MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f844a78cc2cd8d8a426f050a3efe319930f723eb10be231de1c1f1600e82127. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 22


Intelligence 22 IOCs YARA 3 File information Comments

SHA256 hash: 9f844a78cc2cd8d8a426f050a3efe319930f723eb10be231de1c1f1600e82127
SHA3-384 hash: d3a7b5e7aac7fdbb77023afe2f22b150e4b1e3bcdfbc0661ac43f587c1e36117e35605f1960edce64bbe76e542eaf58c
SHA1 hash: fceb71b23ead80d609b2523936fe925e6c1fcb24
MD5 hash: 52c1005cff76c7c6f4b21a231ad6e130
humanhash: sixteen-mountain-river-charlie
File name:JUNE18TH-PO-3520398763520.bat
Download: download sample
Signature RemcosRAT
File size:1'257'472 bytes
First seen:2026-06-18 12:47:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'082 x AgentTesla, 20'059 x Formbook, 12'353 x SnakeKeylogger)
ssdeep 24576:0IFzrn0UruWt6fkxplJZz4m2ueUS2S+pP6Vb4zigcajbBykg+DiMrtmV2:0IFzrn01u6fcHJZ8m26SOpP6yzTcajlf
Threatray 54 similar samples on MalwareBazaar
TLSH T10F45237EB619D10AE54F03B61992E07403BEBEDCA513C51BAFE0BDEBB566F0019006A5
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 71e0ccd6f2e4f471 (1 x Formbook, 1 x AsyncRAT, 1 x PhantomStealer)
Reporter threatcat_ch
Tags:exe RemcosRAT

Intelligence


File Origin
# of uploads :
1
# of downloads :
235
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
exe
Verdict:
Malicious activity
Analysis date:
2026-06-18 12:47:26 UTC
Tags:
remcos rat auto-reg

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Tags:
negasteal shell msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade packed vbnet
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-06-18T01:23:00Z UTC
Last seen:
2026-06-20T10:09:00Z UTC
Hits:
~1000
Detections:
Trojan.MSIL.Inject.sb Trojan.MSIL.Dnoper.sb Trojan.MSIL.Crypt.sb Trojan-Dropper.Win32.Injector.sb PDM:Trojan.Win32.Generic HEUR:Trojan-Spy.MSIL.Noon.gen Backdoor.Win32.Androm.sb Trojan.Win32.Agent.sb
Result
Threat name:
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionalty to change the wallpaper
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected Remcos RAT
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Remcos
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Unusual module load detection (module proxying)
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1929955 Sample: JUNE18TH-PO-3520398763520.bat.exe Startdate: 18/06/2026 Architecture: WINDOWS Score: 100 60 wasthereasolutiin.airdns.org 2->60 64 Found malware configuration 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 Antivirus detection for URL or domain 2->68 70 14 other signatures 2->70 8 JUNE18TH-PO-3520398763520.bat.exe 1 7 2->8         started        12 powershell.exe 19 2->12         started        14 powershell.exe 2->14         started        16 svchost.exe 2->16         started        signatures3 process4 dnsIp5 50 C:\Users\user\AppData\Roaming\vwExeNX.exe, PE32 8->50 dropped 52 C:\Users\user\...\vwExeNX.exe:Zone.Identifier, ASCII 8->52 dropped 54 C:\Users\user\AppData\...\kdek0ezw1m3.ps1, ASCII 8->54 dropped 56 C:\...\JUNE18TH-PO-3520398763520.bat.exe.log, ASCII 8->56 dropped 88 Creates autostart registry keys with suspicious values (likely registry only malware) 8->88 90 Creates an autostart registry key pointing to binary in C:\Windows 8->90 92 Adds a directory exclusion to Windows Defender 8->92 94 2 other signatures 8->94 19 JUNE18TH-PO-3520398763520.bat.exe 4 8->19         started        23 powershell.exe 23 8->23         started        25 JUNE18TH-PO-3520398763520.bat.exe 8->25         started        27 vwExeNX.exe 3 12->27         started        29 conhost.exe 12->29         started        31 vwExeNX.exe 2 14->31         started        33 conhost.exe 14->33         started        58 127.0.0.1 unknown unknown 16->58 file6 signatures7 process8 dnsIp9 62 wasthereasolutiin.airdns.org 213.152.162.114, 10131, 49689, 49690 GLOBALLAYERNL Netherlands 19->62 72 Detected Remcos RAT 19->72 74 Loading BitLocker PowerShell Module 23->74 35 WmiPrvSE.exe 23->35         started        37 conhost.exe 23->37         started        76 Antivirus detection for dropped file 27->76 78 Multi AV Scanner detection for dropped file 27->78 80 Contains functionality to bypass UAC (CMSTPLUA) 27->80 84 4 other signatures 27->84 39 vwExeNX.exe 27->39         started        82 Injects a PE file into a foreign processes 31->82 42 vwExeNX.exe 31->42         started        44 vwExeNX.exe 31->44         started        46 vwExeNX.exe 31->46         started        48 2 other processes 31->48 signatures10 process11 signatures12 86 Detected Remcos RAT 39->86
Gathering data
Threat name:
Win32.Spyware.Negasteal
Status:
Malicious
First seen:
2026-06-18 04:36:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Result
Malware family:
Score:
  10/10
Tags:
family:remcos botnet:slikfix discovery execution persistence rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Family: Remcos
Malware Config
C2 Extraction:
wasthereasolutiin.airdns.org:10131
Unpacked files
SH256 hash:
9f844a78cc2cd8d8a426f050a3efe319930f723eb10be231de1c1f1600e82127
MD5 hash:
52c1005cff76c7c6f4b21a231ad6e130
SHA1 hash:
fceb71b23ead80d609b2523936fe925e6c1fcb24
SH256 hash:
585b046c66bc3e3dd3c1e3ed7a416c84c33390d28522b58cdfab0882d091b470
MD5 hash:
f60ff3f8715cd8ad62c5237a6bb46f16
SHA1 hash:
7eadad48e9b890148c0c599b973d09c14343b8db
SH256 hash:
09f0d4777eeb322290a8c8323eab7acf6fa1f97cf1f5813d58df177ee0f8d50d
MD5 hash:
c207af7bd36b6a119aacf5e1a8cf2d8c
SHA1 hash:
856c1fc0412c334571f472f2f4c2489e040cd5d0
SH256 hash:
a2b12a3f77693978ec63ae262f81268909e1248ca373d9b3ecca7ca3f5913acf
MD5 hash:
c00449e5b3effa4d7d355dc37305f0ca
SHA1 hash:
95ea4da9592ca68d94cee91a63591141d4308a9e
Detections:
win_remcos_auto win_remcos_w0 Remcos
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 9f844a78cc2cd8d8a426f050a3efe319930f723eb10be231de1c1f1600e82127

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments