MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae19993ca28123ce277b975dbf1856c38b4e7aa0c35f6baa74397f0749828a4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 17

Intelligence 17 IOCs YARA 5 File information Comments

SHA256 hash:	ae19993ca28123ce277b975dbf1856c38b4e7aa0c35f6baa74397f0749828a4c
SHA3-384 hash:	6e9e9176aa23e5aea988b1f4ee4ee202b7f9cb54cc5e9a8a8de1e55a9457a9484a39632eb4d46ac87f329054fa8bc5be
SHA1 hash:	0ad7cf3e415ae4f8501fa6dded68a15d70f45371
MD5 hash:	aa32520840e4d4aa6307238dc5ce5e51
humanhash:	tennis-one-fanta-east
File name:	ae19993ca28123ce277b975dbf1856c38b4e7aa0c35f6baa74397f0749828a4c
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'395'712 bytes
First seen:	2026-06-08 09:15:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (49'066 x AgentTesla, 20'011 x Formbook, 12'352 x SnakeKeylogger)
ssdeep	24576:66aeB1o2Ki04JgbhUemQSUfI5fDElOiBqz74V54a1zUzZ5:va21o1N4kmQOBuOa1zUV5
Threatray	2'351 similar samples on MalwareBazaar
TLSH	T1A355F1D43A26E706CC620E75AA35DEB05AB80DA8F501BAE35FDD3F5BB0AD1506D0CB41
TrID	73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.6% (.EXE) Win64 Executable (generic) (6522/11/2) 4.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	adrian__luca
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

RoboSki

Details

Link:

https://research.acce.ciphertechsolutions.com/results/554ce5a8-7251-4fbf-8187-d2360bbd0984/

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/69696/

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a268883ae2f98c00a68c3fb

Tags:

virus micro msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Restart of the analyzed sample

Creating a file

Creating a process from a recently created file

Connection attempt

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 krypt packed vbnet

Link:

https://www.filescan.io/uploads/6a268889554e843ff864002e/reports/57b779d4-c9c3-4dc9-8433-15bd83ccb816/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/ae19993ca28123ce277b975dbf1856c38b4e7aa0c35f6baa74397f0749828a4c

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-05-06T07:30:00Z UTC

Last seen:

2026-05-18T00:56:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/ae19993ca28123ce277b975dbf1856c38b4e7aa0c35f6baa74397f0749828a4c/results?tab=lookup

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8e3e6519-40f8-4b28-a7b3-5cea33f5ad4f

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ae19993ca28123ce277b975dbf1856c38b4e7aa0c35f6baa74397f0749828a4c

Gathering data

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/ae19993ca28123ce277b975dbf1856c38b4e7aa0c35f6baa74397f0749828a4c/

Threat name:

ByteCode-MSIL.Trojan.Generic

Status:

Suspicious

First seen:

2026-05-06 10:51:48 UTC

AV detection:

15 of 18 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vymzspfcqer44j33s5o36gcwyofu46vaynpwxktuhf7qosmcrjga._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

be2142e2818d4df10efca8b223a823dae8dbcc0679e8e19a94fa9ae729c34273

RemcosRAT

bf46723d199408eb636dfbb7d50ef97fad7c96be7aedca35fa350c92a7492a4e

RemcosRAT

df20937ff3543e699ba6abdbd74e74e276dc8bfab9fb5cad1927292541887f7c

RemcosRAT

error

RemcosRAT

+ 2'341 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:grouphost discovery execution persistence rat

Link:

https://tria.ge/reports/260608-k8svdsby21/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Family: Remcos

Malware Config

C2 Extraction:

161.248.146.16:2245

Unpacked files

SH256 hash:

ae19993ca28123ce277b975dbf1856c38b4e7aa0c35f6baa74397f0749828a4c

MD5 hash:

aa32520840e4d4aa6307238dc5ce5e51

SHA1 hash:

0ad7cf3e415ae4f8501fa6dded68a15d70f45371

Link:

https://www.unpac.me/results/11431914-2373-486a-a468-10d10b9b5042/

SH256 hash:

b1406c9e9681a6a32e9a3dae75e91b009e4b0d1169d69f8d85226f2ff736fc75

MD5 hash:

029a31c3d63182d4df6701012eaac290

SHA1 hash:

17bccd6607a511376a674cf89faddeadc911d65b

Link:

https://www.unpac.me/results/11431914-2373-486a-a468-10d10b9b5042/

SH256 hash:

51f03dff4ed8ae25a19511a5a978c7a88cd09dac41df65a1dc07fe0b3db1d7cc

MD5 hash:

0d5e4f2e933fd4e5137a7381881d3a76

SHA1 hash:

a3a457396bb0bebc42a4a63ec426a5eb2547ea18

Detections:

win_remcos_auto

win_remcos_w0

Remcos

Link:

https://www.unpac.me/results/11431914-2373-486a-a468-10d10b9b5042/

SH256 hash:

d3a79c0061518b77a3dc73fc7e3932a1c73b9cf547a99a37d42ca497f4781f0d

MD5 hash:

10d7ba918b93f4cac164e5ea9d7ba14a

SHA1 hash:

a4d5da62942ab9b0f65b4fba35bdaedd2427cfd8

Link:

https://www.unpac.me/results/11431914-2373-486a-a468-10d10b9b5042/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ae19993ca28123ce277b975dbf1856c38b4e7aa0c35f6baa74397f0749828a4c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/69696/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample