MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abd30485e613a4f9fff5b6bb8e0a10abdb331d10346ef3dd31cea53e34491ce9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 30 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: abd30485e613a4f9fff5b6bb8e0a10abdb331d10346ef3dd31cea53e34491ce9
SHA3-384 hash: bb40eda06c748ee75bf6627bb63555f3447fe5002caf7ab9709847ed5178203925f256c2266da814f484510bfa5bb6d9
SHA1 hash: 895efcc314565a3a196f59ca485d8ff8fb2eaa5f
MD5 hash: 2f5c9acef834f012e09fbf167ca56465
humanhash: fruit-east-monkey-vermont
File name:rInforma____odopedidon___05032025.scr
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:221'696 bytes
First seen:2025-03-06 18:00:08 UTC
Last seen:2025-03-06 18:35:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:APq1raHUePwFZZHuWyecOUfTBezUNfGBhlU/7POguiumjfEIl:APqBZVh8LE00i/7PduilH
Threatray 5'931 similar samples on MalwareBazaar
TLSH T1E324531776CAC5B1C2645B36C4AF470007B4FE81E66BC61AFBEE3B5B095376A984031B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 00dc9aa2aaa2c400 (1 x RemcosRAT, 1 x PureCrypter)
Reporter FXOLabs
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
611
Origin country :
US US
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Informação do pedido nº. 05032025.scr
Verdict:
Malicious activity
Analysis date:
2025-03-06 18:02:42 UTC
Tags:
opendir rat remcos remote purecrypter netreactor
Link:
https://app.any.run/tasks/ed832505-f383-48bc-bcbc-f787ef3783dc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.12432.19212.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67c9e419c668b65489bf7fb5
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Sending an HTTP GET request to an infection source
Launching a process
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Reading critical registry keys
Creating a file in the %temp% directory
Connection attempt to an infection source
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
masquerade net_reactor obfuscated packed stealer
Link:
https://www.filescan.io/uploads/67c9e2af4a3011c802c9a0ca/reports/76b695de-b0c4-4b8f-8760-376568335327/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/abd30485e613a4f9fff5b6bb8e0a10abdb331d10346ef3dd31cea53e34491ce9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/51454751-1f2f-4112-9dbf-3f1ab1034b3e
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1631194
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1631194 Sample: rInforma____odopedidon___05... Startdate: 06/03/2025 Architecture: WINDOWS Score: 100 25 geoplugin.net 2->25 39 Suricata IDS alerts for network traffic 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 10 other signatures 2->45 8 rInforma____odopedidon___05032025.scr.exe 15 2 2->8         started        signatures3 process4 dnsIp5 27 91.223.3.167, 49733, 80 PL-SKYTECH-ASPL Poland 8->27 47 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->47 12 InstallUtil.exe 4 13 8->12         started        signatures6 process7 dnsIp8 29 15.204.0.108, 4607, 49734, 49735 HP-INTERNET-ASUS United States 12->29 31 geoplugin.net 178.237.33.50, 49736, 80 ATOM86-ASATOM86NL Netherlands 12->31 49 Contains functionality to bypass UAC (CMSTPLUA) 12->49 51 Detected Remcos RAT 12->51 53 Tries to steal Mail credentials (via file registry) 12->53 55 7 other signatures 12->55 16 InstallUtil.exe 1 12->16         started        19 InstallUtil.exe 1 12->19         started        21 InstallUtil.exe 2 12->21         started        23 4 other processes 12->23 signatures9 process10 signatures11 33 Tries to steal Instant Messenger accounts or passwords 16->33 35 Tries to steal Mail credentials (via file / registry access) 16->35 37 Tries to harvest and steal browser information (history, passwords, etc) 19->37
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/abd30485e613a4f9fff5b6bb8e0a10abdb331d10346ef3dd31cea53e34491ce9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/abd30485e613a4f9fff5b6bb8e0a10abdb331d10346ef3dd31cea53e34491ce9/
Threat name:
Win32.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2025-03-06 15:54:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vpjqjbpgcospt77vw25y4cqqvpntghiqgrxphxjrz2st4ncjdtuq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
02a3bd948e6463c2dc29482b77286aa13e7c76043a16fffd0b0ce05e53c1c68e
RemcosRAT
1c80bf8e780ae58203e7f816c8fe04f66df434a3fbd981ba7c6e52e588622c03
RemcosRAT
4af2c738b8b2cc2a5ffdc33dea46b4e82582d32c95af28456127991bb1b50e09
RemcosRAT
8494f6e50e72e6108b7b4c474fc5fcae6723dfde0f074aab1a3c95f65ffe89ba
RemcosRAT
b43ca133d57448c7afb42bffcb1ce756cdad70308d3f49c9c981fac24c55e76f
RemcosRAT
b69b9806518246a9db6ae7d892b6d20b3b2c3381851def105fc5bcb049e717fb
RemcosRAT
d2a87b1b1a1106b874e949e49a55e7e68202eaa84062c270bbf62481bb769a45
RemcosRAT
db0957f9d8a95431403d63b33f7c424a5593424ceaf6aefb25694557a2e558b3
RemcosRAT
ea3d846cce6aa910a7ff04f5908946c735f94c41576c4cf44ced9c6304491861
RemcosRAT
error
RemcosRAT
+ 5'921 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
collection discovery
Link:
https://tria.ge/reports/250306-wlevsstzdx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Detected Nirsoft tools
NirSoft MailPassView
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1bd033cf-5176-4293-9c4c-a72f786e6aca
Unpacked files
SH256 hash:
abd30485e613a4f9fff5b6bb8e0a10abdb331d10346ef3dd31cea53e34491ce9
MD5 hash:
2f5c9acef834f012e09fbf167ca56465
SHA1 hash:
895efcc314565a3a196f59ca485d8ff8fb2eaa5f
Detections:
PureCrypter_Stage1
Create hunting rule
Link:
https://www.unpac.me/results/0a5204b9-f0e4-4d8e-b6e9-e2c7389d60c8/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/abd30485e613/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/abd30485e613a4f9fff5b6bb8e0a10abdb331d10346ef3dd31cea53e34491ce9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:Lumma_Stealer_Detection
Create hunting rule
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:nirsoft_v1
Create hunting rule
Author:RandomMalware
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Remcos_unpacked_PulseIntel
Create hunting rule
Author:PulseIntel
Description:Remcos Payload
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:TeslaCryptPackedMalware
Create hunting rule
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:win_remcos_rat_unpacked
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:win_remcos_w0
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:yarahub_win_remcos_rat_unpacked_aug_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe abd30485e613a4f9fff5b6bb8e0a10abdb331d10346ef3dd31cea53e34491ce9

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments