MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7b336ac707a02409eeede986df2753eed36af85ac0b52dfe1d6b564c30a2ae2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 19

Intelligence 19 IOCs YARA 26 File information Comments

SHA256 hash:	b7b336ac707a02409eeede986df2753eed36af85ac0b52dfe1d6b564c30a2ae2
SHA3-384 hash:	90e38505ebff5a1c6df931ecf78b1b53e4715be3b5d845c09b3ff3889d61eed2f1e345386f1762966ab84d982e3c0544
SHA1 hash:	13346d1c563655609905079079a7a18836416f34
MD5 hash:	dbb42d91f214e9c00cf0fa9d735bad39
humanhash:	summer-twelve-tennessee-uniform
File name:	20260227150340_mutacion3_c3cde5.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	657'920 bytes
First seen:	2026-02-27 20:37:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9f4693fc0c511135129493f2161d1e86 (253 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep	12288:M7scoHvln/+iB9PQoYYUPGmdou5usyWVaMwmB:xcoHvln/+aPQoYDPGmd35oj7mB
TLSH	T15EE47D95A3D441F4D077C238C9828537E6B2BC056570462F03EB5E5B6F237A29F2EB26
TrID	84.0% (.EXE) Win32 Executable Borland Delphi 6 (262638/61) 4.5% (.EXE) Win32 Executable Delphi generic (14182/79/4) 3.1% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2) 2.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 2.0% (.EXE) Win64 Executable (generic) (6522/11/2)
Magika	pebin
Reporter	BastianHein
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

141

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

Neshta Remcos

Details

Neshta

an extracted component and decrypted strings

Remcos

a version number and verbose configuration settings

Link:

https://research.acce.ciphertechsolutions.com/results/e31f883d-42c0-4500-ba95-15e9456c4a05/

Malware family:

remcos

ID:

File name:

b7b336ac707a02409eeede986df2753eed36af85ac0b52dfe1d6b564c30a2ae2.exe

Verdict:

Malicious activity

Analysis date:

2026-02-27 20:24:59 UTC

Tags:

remcos rat neshta

Link:

https://app.any.run/tasks/cb2ef368-3d14-46ba-b5a9-4ec7ca65089d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Neshta

Link:

https://www.capesandbox.com/analysis/54932/

Detection(s):

Win.Trojan.Neshuta-1

Win.Virus.Neshta-7101689-0

Win.Trojan.Remcos-9841897-0

Win.Trojan.Remcos-10002580-0

Win.Trojan.Neshta-160

Win.Trojan.Neshta-153

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69a1fd9ac950ab5d9ab23d4b

Tags:

downloader dropper neshta virus

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

borland_delphi cmd evasive exploit exploit explorer fingerprint lolbin neshta overlay packed packed rat rat remcos remcos rundll32 virus windows

Link:

https://www.filescan.io/uploads/69a200b297feb4afd6602a5b/reports/6811c875-e7a0-40b9-871f-74caed0b9cd3/overview

Verdict:

Malicious

Labled as:

Neshta.A

Link:

https://www.hybrid-analysis.com/sample/b7b336ac707a02409eeede986df2753eed36af85ac0b52dfe1d6b564c30a2ae2

Verdict:

Malicious

File Type:

exe x32

Detections:

Trojan.Win32.Gorgon.sb Trojan-Spy.Win32.Xegumumune.sbc PDM:Trojan.Win32.Generic Virus.Win32.Neshta.a Trojan-Spy.Win32.Stealer.sb HEUR:Worm.Win32.Generic Backdoor.Win32.Remcos.sb Backdoor.Win32.Remcos.e Backdoor.Win32.Remcos.aayz Trojan-PSW.Win32.Stealer.sb

Link:

https://opentip.kaspersky.com/b7b336ac707a02409eeede986df2753eed36af85ac0b52dfe1d6b564c30a2ae2/results?tab=lookup

Malware family:

Neshta

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/10903c22-f715-4a28-b90e-debc39877bff

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b7b336ac707a02409eeede986df2753eed36af85ac0b52dfe1d6b564c30a2ae2

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b7b336ac707a02409eeede986df2753eed36af85ac0b52dfe1d6b564c30a2ae2/

Verdict:

Malicious

Threat:

Family.REMCOS

Link:

https://tip.neiki.dev/file/b7b336ac707a02409eeede986df2753eed36af85ac0b52dfe1d6b564c30a2ae2

Threat name:

Win32.Virus.Neshta

Status:

Malicious

First seen:

2026-02-27 18:10:52 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 24 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=w6ztnldqpibebhxo32mg34tvh3wtnl4fvqfvfx7b222wjqykflra._file

Verdict:

malicious

Label(s):

neshta

remcos

Similar samples:

error

RemcosRAT

Result

Malware family:

remcos

Score:

10/10

Tags:

family:neshta family:remcos discovery persistence spyware stealer

Link:

https://tria.ge/reports/260227-zes1mafx3g/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Checks computer location settings

Executes dropped EXE

Modifies system executable filetype association

Reads user/profile data of web browsers

Detect Neshta payload

Neshta

Neshta family

Unpacked files

SH256 hash:

b7b336ac707a02409eeede986df2753eed36af85ac0b52dfe1d6b564c30a2ae2

MD5 hash:

dbb42d91f214e9c00cf0fa9d735bad39

SHA1 hash:

13346d1c563655609905079079a7a18836416f34

Detections:

win_remcos_w0

win_neshta_g0

Neshta

Remcos

Link:

https://www.unpac.me/results/ae76a405-df3e-4c4d-829c-d4e5181760c4/

Malware family:

Neshta

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b7b336ac707a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b7b336ac707a02409eeede986df2753eed36af85ac0b52dfe1d6b564c30a2ae2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	EXE_Virus_Neshta_March2024 Create hunting rule
Author:	Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM Create hunting rule
Author:	ditekSHen
Description:	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Rule name:	MALWARE_Win_Neshta Create hunting rule
Author:	ditekSHen
Description:	Detects Neshta

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/

Rule name:	MAL_Neshta_Generic Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Neshta malware
Reference:	Internal Research

Rule name:	MAL_Neshta_Generic_RID2DC9 Create hunting rule
Author:	Florian Roth
Description:	Detects Neshta malware
Reference:	Internal Research

Rule name:	neshta_v1 Create hunting rule
Author:	RandomMalware

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	Remcos_unpacked_PulseIntel Create hunting rule
Author:	PulseIntel
Description:	Remcos Payload

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Windows_Trojan_Remcos_921ef449 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Remcos_b296e965 Create hunting rule
Author:	Elastic Security
Reference:	https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set

Rule name:	Windows_Virus_Neshta_2a5a14c8 Create hunting rule
Author:	Elastic Security

Rule name:	win_remcos_rat_unpacked Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects strings present in remcos rat Samples.

Rule name:	win_remcos_w0 Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects strings present in remcos rat Samples.

Rule name:	yarahub_win_remcos_rat_unpacked_aug_2023 Create hunting rule
Author:	Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/54932/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample