MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9adf45e916d4221218b486ba02c1912ff30335c1373ebbcffbf5dc972899cae3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9adf45e916d4221218b486ba02c1912ff30335c1373ebbcffbf5dc972899cae3
SHA3-384 hash: 4dff309a8eb18c47b45a88cc36d0f7bb7e6e7027d400313e636afb01bda66dc8bedbb44d229b2c7bf12e7eaeca99a8ae
SHA1 hash: 6f0ff1db89412bf525beee0c1186e82160d41998
MD5 hash: 23cf8a639e66400f85c57ff31ed87053
humanhash: bulldog-victor-lima-texas
File name:d.msi
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:4'071'424 bytes
First seen:2025-10-14 12:07:13 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:N5VL8r6F5mCmR+tugZZL+H9IyKficUAG595W40ZZnZA4s14HxPMxUIroPueG6bgH:Fo6fZLSIX6cZGZWXpVHx2UIUPOVgu
Threatray 4'553 similar samples on MalwareBazaar
TLSH T1FC160116B3C38A22C55D017BF459FE0E5438FE63473451E7BAF5395F88B08C1A2BAA46
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter abuse_ch
Tags:msi RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
54
Origin country :
SE SE
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/32694/
Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68ee3d3d97a16d00a8d9d3dd
Tags:
shellcode dropper virus
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
cmd evasive lolbin obfuscated remote threat wix
Link:
https://www.filescan.io/uploads/68ee3d4b71883144ef364592/reports/a8ac9f1a-c14f-4a15-8319-99bccadb1b59/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/9adf45e916d4221218b486ba02c1912ff30335c1373ebbcffbf5dc972899cae3
Verdict:
Malicious
File Type:
msi
First seen:
2025-10-13T20:36:00Z UTC
Last seen:
2025-10-13T21:12:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Penguish.sb Trojan.Win32.Inject.sb Trojan.Win32.Agent.sb Backdoor.Win32.Remcos.f VHO:Trojan.Win32.Penguish.drw Trojan.Win32.Penguish.drw Trojan.Win64.Penguish.gen
Link:
https://opentip.kaspersky.com/9adf45e916d4221218b486ba02c1912ff30335c1373ebbcffbf5dc972899cae3/results?tab=lookup
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1794813
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1794813 Sample: d.msi Startdate: 14/10/2025 Architecture: WINDOWS Score: 100 56 185.157.162.126 OBE-EUROPEObenetworkEuropeSE Sweden 2->56 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Antivirus detection for dropped file 2->62 64 6 other signatures 2->64 9 msiexec.exe 23 49 2->9         started        12 EHttpSrv.exe 1 2->12         started        15 EHttpSrv.exe 1 2->15         started        17 msiexec.exe 3 2->17         started        signatures3 process4 file5 46 C:\Windows\Installer\MSI180F.tmp, PE32 9->46 dropped 48 C:\Windows\Installer\MSI17DF.tmp, PE32 9->48 dropped 50 C:\Windows\Installer\MSI17AF.tmp, PE32 9->50 dropped 52 5 other malicious files 9->52 dropped 19 EHttpSrv.exe 1 9->19         started        22 msiexec.exe 9->22         started        74 Maps a DLL or memory area into another process 12->74 24 cmd.exe 2 12->24         started        27 cmd.exe 15->27         started        signatures6 process7 file8 66 Maps a DLL or memory area into another process 19->66 68 Switches to a custom stack to bypass stack traces 19->68 29 cmd.exe 4 19->29         started        44 C:\Users\user\AppData\Local\Temp\ttwlfa, PE32 24->44 dropped 70 Writes to foreign memory regions 24->70 33 EHttpSrv.exe 24->33         started        35 conhost.exe 24->35         started        37 conhost.exe 27->37         started        signatures9 process10 file11 54 C:\Users\user\AppData\...\excjdmglcxgujh, PE32 29->54 dropped 76 Writes to foreign memory regions 29->76 78 Found hidden mapped module (file has been removed from disk) 29->78 80 Maps a DLL or memory area into another process 29->80 82 Switches to a custom stack to bypass stack traces 29->82 39 EHttpSrv.exe 29->39         started        42 conhost.exe 29->42         started        84 Found direct / indirect Syscall (likely to bypass EDR) 33->84 signatures12 process13 signatures14 72 Found direct / indirect Syscall (likely to bypass EDR) 39->72
Score:
10%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/9adf45e916d4221218b486ba02c1912ff30335c1373ebbcffbf5dc972899cae3
Verdict:
inconclusive
YARA:
6 match(es)
Tags:
.Net CAB:COMPRESSION:MSZIP Executable Office Document PDB Path PE (Portable Executable) PE File Layout SVG
Link:
https://app.malva.re/file/23cf8a639e66400f85c57ff31ed87053
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9adf45e916d4221218b486ba02c1912ff30335c1373ebbcffbf5dc972899cae3/
Verdict:
Malicious
Threat:
Family.HIJACKLOADER
Link:
https://tip.neiki.dev/file/9adf45e916d4221218b486ba02c1912ff30335c1373ebbcffbf5dc972899cae3
Threat name:
Win32.Trojan.Suschil
Create hunting rule
Status:
Malicious
First seen:
2025-10-14 02:54:11 UTC
File Type:
Binary (Archive)
Extracted files:
298
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tlpul2iw2qrbegfuq25afqmrf7zqgnobg47lxt736xojokezzlrq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
23723f9b4239194a21bf0df559f9e9df8aec1399899346311c09cdcd91a9f1b0
RemcosRAT
289266f50512ab914e578d5ce34352d297983fe303edd7b211521e94e4db7ca7
RemcosRAT
6ed0c218b751ec93293b5922e783b7a9b147a3c7cd6070022cd707050108d321
RemcosRAT
a326bbb242a11e0cd4155f58bcffa36b99487cf0d655359fd161e905577d8254
RemcosRAT
bdb79800e4177b59b3830ae7cc996a41fc2b560593e7b51e02408c062f8d4449
RemcosRAT
e483ca3bc78e49f0ceef3406ea963101fe1d2b08b4bace6945ac9298222b8c37
RemcosRAT
error
RemcosRAT
f286d2b89eaebb2e1e6e23a44bc92dae7c058348286810549f4c7514c9ea61ad
RemcosRAT
f5dfa6b5d19d9334c69d24dd98f13cb30badacb6403b03afc47af4e267cbe0c2
RemcosRAT
+ 4'543 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader family:remcos botnet:v2 discovery loader persistence privilege_escalation rat
Link:
https://tria.ge/reports/251014-pa47zs1rz8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Remcos
Remcos family
Malware Config
C2 Extraction:
185.157.162.126:1995
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8eed244e-bda6-437b-a844-a0f1feb839a5
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9adf45e916d4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9adf45e916d4221218b486ba02c1912ff30335c1373ebbcffbf5dc972899cae3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_MSI_LATAM_Banker_From_LatAm
Create hunting rule
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Microsoft Software Installer (MSI) msi 9adf45e916d4221218b486ba02c1912ff30335c1373ebbcffbf5dc972899cae3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3444507/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3444267/
Cape
Cape
https://www.capesandbox.com/analysis/32694/

Comments