MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f84bbd8179674ee35fd11e94435df0c49c81bb5ca44c2f5ad4b5bec53f0ab35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 7

SHA256 hash: 9f84bbd8179674ee35fd11e94435df0c49c81bb5ca44c2f5ad4b5bec53f0ab35
SHA3-384 hash: 0111b9140125666b84043614319e20ac81dd77505080bba0f09ea41fb8f067a3bc450e363d26397754154682a5e68f8b
SHA1 hash: 1cbcc21567d99985b6dd13f75c4d0f24782ec2a8
MD5 hash: e00891b43db9e4acedebcadb089f8927
humanhash: india-montana-music-juliet
File name: SyAlpha16.zip
Signature: RemcosRAT
File size: 4'746'100 bytes
First seen: 2025-11-29 12:12:38 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 98304:Z8aFSHP97m78U7LV1RFhTBc1QMgvGeXvd1e4StbXcuvvE3TSa0U3BQOSA:Z8GSvo5F1RjBOQhvfe4GbXcuv8jSVIyU
TLSH: T178263303117DE4996B837B2464F31E3F31274B93A870E6AEDFEA44E1DB8811391A5367
Magika: zip
Reporter: BlinkzSec
Tags: RemcosRAT zip

Intelligence

File Origin
# of uploads: 1
# of downloads: 87
Origin country: SK

File Archive Information

This file archive contains 10 file(s), sorted by their relevance:

File name: webres.dll
File size: 904'192 bytes
SHA256 hash: a433f520af046edbcd5ff95f843635335f75a1d6daffa99b9d9174e9df8b2a46
MD5 hash: 776b35e1e9a8400a1791fa9488737ec6
MIME type: application/x-dosexec
Signature: RemcosRAT

File name: Droulcleendrood.qks
File size: 1'533'246 bytes
SHA256 hash: 06bf6eb1e4b0620eb71189b298820ff38790283e6d2198db3aa00e31ba7f06a1
MD5 hash: 4b0789d05152c8e062eebf1f59b80054
MIME type: application/octet-stream
Signature: RemcosRAT

File name: Temperature.dll
File size: 177'664 bytes
SHA256 hash: 8940ec12a587d1c22304b447f72aabbd058d6fe1d0156883146b7d103ed226fe
MD5 hash: 5c916d04158c9ea8d03e4c5e5eb5a3fb
MIME type: application/x-dosexec
Signature: RemcosRAT

File name: SyAlpha16.exe
File size: 2'591'488 bytes
SHA256 hash: e4d63c9aefed1b16830fdfce831f27b8e5b904c58b9172496125ba9920c7405b
MD5 hash: 1e0b2ef7208c86e2e66a2945b0716738
MIME type: application/x-dosexec
Signature: RemcosRAT

File name: vcl120.bpl
File size: 2'014'720 bytes
SHA256 hash: 859d84044efc9b130c639db1c9e65250546606ffd7e3f27f491099e56fbca97c
MD5 hash: d5145c203ad9d94a13416b1e5400ab2d
MIME type: application/x-dosexec
Signature: RemcosRAT

File name: rtl120.bpl
File size: 1'115'136 bytes
SHA256 hash: 16d723e4fcfd60c0dbf57d1c0d7aea1811aaa8ceace4d2f519d42429328d82c0
MD5 hash: 871678fa7176bd199d7ba3f8542b157c
MIME type: application/x-dosexec
Signature: RemcosRAT

File name: Saikdrarceer.opiw
File size: 25'439 bytes
SHA256 hash: 901fc92ff4f9305b4da603d39496641c256a7f62351941c6e9bc6e58035126d2
MD5 hash: 3bd2d3f260a802be1eba90d0f7c37899
MIME type: application/octet-stream
Signature: RemcosRAT

File name: 2
File size: 346 bytes
SHA256 hash: 49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e
MD5 hash: 24d3b502e1846356b0263f945ddd5529
MIME type: text/plain
Signature: RemcosRAT

File name: Focus.dll
File size: 555'008 bytes
SHA256 hash: 25d86f888db2acdb7edc980de16ccff09c6a053d4606fdb447370e5287ee4845
MD5 hash: a5d335ebd8eca8adeae81b0e69ce4545
MIME type: application/x-dosexec
Signature: RemcosRAT

File name: HardwareLib.dll
File size: 189'952 bytes
SHA256 hash: 4e5f1f42f90316819b9fe431722c5cc8c0a91d90e0fea87e580f17629e088a9a
MD5 hash: 022568111d51b5dbb92c0ab0872b380c
MIME type: application/x-dosexec
Signature: RemcosRAT
Vendor Threat Intelligence

Verdict: Malicious
Score: 70%
Tags: injection obfusc crypt

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug anti-vm embarcadero_delphi evasive expired-cert explorer fingerprint keylogger lolbin packed rundll32 runonce signed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict: Unknown
File Type: zip
First seen: 2025-11-29T09:07:00Z UTC
Last seen: 2025-11-29T09:07:00Z UTC
Hits: ~10

Verdict: inconclusive
YARA: 3 match(es)
Tags: Executable PDB Path PE (Portable Executable) PE File Layout Zip Archive

Threat name: Win32.Trojan.Rugmi
Status: Malicious
First seen: 2025-11-29 11:56:17 UTC
File Type: Binary (Archive)
Extracted files: 187
AV detection: 8 of 36 (22.22%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:hijackloader family:remcos botnet:asegurarretiry discovery loader rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Malware Config
C2 Extraction: seguritypostload.duckdns.org:1122

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants

Rule name: BobSoftMiniDelphiBoBBobSoft
Author: malware-lu

Rule name: Borland
Author: malware-lu

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base63 encoded powershell script.

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: NET
Author: malware-lu

Rule name: pe_detect_tls_callbacks

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD command that can be abused by a threat actor (can create FP)

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: test_Malaysia
Author: rectifyq
Description: Detects file containing malaysia string

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

Rule name: with_urls
Author: Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the presence of one or several URLs
Reference: http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
RemcosRAT
zip 9f84bbd8179674ee35fd11e94435df0c49c81bb5ca44c2f5ad4b5bec53f0ab35 (this sample)

Delivery method: Distributed via web download

Comments