MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a245dc4e4ff5da951dfe9f37988d93300928a866c497b21d3de660d2b1b0f65c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a245dc4e4ff5da951dfe9f37988d93300928a866c497b21d3de660d2b1b0f65c
SHA3-384 hash: 1e81e54b8a573ac5ab975af960912e00fec467fb9ed8424f9f8141f913734e55372373d94892a3912d8187fed0168b0f
SHA1 hash: daffd076de444e20fbcbddfaffbcc00dcdd119ef
MD5 hash: 5ec9d165803ccdbaeef83b8af15b1a79
humanhash: magnesium-yellow-beer-seven
File name:Kxkyyhogbjiqjky.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'641'472 bytes
First seen:2025-10-24 13:07:56 UTC
Last seen:2025-11-06 11:05:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1c46483cb5cc22b9cc47e186fc5136c7 (5 x a310Logger, 2 x RemcosRAT)
ssdeep 24576:a1x9k6hSHdKu0IDGgCQl+XZJmHcyhBmV9uXIEDZ2rvL0nEo9jgmuJN15+S4oANJi:aZEZwrm1hY/i2jL2Ewjg
Threatray 1'644 similar samples on MalwareBazaar
TLSH T14E75D012FE528D3AF02E353AD82BDAD654197EF02A14786E79FD3A583F391C37416086
TrID 45.4% (.EXE) Win64 Executable (generic) (10522/11/4)
19.4% (.EXE) Win32 Executable (generic) (4504/4/1)
8.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
8.7% (.EXE) OS/2 Executable (generic) (2029/13)
8.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter James_inthe_box
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
120
Origin country :
US US
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Kxkyyhogbjiqjky.exe
Verdict:
Malicious activity
Analysis date:
2025-10-24 13:12:20 UTC
Tags:
delphi rat remcos remote
Link:
https://app.any.run/tasks/3e4d5fca-9977-41f9-bcc1-647231323507

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34042/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68fb7a5c3bdc93eb0563d6fe
Tags:
delphi emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
Creating a file
Creating a process from a recently created file
Connection attempt to an infection source
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug borland_delphi darkcloud fingerprint keylogger modiloader overlay overlay packed remcos zero
Link:
https://www.filescan.io/uploads/68fb7a7c3a79800405f4c413/reports/87f079a4-d1aa-4526-bbcd-8bad112b809e/overview
Verdict:
Malicious
Labled as:
TrojanDownloader/ModiLoader.a
Link:
https://www.hybrid-analysis.com/sample/a245dc4e4ff5da951dfe9f37988d93300928a866c497b21d3de660d2b1b0f65c
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-21T03:22:00Z UTC
Last seen:
2025-10-26T11:24:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/a245dc4e4ff5da951dfe9f37988d93300928a866c497b21d3de660d2b1b0f65c/results?tab=lookup
Malware family:
ModiLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3195c2d1-403a-4cce-8be0-979058b2f8a4
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a245dc4e4ff5da951dfe9f37988d93300928a866c497b21d3de660d2b1b0f65c
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a245dc4e4ff5da951dfe9f37988d93300928a866c497b21d3de660d2b1b0f65c/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2025-10-21 08:12:32 UTC
File Type:
PE (Exe)
Extracted files:
47
AV detection:
27 of 36 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ujc5ytsp6xnjkhp6t43zrdmtgaesrkdgysl3ehj54zqnfmnq6zoa._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
remcos
Create hunting rule
Similar samples:
3d291ac83b4d8f072c8998a788d1ce213445e1ade6b6e9b5751863c10826df44
RemcosRAT
44b4e8fd5f88de4ef6a49b7d42e9b31c226f66346db7f73d3ad8aaf1074c7f12
RemcosRAT
47dbb57be5618b8002a22685fd9d6e8dd3955232b783be156e7365eecaad08fb
RemcosRAT
5756bb7dd6781086bfa7c5af6786f9792c895f29900f37eb92284ab38224c8f8
RemcosRAT
915bbdf3cf472b1eb3ce2e4a3859214867cd885899b7c26bc13561709e122920
RemcosRAT
a245dc4e4ff5da951dfe9f37988d93300928a866c497b21d3de660d2b1b0f65c
RemcosRAT
ade2283b9bf50c48d8da2aa2d782e4b152bc13b4fc1665f665a55518d426a42a
RemcosRAT
d2ed08a124a2e2da4446c03d4487083a7078d901dff790c2ae0a8e61005a1eaf
RemcosRAT
error
RemcosRAT
+ 1'634 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader discovery trojan
Link:
https://tria.ge/reports/251024-qdqdnsyrdx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1bd96bdf-459f-4b8c-83b5-0693b66786f9
Unpacked files
SH256 hash:
a245dc4e4ff5da951dfe9f37988d93300928a866c497b21d3de660d2b1b0f65c
MD5 hash:
5ec9d165803ccdbaeef83b8af15b1a79
SHA1 hash:
daffd076de444e20fbcbddfaffbcc00dcdd119ef
Link:
https://www.unpac.me/results/ac939428-0d07-47d1-acff-331a00c4b94a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a245dc4e4ff5da951dfe9f37988d93300928a866c497b21d3de660d2b1b0f65c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/34042/

Comments