MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a517b979e26b414939bb4b35fcfa6526994e52acf7fc4b8ad6ec2e0232108442. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 1 File information Comments

SHA256 hash:	a517b979e26b414939bb4b35fcfa6526994e52acf7fc4b8ad6ec2e0232108442
SHA3-384 hash:	a02e344f3f50e00f88edeb0821812f7fad876a00016f8f0c249c1ae5f1c6e56bd67abcd3a64e38efcc8b83be9d84bce4
SHA1 hash:	ddae13a0f7556a6447905eab95fcf5abb0a01e53
MD5 hash:	1b73f899c43ad812a42143e95613aabc
humanhash:	whiskey-river-twenty-west
File name:	1B73F899C43AD812A42143E95613AABC.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	347'485 bytes
First seen:	2026-03-01 17:15:06 UTC
Last seen:	2026-03-01 18:27:44 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	1f23f452093b5c1ff091a2f9fb4fa3e9 (288 x GuLoader, 41 x RemcosRAT, 35 x AgentTesla)
ssdeep	6144:PR+xXo64cQNmmAw4dijjvU1F4ojPsQt00nEiUtjORD3:Jdkbw4dij4j4ArnBUx0j
TLSH	T1727402047B90E63BD86406B00C3FD6F69BB6FD64AC95138B6780771EBDB32859C0A365
TrID	50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.5% (.EXE) Win64 Executable (generic) (6522/11/2) 8.1% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

RemcosRAT C2:
172.111.232.233:1771

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
172.111.232.233:1771	https://threatfox.abuse.ch/ioc/1756423/

Intelligence

File Origin

# of uploads :

# of downloads :

208

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

GuLoader NSIS

Details

GuLoader

a c2 URL, a useragent string, and a string XOR key

GuLoader

an XOR decryption key and an extracted component

NSIS

extracted archive contents

Link:

https://research.acce.ciphertechsolutions.com/results/aed57ebb-3c41-4814-8245-123f0ae2c834/

Malware family:

remcos

ID:

File name:

_a517b979e26b414939bb4b35fcfa6526994e52acf7fc4b8ad6ec2e0232108442.exe

Verdict:

Malicious activity

Analysis date:

2026-03-01 17:17:06 UTC

Tags:

auto-reg rat remcos

Link:

https://app.any.run/tasks/f79828a8-7be4-48b7-b180-fbbf1382909b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/55134/

Verdict:

Malicious

Score:

91.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69a474368fffa866e3b3e7d1

Tags:

injection virus

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug blackhole installer installer installer-heuristic microsoft_visual_cc nsis soft-404

Link:

https://www.filescan.io/uploads/69a4743397feb4afd662c88a/reports/0ab42cec-cc0e-4368-bbe3-842ffad5b295/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/a517b979e26b414939bb4b35fcfa6526994e52acf7fc4b8ad6ec2e0232108442

Result

Gathering data

Verdict:

Malicious

File Type:

exe x32

Link:

https://opentip.kaspersky.com/a517b979e26b414939bb4b35fcfa6526994e52acf7fc4b8ad6ec2e0232108442/results?tab=lookup

Malware family:

Unlabeled

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/ee699084-4a1e-464a-b61b-07879efca314

Result

Threat name:

GuLoader, Remcos

Detection:

malicious

Classification:

troj.evad.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1876538

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Installs a global keyboard hook

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: New RUN Key Pointing to Suspicious Folder

Suricata IDS alerts for network traffic

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Unusual module load detection (module proxying)

Uses dynamic DNS services

Yara detected GuLoader

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Score:

88%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/a517b979e26b414939bb4b35fcfa6526994e52acf7fc4b8ad6ec2e0232108442

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/1b73f899c43ad812a42143e95613aabc

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a517b979e26b414939bb4b35fcfa6526994e52acf7fc4b8ad6ec2e0232108442/

Verdict:

Malicious

Threat:

Family.REMCOS

Link:

https://tip.neiki.dev/file/a517b979e26b414939bb4b35fcfa6526994e52acf7fc4b8ad6ec2e0232108442

Threat name:

Win32.Trojan.Sonbokli

Status:

Malicious

First seen:

2026-02-27 08:09:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 36 (47.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uul3s6pcnnauson3jm27z6tfe2mu4uvm676excww5qxaemqqqrba._file

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:send7 discovery persistence rat

Link:

https://tria.ge/reports/260301-vss6bsfz8c/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Adds Run key to start application

Contacts third-party web service commonly abused for C2

Loads dropped DLL

Remcos

Remcos family

Malware Config

C2 Extraction:

rajasas35safael2.duckdns.org:1771
rajasas35safael2.duckdns.org:1772
rajasas35safael3.duckdns.org:1771
rajasas35safael4.duckdns.org:1771
rajasas35safael5.duckdns.org:1771
rajasas35safael6.duckdns.org:1771

Unpacked files

SH256 hash:

3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

MD5 hash:

0d7ad4f45dc6f5aa87f606d0331c6901

SHA1 hash:

48df0911f0484cbe2a8cdd5362140b63c41ee457

Link:

https://www.unpac.me/results/f1ca23a0-9511-4c41-a959-1b3d30090400/

SH256 hash:

a517b979e26b414939bb4b35fcfa6526994e52acf7fc4b8ad6ec2e0232108442

MD5 hash:

1b73f899c43ad812a42143e95613aabc

SHA1 hash:

ddae13a0f7556a6447905eab95fcf5abb0a01e53

Link:

https://www.unpac.me/results/f1ca23a0-9511-4c41-a959-1b3d30090400/

Malware family:

GuLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a517b979e26b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_NSIS_Nullsoft_Installer Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects NSIS installers by .ndata section + NSIS header string

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/55134/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample