c08c37c343677947e047
Tags:
shell virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Restart of the analyzed sample
Creating a file
Launching cmd.exe command interpreter
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the User Account Control
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/6862c094714e106cecb7f395/reports/a0eb1048-7edb-4151-b5bb-5572b236a2cb/overview
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/99816cd2de501f26cb3227491cf3bf407fba47ed12f8b925a993d7c822b031ae
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d6a62c5c-336d-4ea3-8fcc-341b65df6117
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/99816cd2de501f26cb3227491cf3bf407fba47ed12f8b925a993d7c822b031ae
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/3baf9ad525f5caa5d07dcb14c563abb4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/99816cd2de501f26cb3227491cf3bf407fba47ed12f8b925a993d7c822b031ae/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2025-06-30 08:16:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
19 of 36 (52.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tgawzuw6kapsnszse5erz457ib73ur7ncl4lsjnjspl4qivqggxa._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
remcos
Create hunting rule
Similar samples:
3021e7589fef17cce2d2dac8424ecc68a61d84cf25762c4caad209aa0a51e68a
RemcosRAT
5f811f675d487ef9d0cd10ba5f095edadcb38eeeedaa5ec897b3994b954d3212
RemcosRAT
6cc2fb149479570c8f47434b33dba731da0b08b48a609011965c878e34c57a5b
RemcosRAT
8ee17d796838ff6f4a61fad087b4486f2859a516d290215cdf3d731bc167ab56
RemcosRAT
99816cd2de501f26cb3227491cf3bf407fba47ed12f8b925a993d7c822b031ae
RemcosRAT
e462d1a4674d1c46ee7c3eba187353dc4c6c40863493e67b3d1ab379714f97bb
RemcosRAT
error
RemcosRAT
+ 1'126 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection defense_evasion discovery execution persistence rat trojan
Link:
https://tria.ge/reports/250630-vcye4shn6x/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Modifies registry key
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Remcos
Remcos family
UAC bypass
Malware Config
C2 Extraction:
45.88.186.30:2404
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ed3c5f17-4945-4a8f-90b5-3db6ab0d4bce
Unpacked files
SH256 hash:
99816cd2de501f26cb3227491cf3bf407fba47ed12f8b925a993d7c822b031ae
MD5 hash:
3baf9ad525f5caa5d07dcb14c563abb4
SHA1 hash:
5a626e2c3df90014ff37764bfe2e5a51cad205b3
Link:
https://www.unpac.me/results/c2111642-cb89-4edd-a4e5-9dac80433171/
SH256 hash:
19bb7984811af5c7b837a18a3bbd096724c47a0e2885eadb9ff1a8933757718a
MD5 hash:
b60bff775d77b9e9af6f9a7ae5947d98
SHA1 hash:
11c716371d54786c1d4ab5688ab69a71cc5201ca
Link:
https://www.unpac.me/results/c2111642-cb89-4edd-a4e5-9dac80433171/
SH256 hash:
8c32d8c52abf0222f922e914a679af80fa57aa169474db445c0b5ef5bfe87625
MD5 hash:
d407a776c8e87c9c289f34dc4c0a5e23
SHA1 hash:
1a85a23894bdce7e08aea39bd1db21e4a8dfc089
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/c2111642-cb89-4edd-a4e5-9dac80433171/
SH256 hash:
dff568003cd80fee590b5c37627bf5bc1ffb1909bd153f42049b2083b042253c
MD5 hash:
3e8e6aa32f74a0e4ff2f40a79b0d1d61
SHA1 hash:
df1aad6a6f20d416d664576baf9cfe5b041ac3f6
Detections:
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
Remcos
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Link:
https://www.unpac.me/results/c2111642-cb89-4edd-a4e5-9dac80433171/
Parent samples :
e462d1a4674d1c46ee7c3eba187353dc4c6c40863493e67b3d1ab379714f97bb
99816cd2de501f26cb3227491cf3bf407fba47ed12f8b925a993d7c822b031ae
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/99816cd2de50/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/99816cd2de501f26cb3227491cf3bf407fba47ed12f8b925a993d7c822b031ae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 99816cd2de501f26cb3227491cf3bf407fba47ed12f8b925a993d7c822b031ae

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/11684/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments