MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb8594c13244e445a1dfecba1f648242b3812fff888393e8b421c8a5ae64bf5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	bb8594c13244e445a1dfecba1f648242b3812fff888393e8b421c8a5ae64bf5e
SHA3-384 hash:	0d0d095a2b140f875a86bb792a4bc2be3c5dc1f643ea1c295ae29a4bd86a7b25214f694f465b02e9d91006466a583259
SHA1 hash:	1b121f98ed13bfb347811d9dcf41920371c1259e
MD5 hash:	3c4176bf5e1a3cd145031b82fdac9bb4
humanhash:	romeo-moon-montana-stairway
File name:	rKBNC20260100228Y.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	981'856 bytes
First seen:	2026-01-19 19:30:09 UTC
Last seen:	2026-02-05 15:18:27 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b34f154ec913d2d2c435cbd644e91687 (548 x GuLoader, 117 x RemcosRAT, 80 x EpsilonStealer)
ssdeep	24576:R+kzuB2+1Vf1vXbzXp+zSXJ2jesYl/XEvUmHYop61+V:wAn+1lVbzXea2CsYlhmHfpN
Threatray	2'411 similar samples on MalwareBazaar
TLSH	T1602523126FA1E0C1C2619B7C483912BF9AF9D5319DF9691F0314EF6C2E731E6E24B582
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	FXOLabs
Tags:	exe RemcosRAT signed

Code Signing Certificate

Organisation:	Lakseglene
Issuer:	Lakseglene
Algorithm:	sha256WithRSAEncryption
Valid from:	2025-12-24T03:25:00Z
Valid to:	2026-12-24T03:25:00Z
Serial number:	072482f15203fb8c63811f8d44a006934f1e8fd9
Thumbprint Algorithm:	SHA256
Thumbprint:	1e37a034d8c8b18ef71236cea8a2cc020409e08805844dad0765c3810f6e8f0f
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

134

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

GuLoader NSIS

Details

GuLoader

an XOR decryption key and an extracted component

GuLoader

a c2 URL, a useragent string, and a string XOR key

NSIS

extracted archive contents

Link:

https://research.acce.ciphertechsolutions.com/results/2cbbe940-1414-44e6-9b07-18424bd3eae0/

Malware family:

remcos

ID:

File name:

rKBNC20260100228Y.exe

Verdict:

Malicious activity

Analysis date:

2026-01-19 19:33:41 UTC

Tags:

remcos rat auto-reg

Link:

https://app.any.run/tasks/d8eeba33-ac25-494f-8a14-906e1c439b27

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/49431/

Verdict:

Malicious

Score:

95.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=696e8660bcad3327ec068450

Tags:

injection virus blic

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/bb8594c13244e445a1dfecba1f648242b3812fff888393e8b421c8a5ae64bf5e

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-01-19T15:34:00Z UTC

Last seen:

2026-01-21T16:53:00Z UTC

Hits:

~1000

Detections:

Packed.NSIS.Krynis.sb VHO:Backdoor.Win32.Remcos.gen HEUR:Trojan.Win32.GuLoader.gen Trojan-Downloader.Win32.Minix.sb Trojan.Win32.Guloader.sb Trojan.NSIS.Makoob.sbb Trojan.NSIS.Makoob.sba

Link:

https://opentip.kaspersky.com/bb8594c13244e445a1dfecba1f648242b3812fff888393e8b421c8a5ae64bf5e/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/27fff032-d77a-46d7-b7fe-00ffc3c383e0

Score:

73%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/bb8594c13244e445a1dfecba1f648242b3812fff888393e8b421c8a5ae64bf5e

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/3c4176bf5e1a3cd145031b82fdac9bb4

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/bb8594c13244e445a1dfecba1f648242b3812fff888393e8b421c8a5ae64bf5e/

Verdict:

Malicious

Threat:

Family.REMCOS

Link:

https://tip.neiki.dev/file/bb8594c13244e445a1dfecba1f648242b3812fff888393e8b421c8a5ae64bf5e

Threat name:

Win32.Backdoor.Remcos

Status:

Suspicious

First seen:

2026-01-19 19:20:57 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

14 of 24 (58.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xoczjqjsitselio75s5b6zecikzycl77rcbzh2fueheklltex5pa._file

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost discovery persistence rat

Link:

https://tria.ge/reports/260119-x74lqact9d/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Windows directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Adds Run key to start application

Contacts third-party web service commonly abused for C2

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Remcos

Remcos family

Malware Config

C2 Extraction:

130.12.182.167:2404
130.12.182.167:5000

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/b888210c-99fa-4677-a321-41f4c42c5abc

Unpacked files

SH256 hash:

bb8594c13244e445a1dfecba1f648242b3812fff888393e8b421c8a5ae64bf5e

MD5 hash:

3c4176bf5e1a3cd145031b82fdac9bb4

SHA1 hash:

1b121f98ed13bfb347811d9dcf41920371c1259e

Link:

https://www.unpac.me/results/fce40331-8850-46d6-80b3-928997f397f0/

SH256 hash:

86c8ee210e6611383a634dcb8c60455063ddae3d7adccbeacf3adf7bf2a46676

MD5 hash:

d2e45dd852a659e11897df573832f381

SHA1 hash:

19990ee627c95b6c18d3b5c5f0ec5c24791d0af5

Link:

https://www.unpac.me/results/fce40331-8850-46d6-80b3-928997f397f0/

SH256 hash:

c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

MD5 hash:

9625d5b1754bc4ff29281d415d27a0fd

SHA1 hash:

80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

Link:

https://www.unpac.me/results/fce40331-8850-46d6-80b3-928997f397f0/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bb8594c13244/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/bb8594c13244e445a1dfecba1f648242b3812fff888393e8b421c8a5ae64bf5e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_NSIS_Nullsoft_Installer Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects NSIS installers by .ndata section + NSIS header string

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

exe bb8594c13244e445a1dfecba1f648242b3812fff888393e8b421c8a5ae64bf5e

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/49431/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample