MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b09c4b720472ee2fb724a5318cecac95cf1664b49154e63bfdbbf419a09d0758. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 20


Intelligence 20 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b09c4b720472ee2fb724a5318cecac95cf1664b49154e63bfdbbf419a09d0758
SHA3-384 hash: c100091a08d3acc6c44e640e7b3e2ff44215876838d715e8dbe0912d6c4033739747e15f23c5b8324b067fa167ee696e
SHA1 hash: d444240acc8d17d78705921747bb3a353b55610b
MD5 hash: 6577d5ca36df9e49e85e07952b6a52b3
humanhash: ohio-hot-bakerloo-sixteen
File name:payment. 001 11436-06-03-2026.bat
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:869'888 bytes
First seen:2026-06-04 05:40:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'013 x AgentTesla, 19'917 x Formbook, 12'332 x SnakeKeylogger)
ssdeep 12288:5dZMqlGZXwyC6nckcKQyyFiJiMzwbfK0egoLjmnTtinVhdXp/dc8ZCzjlRjuFj:5blGKp6coqFiJubyvL6nIHdXhVCXo
Threatray 29 similar samples on MalwareBazaar
TLSH T1670501390906EB01E8E66FB15DB1E2B437B62CEAF131C2195FCD1C6BBA67310B905356
TrID 72.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.4% (.EXE) Win64 Executable (generic) (6522/11/2)
4.4% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
dhash icon 60e0c2a3a3e4b292 (1 x RemcosRAT, 1 x PhantomStealer, 1 x AsyncRAT)
Reporter abuse_ch
Tags:bat exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
142
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/34a40cf1-52a7-47cc-b900-ca5e6084e983/
Malware family:
n/a
ID:
1
File name:
_b09c4b720472ee2fb724a5318cecac95cf1664b49154e63bfdbbf419a09d0758.exe
Verdict:
Malicious activity
Analysis date:
2026-06-04 05:41:58 UTC
Tags:
auto-reg auto-startup
Link:
https://app.any.run/tasks/94cc15a8-6a8d-45c6-90e0-5db05d23fc99

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68929/
Detection(s):
SecuriteInfo.com.Variant.Genie.8DN.96.33946796.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a210fdb57b7bf261d60bfdf
Tags:
autorun dropper shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Connection attempt
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context masquerade packed vbnet
Link:
https://www.filescan.io/uploads/6a210fda099ef368af1c89d1/reports/2ccabd66-28ba-4892-9e84-b18ca46fb307/overview
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/b09c4b720472ee2fb724a5318cecac95cf1664b49154e63bfdbbf419a09d0758
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-06-04T00:50:00Z UTC
Last seen:
2026-06-05T03:48:00Z UTC
Hits:
~1000
Detections:
Trojan.MSIL.Crypt.sb Trojan.MSIL.DOTHETUK.sb Trojan.MSIL.Dnoper.sb Trojan-Spy.Win64.Agent.sb Backdoor.Remcos.HTTP.C&C Trojan.MSIL.Inject.sb Trojan.MSIL.Agent.sb Trojan-PSW.Win32.Stealer.sb Backdoor.Win32.Androm.sb Trojan-Spy.Win32.Xegumumune.sbc Trojan-Spy.Win32.Stealer.sb PDM:Trojan.Win32.Generic HEUR:Trojan-Spy.MSIL.Noon.gen Backdoor.Win32.Remcos.sb Backdoor.Win32.Remcos.f Backdoor.Agent.TCP.C&C HEUR:Trojan.MSIL.Agent.gen Exploit.Win32.BypassUAC.sb Trojan.Win32.Agent.sb Trojan-Dropper.Win32.Injector.sb Backdoor.MSIL.XWorm.b Backdoor.Win32.Remcos.e
Link:
https://opentip.kaspersky.com/b09c4b720472ee2fb724a5318cecac95cf1664b49154e63bfdbbf419a09d0758/results?tab=lookup
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/947784d3-797d-4035-bafc-13a3e60e050f
Result
Threat name:
Remcos, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1922641
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Detected Remcos RAT
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Remcos
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Executable File Creation
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
WScript reads language and country specific registry keys (likely country aware script)
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1922641 Sample: payment. 001 11436-06-03-20... Startdate: 04/06/2026 Architecture: WINDOWS Score: 100 109 keyauth.win 2->109 111 geoplugin.net 2->111 125 Suricata IDS alerts for network traffic 2->125 127 Found malware configuration 2->127 129 Malicious sample detected (through community Yara rule) 2->129 131 28 other signatures 2->131 11 payment. 001 11436-06-03-2026.bat.exe 1 7 2->11         started        15 powershell.exe 19 2->15         started        17 powershell.exe 2->17         started        19 4 other processes 2->19 signatures3 process4 dnsIp5 99 C:\Users\user\AppData\...\siuoeVLKKWf.exe, PE32 11->99 dropped 101 C:\Users\...\siuoeVLKKWf.exe:Zone.Identifier, ASCII 11->101 dropped 103 C:\Users\user\AppData\...\4r3lsfrwtoa.ps1, ASCII 11->103 dropped 105 payment. 001 11436...03-2026.bat.exe.log, ASCII 11->105 dropped 153 Creates autostart registry keys with suspicious values (likely registry only malware) 11->153 155 Creates multiple autostart registry keys 11->155 157 Creates an autostart registry key pointing to binary in C:\Windows 11->157 161 2 other signatures 11->161 22 payment. 001 11436-06-03-2026.bat.exe 4 11 11->22         started        27 powershell.exe 23 11->27         started        29 payment. 001 11436-06-03-2026.bat.exe 11->29         started        31 payment. 001 11436-06-03-2026.bat.exe 11->31         started        33 siuoeVLKKWf.exe 15->33         started        35 conhost.exe 15->35         started        37 siuoeVLKKWf.exe 17->37         started        39 conhost.exe 17->39         started        113 127.0.0.1 unknown unknown 19->113 159 Detected Remcos RAT 19->159 file6 signatures7 process8 dnsIp9 115 155.103.71.146, 49692, 777 WHITELABELUS Turkey 22->115 89 C:\Users\user\AppData\Roaming\system32.exe, PE32 22->89 dropped 91 C:\Users\user\AppData\Local\Temp\flwdzv.exe, PE32 22->91 dropped 133 Tries to harvest and steal browser information (history, passwords, etc) 22->133 41 flwdzv.exe 22->41         started        45 csc.exe 22->45         started        47 csc.exe 22->47         started        57 4 other processes 22->57 135 Loading BitLocker PowerShell Module 27->135 49 conhost.exe 27->49         started        137 Multi AV Scanner detection for dropped file 33->137 139 Injects a PE file into a foreign processes 33->139 51 siuoeVLKKWf.exe 33->51         started        53 siuoeVLKKWf.exe 37->53         started        55 siuoeVLKKWf.exe 37->55         started        file10 signatures11 process12 file13 93 C:\Users\user\AppData\Local\...\windows32.exe, PE32 41->93 dropped 95 C:\Users\user\AppData\Local\...\install.vbs, data 41->95 dropped 141 Antivirus detection for dropped file 41->141 143 Multi AV Scanner detection for dropped file 41->143 145 Detected Remcos RAT 41->145 147 Creates multiple autostart registry keys 41->147 59 wscript.exe 41->59         started        97 C:\...\payment. 001 11436-06-03-2026.bat.exe, PE32 45->97 dropped 62 conhost.exe 45->62         started        64 cvtres.exe 45->64         started        66 conhost.exe 47->66         started        68 cvtres.exe 47->68         started        70 conhost.exe 57->70         started        72 cvtres.exe 57->72         started        74 conhost.exe 57->74         started        76 cvtres.exe 57->76         started        signatures14 process15 signatures16 149 Windows Scripting host queries suspicious COM object (likely to drop second stage) 59->149 151 WScript reads language and country specific registry keys (likely country aware script) 59->151 78 cmd.exe 59->78         started        process17 process18 80 windows32.exe 78->80         started        85 conhost.exe 78->85         started        dnsIp19 107 geoplugin.net 178.237.33.50 ATOM86-ASATOM86NL Netherlands 80->107 87 C:\ProgramData\windows32\logs.dat, data 80->87 dropped 117 Antivirus detection for dropped file 80->117 119 Multi AV Scanner detection for dropped file 80->119 121 Detected Remcos RAT 80->121 123 Installs a global keyboard hook 80->123 file20 signatures21
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b09c4b720472ee2fb724a5318cecac95cf1664b49154e63bfdbbf419a09d0758
Gathering data
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b09c4b720472ee2fb724a5318cecac95cf1664b49154e63bfdbbf419a09d0758/
Verdict:
Malicious
Threat:
Family.REMCOSRAT
Link:
https://tip.neiki.dev/file/b09c4b720472ee2fb724a5318cecac95cf1664b49154e63bfdbbf419a09d0758
Threat name:
Win32.Trojan.Genie
Create hunting rule
Status:
Malicious
First seen:
2026-06-04 03:57:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
15 of 36 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wcoew4qeolxc7nzeuuyyz3fmsxhrmzfusfkomo75xp2btie5a5ma._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
301aacc4bac5acd89177dfa0ed6fbafc8460f58a7e9a1b546187372ca6883e2c
RemcosRAT
457ee25c806d8b4cce736f18ac897bf464de671edef18df590220f87043f0638
RemcosRAT
59264e23039aa0aa0c5c376715c0d353cef4e52e055bd0da423dc8d2abef127f
RemcosRAT
797a4574316768c9e35bca960303066617e47069c78ea1f1d949cfa3535eb2de
RemcosRAT
e18128d6e9657ce06424fbdb8af5cc6b23bbeda33fdbc13762318d11b24a22f4
RemcosRAT
+ 19 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm collection discovery execution persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/260604-gc6jtsas5y/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Detect Xworm Payload
Family: Xworm
Unpacked files
SH256 hash:
b09c4b720472ee2fb724a5318cecac95cf1664b49154e63bfdbbf419a09d0758
MD5 hash:
6577d5ca36df9e49e85e07952b6a52b3
SHA1 hash:
d444240acc8d17d78705921747bb3a353b55610b
Link:
https://www.unpac.me/results/1cbf6965-51da-4aa3-b925-13e4a5131c9b/
SH256 hash:
88e9bd705ea4aa28ca889ac48514d58290e7dcff1fded1f1a57d8b0eb6fd4225
MD5 hash:
7fc5e8ad3f222a8e8aec2077283ad278
SHA1 hash:
08b054a8b64e48213088e13dbc1405dea043e046
Link:
https://www.unpac.me/results/1cbf6965-51da-4aa3-b925-13e4a5131c9b/
SH256 hash:
53621628353329b35f1fc4ee995b6ee43ad8bbf6a21956ff6e620b05a1ede650
MD5 hash:
a41d901f83b125d1b6db34d7e9f0f90d
SHA1 hash:
22b4f6c860b6080f59607bb6811ecc41eb766929
Link:
https://www.unpac.me/results/1cbf6965-51da-4aa3-b925-13e4a5131c9b/
SH256 hash:
cf5dafb0fd320378be54ed47d552dd872b7b343994ddba51e3a1cd2b30d176d3
MD5 hash:
d6e222077074b587ef0fb07636e43284
SHA1 hash:
ddcb6634e0e88f4b9ce66562d951e608a8d843cf
Link:
https://www.unpac.me/results/1cbf6965-51da-4aa3-b925-13e4a5131c9b/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b09c4b720472/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b09c4b720472ee2fb724a5318cecac95cf1664b49154e63bfdbbf419a09d0758

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Runtime_Broker_Variant_1
Create hunting rule
Author:Sn0wFr0$t
Description:Detecting malicious Runtime Broker
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/68929/

Comments