MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3b797088da9ddb98ef5a04ff29d54e289cd7824a47ebf1f7b09ea4eb2c840bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 16 File information Comments

SHA256 hash:	a3b797088da9ddb98ef5a04ff29d54e289cd7824a47ebf1f7b09ea4eb2c840bb
SHA3-384 hash:	f5f60dbc5b3755e57970c56c7d6e83e18d727cd8acccdc256e425b58a665d002af81ed8f229e7609dbd624cc35759f02
SHA1 hash:	d61497463ff4f9837945bf215c4241374abf4845
MD5 hash:	7ab59d753fdaef9db15732bf9e5217fd
humanhash:	snake-fourteen-illinois-grey
File name:	3076a25bf4b4449397ec68d8d0b12679.ps1
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	641'871 bytes
First seen:	2025-07-29 07:25:16 UTC
Last seen:	2025-07-29 07:51:51 UTC
File type:	ps1
MIME type:	text/plain
ssdeep	12288:na3nfP65xBecMRCychmlvlnNLDdXX2nXxFYQMAGOuCsJ:5NJMRCVIldnNPhQdsJ
TLSH	T1CCD4AF3AC517BDDB3A1E0D8C940C2D421DB81DD7C678E6A8D98C506776CCA929FAC4F8
Magika	powershell
Reporter	JAMESWT_WT
Tags:	bigbelly042-duckdns-org ps1 RemcosRAT Spam-ITA

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Generic-EXE.UNOFFICIAL

SecuriteInfo.com.VBS.EmbeddedEXE-2.UNOFFICIAL

SecuriteInfo.com.PUA.Base64EXE-2.UNOFFICIAL

Verdict:

Malicious

Score:

91.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6888774c0b4775fb2132d11c

Tags:

ransomware

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated obfuscated

Link:

https://www.filescan.io/uploads/6888777913488cfd44ddc7b8/reports/edb4f72a-d88b-4c3d-b1f6-0089becb2f1b/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/a3b797088da9ddb98ef5a04ff29d54e289cd7824a47ebf1f7b09ea4eb2c840bb

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/a3b797088da9ddb98ef5a04ff29d54e289cd7824a47ebf1f7b09ea4eb2c840bb

Verdict:

Malware

YARA:

3 match(es)

Tags:

Base64 Block Base64 Payload Contains Base64 Block DeObfuscated Executable PDB Path PE (Portable Executable) PowerShell

Link:

https://app.malva.re/file/7ab59d753fdaef9db15732bf9e5217fd

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/a3b797088da9ddb98ef5a04ff29d54e289cd7824a47ebf1f7b09ea4eb2c840bb/

Verdict:

Malicious

Threat:

VHO:Trojan.Win32.BypassUAC

Link:

https://tip.neiki.dev/file/a3b797088da9ddb98ef5a04ff29d54e289cd7824a47ebf1f7b09ea4eb2c840bb

Threat name:

Script-PowerShell.Backdoor.Remcos

Status:

Malicious

First seen:

2025-07-26 17:50:41 UTC

File Type:

Text

AV detection:

10 of 24 (41.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uo3zocenvho3tdxvubh7fhku4ke426beur7l6h33bhve5mwiic5q._file

Verdict:

malicious

Label(s):

remcos

Similar samples:

error

RemcosRAT

Result

Malware family:

n/a

Score:

9/10

Tags:

collection discovery execution spyware stealer

Link:

https://tria.ge/reports/250729-h89f2ael7y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook accounts

Executes dropped EXE

Reads user/profile data of web browsers

Detected Nirsoft tools

NirSoft MailPassView

NirSoft WebBrowserPassView

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a3b797088da9ddb98ef5a04ff29d54e289cd7824a47ebf1f7b09ea4eb2c840bb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	INDICATOR_EXE_Packed_MPress Create hunting rule
Author:	ditekSHen
Description:	Detects executables built or packed with MPress PE compressor

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	nirsoft_v1 Create hunting rule
Author:	RandomMalware

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SUSP_PS1_FromBase64String_Content_Indicator_RID3714 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious base64 encoded PowerShell expressions
Reference:	https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	TeslaCryptPackedMalware Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample