MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99d592000e85eef794a714fa042815a31a1d34bba194555bcfc2e85175a8ab2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 99d592000e85eef794a714fa042815a31a1d34bba194555bcfc2e85175a8ab2c
SHA3-384 hash: a669a43e634fbd5db4f5c16c5aed847d62ecb67e6b3191b26d0d969a2748bb2311d29b89b14ac63899c2ce90ac7a070d
SHA1 hash: 7f8694f79fc18dde97a9080e23439b56ad4bcb01
MD5 hash: db8f4d4fb8ae576974bc62a6b0773971
humanhash: four-five-princess-video
File name:Order 2736.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:384'880 bytes
First seen:2025-10-27 01:20:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e2a592076b17ef8bfb48b7e03965a3fc (385 x GuLoader, 58 x RemcosRAT, 40 x AgentTesla)
ssdeep 6144:bspNjlsn8OLszqA0vgZ7+NIo5zWy7avkBg+WQt7ekmvoZd3iSeWLBqBbTgf3UuXJ:bcE8OLszQvQSIo5Ky7pB5WQt+voeNeqG
Threatray 2'004 similar samples on MalwareBazaar
TLSH T16D8412051261C0AAD8530478E43533FF4BB6CD1BD916AA078B39FF1B7872399AC5E196
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter threatcat_ch
Tags:exe RemcosRAT signed

Code Signing Certificate

Organisation:Refigners
Issuer:Refigners
Algorithm:sha256WithRSAEncryption
Valid from:2025-09-11T01:55:36Z
Valid to:2026-09-11T01:55:36Z
Serial number: 6ab48675b198e1c8551f0c710c6be86b96508d8e
Thumbprint Algorithm:SHA256
Thumbprint: 3e9235a0051e16ac1e71adce8a5e1aa5f9808d7f701c762f29c37b79738e4426
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
180
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
_99d592000e85eef794a714fa042815a31a1d34bba194555bcfc2e85175a8ab2c.exe
Verdict:
Malicious activity
Analysis date:
2025-10-27 01:21:51 UTC
Tags:
auto-reg remcos rat
Link:
https://app.any.run/tasks/9aeaf43e-b0ae-4fa1-9524-8604d9be2b62

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34237/
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68fec9046c859164aa651756
Tags:
injection obfusc virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a file
Delayed reading of the file
Restart of the analyzed sample
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug blackhole installer masquerade microsoft_visual_cc nsis overlay signed
Link:
https://www.filescan.io/uploads/68fec8f63a79800405f79e3b/reports/f019ac65-e0fd-4ed8-a270-5ffe713646a5/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/99d592000e85eef794a714fa042815a31a1d34bba194555bcfc2e85175a8ab2c
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-26T22:00:00Z UTC
Last seen:
2025-10-28T21:35:00Z UTC
Hits:
~1000
Detections:
HEUR:Backdoor.Win32.Remcos.gen Trojan.NSIS.Makoob.sbe Trojan.NSIS.Makoob.sba Trojan-Downloader.Win32.Minix.sb
Link:
https://opentip.kaspersky.com/99d592000e85eef794a714fa042815a31a1d34bba194555bcfc2e85175a8ab2c/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/94ca61d3-eb0b-48b2-a8ec-f8dda4fa2f57
Result
Threat name:
GuLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1802175
Signature
AI detected suspicious PE digital signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Detected Remcos RAT
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1802175 Sample: Order 2736.exe Startdate: 27/10/2025 Architecture: WINDOWS Score: 100 57 drive.usercontent.google.com 2->57 59 drive.google.com 2->59 75 Suricata IDS alerts for network traffic 2->75 77 Found malware configuration 2->77 79 Antivirus detection for dropped file 2->79 81 12 other signatures 2->81 10 Order 2736.exe 1 28 2->10         started        13 remcos.exe 24 2->13         started        16 remcos.exe 2->16         started        signatures3 process4 file5 47 C:\Users\user\AppData\Local\...\System.dll, PE32 10->47 dropped 18 Order 2736.exe 2 10 10->18         started        49 C:\Users\user\AppData\Local\...\System.dll, PE32 13->49 dropped 97 Found direct / indirect Syscall (likely to bypass EDR) 13->97 23 remcos.exe 13->23         started        signatures6 process7 dnsIp8 61 drive.google.com 142.250.188.14, 443, 49763, 49765 GOOGLEUS United States 18->61 63 drive.usercontent.google.com 142.251.40.193, 443, 49764, 49766 GOOGLEUS United States 18->63 41 C:\ProgramData\Remcos\remcos.exe, PE32 18->41 dropped 43 C:\ProgramData\...\remcos.exe:Zone.Identifier, ASCII 18->43 dropped 83 Detected Remcos RAT 18->83 85 Creates autostart registry keys with suspicious names 18->85 25 remcos.exe 24 18->25         started        87 Found direct / indirect Syscall (likely to bypass EDR) 23->87 file9 signatures10 process11 file12 45 C:\Users\user\AppData\Local\...\System.dll, PE32 25->45 dropped 89 Multi AV Scanner detection for dropped file 25->89 91 Found hidden mapped module (file has been removed from disk) 25->91 93 Tries to detect virtualization through RDTSC time measurements 25->93 95 2 other signatures 25->95 29 remcos.exe 4 10 25->29         started        signatures13 process14 dnsIp15 65 196.251.114.65, 2404, 49767, 49768 xneeloZA Seychelles 29->65 51 C:\Users\user\AppData\Local\Temp\TH3574.tmp, MS-DOS 29->51 dropped 53 C:\Users\user\AppData\Local\Temp\TH3553.tmp, MS-DOS 29->53 dropped 55 C:\Users\user\AppData\Local\Temp\TH3514.tmp, PE32 29->55 dropped 99 Detected Remcos RAT 29->99 101 Writes to foreign memory regions 29->101 103 Maps a DLL or memory area into another process 29->103 34 RmClient.exe 1 29->34         started        37 RmClient.exe 2 29->37         started        39 RmClient.exe 1 29->39         started        file16 signatures17 process18 signatures19 67 Tries to steal Instant Messenger accounts or passwords 34->67 69 Tries to steal Mail credentials (via file / registry access) 34->69 71 Tries to steal Mail credentials (via file registry) 37->71 73 Tries to harvest and steal browser information (history, passwords, etc) 37->73
Score:
64%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/99d592000e85eef794a714fa042815a31a1d34bba194555bcfc2e85175a8ab2c
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/db8f4d4fb8ae576974bc62a6b0773971
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/99d592000e85eef794a714fa042815a31a1d34bba194555bcfc2e85175a8ab2c/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/99d592000e85eef794a714fa042815a31a1d34bba194555bcfc2e85175a8ab2c
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2025-10-27 01:02:30 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
12 of 23 (52.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=thkzeaaoqxxppffhct5aikavumnb2nf3ugkfkw6pylufc5nivmwa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
09a3119541471bb54bfe2bbb4cb18d86501deb8d6a0737ac659bf34e0b6a65d0
RemcosRAT
3997015d194d36fbfdf295ccfac536f72f39e2710777613eab05e5dd98a35ee8
RemcosRAT
3db2448252079fc75ecc09ab84bd133e951ac084666e6972733db1975bf9d1be
RemcosRAT
6c395098c834dc56befed790a3f47f542376b19d4bc10e34b23e315afe8108e9
RemcosRAT
abc25960c92c881ef69a94a3d8a96faacfdf0619327332509227c3cadc5f13b0
RemcosRAT
ad014d604ccb527054c3e00fbc8f963b916bd22f3b571275c8a149881f4d1daa
RemcosRAT
d510513ccbb33c26a814ac58e781688d20780ee08a85f5962a94866cf988a0a4
RemcosRAT
d899a46671c4d07c396298300fa8bccb84afef9953785cfb6caacd95b059543b
RemcosRAT
e715ca77bca80baec611ba2f5982ce26a52211523f2db2115165e593b65ff6ef
RemcosRAT
e837ce85c10c216e724d02358e910fa27e6b1c93dff8e51ed71e54e1970c58ce
RemcosRAT
error
RemcosRAT
+ 1'994 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection discovery persistence rat
Link:
https://tria.ge/reports/251027-bqklmaxqck/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Launches sc.exe
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Remcos
Remcos family
Malware Config
C2 Extraction:
196.251.114.65:2404
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7e71246c-6e4e-4db8-a6ad-15e3776143be
Unpacked files
SH256 hash:
99d592000e85eef794a714fa042815a31a1d34bba194555bcfc2e85175a8ab2c
MD5 hash:
db8f4d4fb8ae576974bc62a6b0773971
SHA1 hash:
7f8694f79fc18dde97a9080e23439b56ad4bcb01
Link:
https://www.unpac.me/results/c619c132-a74a-427b-8bb7-8ba2b4f9ef70/
SH256 hash:
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb
MD5 hash:
17ed1c86bd67e78ade4712be48a7d2bd
SHA1 hash:
1cc9fe86d6d6030b4dae45ecddce5907991c01a0
Link:
https://www.unpac.me/results/c619c132-a74a-427b-8bb7-8ba2b4f9ef70/
SH256 hash:
c13104552b8b553159f50f6e2ca45114493397a6fa4bf2cbb960c4a2bbd349ab
MD5 hash:
42b064366f780c1f298fa3cb3aeae260
SHA1 hash:
5b0349db73c43f35227b252b9aa6555f5ede9015
Link:
https://www.unpac.me/results/c619c132-a74a-427b-8bb7-8ba2b4f9ef70/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/99d592000e85/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.52
Link:
https://yomi.yoroi.company/submissions/99d592000e85eef794a714fa042815a31a1d34bba194555bcfc2e85175a8ab2c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 99d592000e85eef794a714fa042815a31a1d34bba194555bcfc2e85175a8ab2c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/34237/

Comments