MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 999c04854a14a50e67c4efb840139402b256ae8c84582b36f1f4ab3878fd2af1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 19


Intelligence 19 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 999c04854a14a50e67c4efb840139402b256ae8c84582b36f1f4ab3878fd2af1
SHA3-384 hash: b4600dd243f96180b683b39cc14228f8458510d8760ab9bc709fdcadfbd56db2b0e8116501ffc2d3628af9e2b370055b
SHA1 hash: 4a90cc251c03e24bb9a4725897e84b20141361d6
MD5 hash: 16559a9eb01cf0873641816e2bd22a6d
humanhash: kilo-delaware-april-six
File name:HSBC Bank_Payment Advice Copy.pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'536'000 bytes
First seen:2025-12-03 14:03:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash eb41e5567017c33839f07ebe2eb84cb4 (6 x DBatLoader, 3 x RemcosRAT, 3 x a310Logger)
ssdeep 24576:bbCbz7++IfUFixpw0QB7FqyJOXkjimcrbyc55LY2rz1Ocp9WsrEJioSEn/2NHH:bbiFjbPqyJOX4imcrekRY2lIEEJ9nehH
Threatray 1'878 similar samples on MalwareBazaar
TLSH T1B065E166A1F08436E123CAB55C1A938A642DBEB43FB59C5636DC3F6C8F356742C250B3
TrID 35.4% (.EXE) Win64 Executable (generic) (10522/11/4)
22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.1% (.EXE) Win32 Executable (generic) (4504/4/1)
6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags:exe HSBC RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Malware family:
remcos
Create hunting rule
ID:
1
File name:
HSBC Bank_Payment Advice Copy.pdf.exe
Verdict:
Malicious activity
Analysis date:
2025-12-03 14:08:17 UTC
Tags:
delphi rat remcos remote
Link:
https://app.any.run/tasks/98b18475-6c22-4eff-8d38-c878b51adb0a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/42298/
Detection(s):
SecuriteInfo.com.TR.Drop.Age.1624064.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6930436116e6db515e464900
Tags:
underscore delphi remcos emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file
Creating a process from a recently created file
Connecting to a non-recommended domain
Connection attempt
Sending a custom TCP request
DNS request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug borland_delphi captcha fingerprint installer-heuristic keylogger masquerade packed
Link:
https://www.filescan.io/uploads/693043608e26c121ec95db19/reports/b3685199-92b6-4748-9dcb-745b350f4c77/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/999c04854a14a50e67c4efb840139402b256ae8c84582b36f1f4ab3878fd2af1
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-26T00:41:00Z UTC
Last seen:
2025-12-04T03:36:00Z UTC
Hits:
~100
Detections:
HEUR:Backdoor.Win32.Convagent.gen Backdoor.Win32.Remcos.sb HEUR:Trojan.Win32.DelfInject.gen
Link:
https://opentip.kaspersky.com/999c04854a14a50e67c4efb840139402b256ae8c84582b36f1f4ab3878fd2af1/results?tab=lookup
Malware family:
ModiLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7578660d-e21d-4f6b-964d-bc7ddee8c443
Result
Threat name:
Remcos, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1825441
Signature
Allocates many large memory junks
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the user root directory
Found malware configuration
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Sigma detected: Remcos
Sigma detected: Suspicious Double Extension File Execution
Sigma detected: Suspicious Program Location with Network Connections
Suricata IDS alerts for network traffic
Unusual module load detection (module proxying)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/999c04854a14a50e67c4efb840139402b256ae8c84582b36f1f4ab3878fd2af1
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/999c04854a14a50e67c4efb840139402b256ae8c84582b36f1f4ab3878fd2af1/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/999c04854a14a50e67c4efb840139402b256ae8c84582b36f1f4ab3878fd2af1
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2025-11-26 06:40:00 UTC
File Type:
PE (Exe)
Extracted files:
42
AV detection:
21 of 23 (91.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tgoajbkkcssq4z6e564eae4uakzfnlumqrmcwnxr6svtq6h5flyq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
dbatloader
Create hunting rule
Similar samples:
01bc103ee77df6c8974d2fd4b86a7572f3d6968615a22471e3c18ff98260f1b8
RemcosRAT
3abf62ae0a936abf68778522cfc3a6e1ccbbe80d8dc9e4ebd1c40970f3949012
RemcosRAT
6a60df67162c247c7b02056c1c72acc6556d3c01ee01681157a57fc291d0068b
RemcosRAT
999c04854a14a50e67c4efb840139402b256ae8c84582b36f1f4ab3878fd2af1
RemcosRAT
e2cfa796e8599abc3ca0dd45eee8737dc42861d09369ec2f31fa2fdc6316e60d
RemcosRAT
error
RemcosRAT
+ 1'868 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:remotehost discovery rat trojan
Link:
https://tria.ge/reports/251203-rdcy1scq9w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Remcos
Remcos family
Malware Config
C2 Extraction:
91.92.243.134:9672
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d9822b03-8c1a-4275-8220-44cc2e729294
Unpacked files
SH256 hash:
999c04854a14a50e67c4efb840139402b256ae8c84582b36f1f4ab3878fd2af1
MD5 hash:
16559a9eb01cf0873641816e2bd22a6d
SHA1 hash:
4a90cc251c03e24bb9a4725897e84b20141361d6
Link:
https://www.unpac.me/results/a2408159-ef16-474b-a8a8-4b01bebbdaa9/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/999c04854a14/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/999c04854a14a50e67c4efb840139402b256ae8c84582b36f1f4ab3878fd2af1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:TeslaCryptPackedMalware
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/42298/

Comments