MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0e71fc4618108e7d2d5c4de99b53b7860aacbf0450bc088f5d6516eb7cd15d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 17

Intelligence 17 IOCs YARA 3 File information Comments

SHA256 hash:	b0e71fc4618108e7d2d5c4de99b53b7860aacbf0450bc088f5d6516eb7cd15d7
SHA3-384 hash:	e5e841309be5d6f92c381e99f11892ac87bbbd51395e42ca65f5671f76bc8e462470d70ffa710204f2845efcd9f90574
SHA1 hash:	0c78bc314c09db2d8f8fb051dc1788ad336cef2b
MD5 hash:	8f59598fb768286bd1359c9b095e4710
humanhash:	march-king-winter-one
File name:	b0e71fc4618108e7d2d5c4de99b53b7860aacbf0450bc088f5d6516eb7cd15d7
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'021'952 bytes
First seen:	2025-10-09 14:33:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	24576:ooqytsiMzycprel+sN7PiSxWqpOiUXjj0Ui+X1L1yDFLYsB2IF:oEt38Jrel/KS8GQjjAQyDFcIF
TLSH	T1742512681746DC01D9B60FB00CB1D3721664AECEB905C357EEF6ECFFB86A7612941292
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10522/11/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
Reporter	adrian__luca
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

b0e71fc4618108e7d2d5c4de99b53b7860aacbf0450bc088f5d6516eb7cd15d7

Verdict:

Malicious activity

Analysis date:

2025-10-09 18:39:46 UTC

Tags:

rat remcos

Link:

https://app.any.run/tasks/435118f7-4358-4e05-945a-02943309e913

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/31573/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68e7c95a7f305fa2545e015b

Tags:

virus spawn msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

Creating a process from a recently created file

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process by context flags manipulation

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated packed packed packer_detected remcos

Link:

https://www.filescan.io/uploads/68e7d76bd4a0085473c5a489/reports/73189e94-bb38-4c15-97aa-a0aca2a82549/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/b0e71fc4618108e7d2d5c4de99b53b7860aacbf0450bc088f5d6516eb7cd15d7

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-23T07:31:00Z UTC

Last seen:

2025-10-05T02:11:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/b0e71fc4618108e7d2d5c4de99b53b7860aacbf0450bc088f5d6516eb7cd15d7/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/4f75ac17-dec2-46dd-a0a2-e7cef2480dbd

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b0e71fc4618108e7d2d5c4de99b53b7860aacbf0450bc088f5d6516eb7cd15d7

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.26 Win 32 Exe x86

Link:

https://app.malva.re/file/8f59598fb768286bd1359c9b095e4710

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/b0e71fc4618108e7d2d5c4de99b53b7860aacbf0450bc088f5d6516eb7cd15d7/

Threat name:

ByteCode-MSIL.Trojan.RedLineStealer

Status:

Malicious

First seen:

2025-09-23 14:19:35 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 36 (72.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wdtr7rdbqeeopuwvytpjtnj3pbqkvs7qiuf4bchv2ziw5n6ncxlq._file

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos discovery persistence rat

Link:

https://tria.ge/reports/251009-s4eqzagj4x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Remcos

Remcos family

Malware Config

C2 Extraction:

193.23.3.100:2404

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/ddfdd2c0-c903-4a6d-98de-2837dfb2cb6d

Unpacked files

SH256 hash:

b0e71fc4618108e7d2d5c4de99b53b7860aacbf0450bc088f5d6516eb7cd15d7

MD5 hash:

8f59598fb768286bd1359c9b095e4710

SHA1 hash:

0c78bc314c09db2d8f8fb051dc1788ad336cef2b

Link:

https://www.unpac.me/results/6dacf0db-546c-4c1a-ac42-d63d352b4d2b/

SH256 hash:

1041b538ccbc7d66e59247ef7551cde9b6c282843541585e9190a8e2e3943b12

MD5 hash:

e870d1e8f3791ccc141f85f40fd2972b

SHA1 hash:

150919ee289cffa6feb40ab8261f620dd7e26aac

Link:

https://www.unpac.me/results/6dacf0db-546c-4c1a-ac42-d63d352b4d2b/

SH256 hash:

5248697da0e928cb2f7ac6d1042278f42307c147ca0ec4d7fe4f52d00acd5655

MD5 hash:

f09a0ed9b48842f598ee7414886ba5d5

SHA1 hash:

4d7e4d009d9c132e4e8e7fa161bbd4d9e7b2088a

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/6dacf0db-546c-4c1a-ac42-d63d352b4d2b/

SH256 hash:

28cf1be01db9163a93b1b3e32cac5fffb0741906e3ae37295e2263a267b8e5e9

MD5 hash:

fa8fbccf912e25209cf4e2c0aaeecd49

SHA1 hash:

e1ba2e9531080cb64aae687a0d7cd66edb943fa3

Detections:

win_remcos_w0

win_remcos_auto

Remcos

malware_windows_remcos_rat

win_remcos_rat_unpacked

INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Link:

https://www.unpac.me/results/6dacf0db-546c-4c1a-ac42-d63d352b4d2b/

Parent samples :

d3ca5baf944da6755945329cd881bf120e5aa89621b891354e443ef6f9464370
b0e71fc4618108e7d2d5c4de99b53b7860aacbf0450bc088f5d6516eb7cd15d7
bf91d37bfd0f032dbf4614463f27df2f38fea5ece588b79a06ba066be7d760bd

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.61

Link:

https://yomi.yoroi.company/submissions/b0e71fc4618108e7d2d5c4de99b53b7860aacbf0450bc088f5d6516eb7cd15d7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/31573/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample