MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abd99bf17b7cf13044a064cfd6d73d38a19706ba46222e05e4893b188fbe9cd9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: abd99bf17b7cf13044a064cfd6d73d38a19706ba46222e05e4893b188fbe9cd9
SHA3-384 hash: e6315151c03a3280230421ddcc3f0031274b03f8b703c17b2c7c6f18c75808b833bd62101bdfdcc42b4e70b0505a77eb
SHA1 hash: d37d44e9138fd4c447c0ce376f889cb64459eb3c
MD5 hash: 07af87ddad0716c0e70d507c8e019f4e
humanhash: thirteen-football-sierra-edward
File name:October 2025 YTG Dealer Letter.bat
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:5'240 bytes
First seen:2025-10-22 11:04:53 UTC
Last seen:2025-10-22 13:32:24 UTC
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 96:GNlSKaPRTxe9/8+Ra8nfGh7L871qr3c1sYQgWCKJx357kGPx6bM7zsc3t:Gr7aPRTxuER8nuh74Jqr3c1sYdS5Qsx3
TLSH T106B152D6C782EFBD731B06E422552097469ADBC7840820F4FD6BA92B344DB1441EBECE
Magika txt
Reporter lowmal3
Tags:bat RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
66
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Alfa-R Engineering LLC Datasheetlər System.7z
Verdict:
No threats detected
Analysis date:
2025-10-22 10:30:15 UTC
Tags:
arch-exec
Link:
https://app.any.run/tasks/67a193fb-2eb3-47eb-93e5-4a2763ca889f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/33717/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f8ba9e3edd081eba40ace4
Tags:
xtreme shell sage
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 obfuscated powershell
Link:
https://www.filescan.io/uploads/68f8bb423a79800405f0c791/reports/6972ddca-e8b6-4eaa-abad-11f5d7b53ec2/overview
Verdict:
Malicious
Labled as:
PowerShell/TrojanDownloader.Agent
Link:
https://www.hybrid-analysis.com/sample/abd99bf17b7cf13044a064cfd6d73d38a19706ba46222e05e4893b188fbe9cd9
Verdict:
Malicious
File Type:
ps1
First seen:
2025-10-21T14:02:00Z UTC
Last seen:
2025-10-24T09:18:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan.Script.Generic HEUR:Trojan.BAT.Obfuscated.gen
Link:
https://opentip.kaspersky.com/abd99bf17b7cf13044a064cfd6d73d38a19706ba46222e05e4893b188fbe9cd9/results?tab=lookup
Result
Threat name:
GuLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1799702
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Early bird code injection technique detected
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queues an APC in another process (thread injection)
Sigma detected: Potential PowerShell Command Line Obfuscation
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Powershell decode and execute
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1799702 Sample: October 2025 YTG Dealer Let... Startdate: 22/10/2025 Architecture: WINDOWS Score: 100 46 fteamez7iurs08.duckdns.org 2->46 48 fteamez7iurs07.duckdns.org 2->48 50 8 other IPs or domains 2->50 70 Suricata IDS alerts for network traffic 2->70 72 Found malware configuration 2->72 74 Malicious sample detected (through community Yara rule) 2->74 78 12 other signatures 2->78 9 powershell.exe 17 2->9         started        12 cmd.exe 1 2->12         started        signatures3 76 Uses dynamic DNS services 48->76 process4 signatures5 80 Early bird code injection technique detected 9->80 82 Writes to foreign memory regions 9->82 84 Found suspicious powershell code related to unpacking or dynamic code loading 9->84 88 2 other signatures 9->88 14 msiexec.exe 6 11 9->14         started        19 conhost.exe 9->19         started        86 Suspicious powershell command line found 12->86 21 powershell.exe 14 18 12->21         started        23 conhost.exe 12->23         started        process6 dnsIp7 52 fteamez7iurs02.duckdns.org 172.111.213.69, 12760, 49725, 49726 WANSECURITYUS United States 14->52 54 vbc.ydns.eu 172.111.213.74, 12760, 12761 WANSECURITYUS United States 14->54 56 kociszew.webd.pl 194.181.228.25, 49721, 80 NASK-COMMERCIALPL Poland 14->56 38 C:\Users\user\AppData\Local\Temp\THE0DB.tmp, MS-DOS 14->38 dropped 40 C:\Users\user\AppData\Local\Temp\THD32E.tmp, MS-DOS 14->40 dropped 42 C:\Users\user\AppData\Local\Temp\THC1F7.tmp, PE32 14->42 dropped 44 C:\Users\user\AppData\...\lkrggaptsb.dat, data 14->44 dropped 60 Obfuscated command line found 14->60 62 Writes to foreign memory regions 14->62 64 Found hidden mapped module (file has been removed from disk) 14->64 68 3 other signatures 14->68 25 RmClient.exe 1 14->25         started        28 RmClient.exe 1 14->28         started        30 cmd.exe 1 14->30         started        32 3 other processes 14->32 58 dacar.hr 178.218.164.110, 443, 49718 SEDMIODJEL-ASHR Croatia (LOCAL Name: Hrvatska) 21->58 66 Found suspicious powershell code related to unpacking or dynamic code loading 21->66 file8 signatures9 process10 signatures11 90 Tries to steal Instant Messenger accounts or passwords 25->90 92 Tries to steal Mail credentials (via file / registry access) 25->92 94 Tries to harvest and steal browser information (history, passwords, etc) 28->94 96 Obfuscated command line found 30->96 34 conhost.exe 30->34         started        36 reg.exe 1 1 30->36         started        98 Tries to steal Mail credentials (via file registry) 32->98 process12
Score:
96%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/abd99bf17b7cf13044a064cfd6d73d38a19706ba46222e05e4893b188fbe9cd9
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/abd99bf17b7cf13044a064cfd6d73d38a19706ba46222e05e4893b188fbe9cd9/
Verdict:
Malicious
Threat:
Trojan.BAT.Obfuscated
Link:
https://tip.neiki.dev/file/abd99bf17b7cf13044a064cfd6d73d38a19706ba46222e05e4893b188fbe9cd9
Threat name:
Script-PowerShell.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-10-22 08:55:41 UTC
File Type:
Text
AV detection:
7 of 38 (18.42%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vpmzx4l3ptytarfamth5nvz5hcqzobv2iyrc4bpere5rrd56ttmq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/251022-m8zztayqex/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/abd99bf17b7cf13044a064cfd6d73d38a19706ba46222e05e4893b188fbe9cd9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Batch (bat) bat abd99bf17b7cf13044a064cfd6d73d38a19706ba46222e05e4893b188fbe9cd9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/33717/

Comments