MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae083b4e99c5fd5c0ddf1bb08b301a5344e8153cce6bb1a976055c032e4b0aef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae083b4e99c5fd5c0ddf1bb08b301a5344e8153cce6bb1a976055c032e4b0aef
SHA3-384 hash: 3af14c4400d43a7211d7102131820fb2802fa85c57198220b30e8843926cc927ac797c02b979278102ddf1ce3a7f9728
SHA1 hash: 3aee11d1fb373fed5b9fa4ab5acb8ebc7f421965
MD5 hash: bbb57efbdf5ae11521f27a80708c707a
humanhash: cup-minnesota-east-paris
File name:x.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'567'232 bytes
First seen:2025-04-21 13:18:26 UTC
Last seen:2025-07-14 13:44:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 28f5e65a361bd583b60b9c7cd9e771e1 (1 x RemcosRAT)
ssdeep 24576:X90qfw2/plw15vmqNuM5zL3KaUsylDD+bGlkdVXJHbLX8bYs6:XvI2QNFzL3KaUBlUGlGX1vX8bYs
Threatray 205 similar samples on MalwareBazaar
TLSH T1FE75D033BDB04BF7C9E6097B8D4EB698180D7D60D918748A6BED5DC8BF35AB02C58112
TrID 35.4% (.EXE) Win64 Executable (generic) (10522/11/4)
22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.1% (.EXE) Win32 Executable (generic) (4504/4/1)
6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon 07d0d8dcd4d8d007 (8 x RemcosRAT, 7 x FormBook, 2 x AgentTesla)
Reporter James_inthe_box
Tags:192-227-173-59 exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
458
Origin country :
US US
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
x.exe
Verdict:
Malicious activity
Analysis date:
2025-04-21 13:20:43 UTC
Tags:
delphi dbatloader loader remcos rat stealer mpress
Link:
https://app.any.run/tasks/3b74478e-8694-479e-a997-5b0263cc0f7e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/3239/
Detection(s):
Win.Trojan.Modiloader-10042434-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=680647162203b3e10cd23f1d
Tags:
autorun remcos cobalt delphi
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
borland_delphi entropy fingerprint keylogger packed packed packer_detected remcos
Link:
https://www.filescan.io/uploads/680645cd90767142c3ddd72b/reports/6603aab5-40cb-4f15-b9d6-ba053615b186/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/ae083b4e99c5fd5c0ddf1bb08b301a5344e8153cce6bb1a976055c032e4b0aef
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/91de756c-d259-4e21-ae47-7fe8f7fcca83
Result
Threat name:
Remcos, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1670316
Signature
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Drops PE files with a suspicious file extension
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1670316 Sample: x.exe Startdate: 21/04/2025 Architecture: WINDOWS Score: 100 63 www.ambiopharmconsultingltd.com 2->63 65 geoplugin.net 2->65 73 Suricata IDS alerts for network traffic 2->73 75 Found malware configuration 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 11 other signatures 2->79 8 x.exe 8 2->8         started        12 rundll32.exe 2->12         started        14 rundll32.exe 2->14         started        16 3 other processes 2->16 signatures3 process4 file5 61 C:\Users\user\Links\Ktfafmbt.PIF, PE32 8->61 dropped 107 Drops PE files with a suspicious file extension 8->107 109 Writes to foreign memory regions 8->109 111 Allocates memory in foreign processes 8->111 113 4 other signatures 8->113 18 SndVol.exe 4 17 8->18         started        23 cmd.exe 1 8->23         started        25 cmd.exe 1 8->25         started        27 cmd.exe 1 8->27         started        29 Ktfafmbt.PIF 12->29         started        31 Ktfafmbt.PIF 14->31         started        33 Ktfafmbt.PIF 16->33         started        35 Ktfafmbt.PIF 16->35         started        37 Ktfafmbt.PIF 16->37         started        signatures6 process7 dnsIp8 67 www.ambiopharmconsultingltd.com 192.227.173.59, 2556, 49689, 49690 AS-COLOCROSSINGUS United States 18->67 69 geoplugin.net 178.237.33.50, 49692, 80 ATOM86-ASATOM86NL Netherlands 18->69 59 C:\ProgramData\file\logs.dat, data 18->59 dropped 81 Contains functionality to bypass UAC (CMSTPLUA) 18->81 83 Detected Remcos RAT 18->83 85 Contains functionalty to change the wallpaper 18->85 103 6 other signatures 18->103 52 3 other processes 18->52 87 Uses ping.exe to sleep 23->87 89 Uses schtasks.exe or at.exe to add and modify task schedules 23->89 91 Uses ping.exe to check the status of other devices and networks 23->91 39 conhost.exe 23->39         started        54 2 other processes 25->54 57 2 other processes 27->57 93 Writes to foreign memory regions 29->93 95 Allocates memory in foreign processes 29->95 97 Allocates many large memory junks 29->97 41 colorcpl.exe 29->41         started        105 2 other signatures 31->105 44 colorcpl.exe 31->44         started        99 Antivirus detection for dropped file 33->99 101 Multi AV Scanner detection for dropped file 33->101 46 SndVol.exe 33->46         started        48 SndVol.exe 35->48         started        50 SndVol.exe 37->50         started        file9 signatures10 process11 dnsIp12 115 Detected Remcos RAT 41->115 117 Tries to steal Mail credentials (via file registry) 52->117 119 Tries to steal Instant Messenger accounts or passwords 52->119 121 Tries to steal Mail credentials (via file / registry access) 52->121 123 Tries to harvest and steal browser information (history, passwords, etc) 52->123 71 127.0.0.1 unknown unknown 54->71 signatures13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ae083b4e99c5fd5c0ddf1bb08b301a5344e8153cce6bb1a976055c032e4b0aef
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ae083b4e99c5fd5c0ddf1bb08b301a5344e8153cce6bb1a976055c032e4b0aef/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2025-04-19 12:11:56 UTC
File Type:
PE (Exe)
Extracted files:
44
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vyedwtuzyx6vydo7doyiwma2kncoqfj4zzv3dklwavoaglslblxq._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
remcos
Create hunting rule
Similar samples:
061b716c6ca8262d658b5877cd23d1013e90831193da7e19cd03ca0f22b176bc
RemcosRAT
12c1c1518f45ddb96ce633a7da8a4129728d4f0359ff4bc4624ba02dcee18bd2
RemcosRAT
7cbc23bc350f050b9429f3c2b553dd00f04216a80a8103a0607277c106bd7f20
RemcosRAT
937e801eb514b4f00dd260d699cd69247c1bf9b65f925c164704a16bbf8e5156
RemcosRAT
a3114edcd192349ce4a5638983bf46a73b279e4bb2962fe263b32e4ea8465b9a
RemcosRAT
ac4e313d582ab153491aa677a62883b70a2e8a907a009ace26e906712dda5e97
RemcosRAT
ae083b4e99c5fd5c0ddf1bb08b301a5344e8153cce6bb1a976055c032e4b0aef
RemcosRAT
c8c42ae2eaf33626062223dbafa0d63db32e52fddaccb86794368761784eac4e
RemcosRAT
d81e8904bd7fe99cb71dca45476edd03b67f687c057c338fc8177784f151b34b
RemcosRAT
error
RemcosRAT
fdec4f38d4c07df570111f70f1fb8a8f778053b390eba076cf603866bafbb410
RemcosRAT
+ 195 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader collection discovery trojan
Link:
https://tria.ge/reports/250421-qkj58sykv6/
Behaviour
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks computer location settings
Executes dropped EXE
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Verdict:
Malicious
Tags:
Win.Trojan.Modiloader-10042434-0 remcos
YARA:
n/a
Link:
https://app.threat.zone/submission/42a5dde7-dcd8-47ad-90f1-eb2bfa53b808
Unpacked files
SH256 hash:
ae083b4e99c5fd5c0ddf1bb08b301a5344e8153cce6bb1a976055c032e4b0aef
MD5 hash:
bbb57efbdf5ae11521f27a80708c707a
SHA1 hash:
3aee11d1fb373fed5b9fa4ab5acb8ebc7f421965
Link:
https://www.unpac.me/results/2eb736fe-f3a5-40ad-a6f9-22f5ac63351f/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ae083b4e99c5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ae083b4e99c5fd5c0ddf1bb08b301a5344e8153cce6bb1a976055c032e4b0aef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Windows_Generic_Threat_d7b57912
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe ae083b4e99c5fd5c0ddf1bb08b301a5344e8153cce6bb1a976055c032e4b0aef

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/3239/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::GetFileAttributesA
kernel32.dll::FindFirstFileA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::PeekMessageW
user32.dll::CreateWindowExA

Comments