MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbd7cc3340148f7bb3f3b8da082367550494471104d4f9fdaa5bee65aae637ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 18


Intelligence 18 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bbd7cc3340148f7bb3f3b8da082367550494471104d4f9fdaa5bee65aae637ac
SHA3-384 hash: 3dd4a8d54ffac0bc6bd8ce84ffcec7fc0e0950020d622e21dcc7c9bdee9cbafa53fbcade29688a12e376981944fe3348
SHA1 hash: 6182c504d0d3e5d8dc7dd73dc0f6aea77de24727
MD5 hash: 65e5e09bc777dc16e8f669ee62d838b1
humanhash: diet-eight-batman-pasta
File name:65e5e09bc777dc16e8f669ee62d838b1.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:442'298 bytes
First seen:2025-08-27 01:20:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (532 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 12288:/2iSxqBSSbPRBx2LfIDKex9qbAcfnKkMLIegg0L:/5Sr8JBpD7ebpS5g9
Threatray 1'534 similar samples on MalwareBazaar
TLSH T19A942321E780F4B6DA6227314C29E7E39EE07E22163587035BE63F4DFE392A5811D4D6
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
206.123.152.101:3421

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
206.123.152.101:3421 https://threatfox.abuse.ch/ioc/1575346/

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
65e5e09bc777dc16e8f669ee62d838b1.exe
Verdict:
Malicious activity
Analysis date:
2025-08-27 01:23:07 UTC
Tags:
auto-reg remcos rat
Link:
https://app.any.run/tasks/f30bee03-cb99-46e2-83a3-81f9df2acb7b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/23755/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68ae5d71eb163e0ec182d171
Tags:
injection virus nsis blic
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Creating a file in the %AppData% subdirectories
Delayed reading of the file
Creating a file in the %temp% subdirectories
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug blackhole guloader installer microsoft_visual_cc overlay overlay unsafe
Link:
https://www.filescan.io/uploads/68ae5d5f28a89d9dd4f4fea3/reports/a1345647-3fed-4a92-b0bb-1262e19e2518/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/bbd7cc3340148f7bb3f3b8da082367550494471104d4f9fdaa5bee65aae637ac
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-23T04:27:00Z UTC
Last seen:
2025-08-23T04:27:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/bbd7cc3340148f7bb3f3b8da082367550494471104d4f9fdaa5bee65aae637ac/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/dfc1bee2-a42d-4e4f-bb89-6c20406ffeef
Result
Threat name:
GuLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1765884
Signature
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bbd7cc3340148f7bb3f3b8da082367550494471104d4f9fdaa5bee65aae637ac
Gathering data
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bbd7cc3340148f7bb3f3b8da082367550494471104d4f9fdaa5bee65aae637ac/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/bbd7cc3340148f7bb3f3b8da082367550494471104d4f9fdaa5bee65aae637ac
Threat name:
Win32.Trojan.Etset
Create hunting rule
Status:
Malicious
First seen:
2025-08-23 15:05:01 UTC
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xpl4ym2acshxxm7txdnaqi3hkucjiryratkpt7nklpxglkxgg6wa._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
139ef2f1bd05c11dacb8ac3184108a66ae629779889a05328015c2f02186bd47
RemcosRAT
253f5d458d58c68d652d8034d533b958226b72ba3f9e120acb2b7a8808aa052e
RemcosRAT
29da2190a5e040e36cf79c7948eca244100b64eea9236b7279f97381fdc3e695
RemcosRAT
4117cfa44e461122d319394e630e4836d6977b949de9a678e13c4772a10f6df9
RemcosRAT
491cf03511ae77ed758d9b36f3237da0ef099370144ed61367146fee1c2bacee
RemcosRAT
6603338f6a709aa136eef198311467a868faff29c644bbc33a62dd1ba8eaf640
RemcosRAT
912219e3933db2e01a3d6d0f98a1bc00fa5073c715a84fe17e06ba6fa9d8ad2b
RemcosRAT
error
RemcosRAT
+ 1'524 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:june discovery persistence rat
Link:
https://tria.ge/reports/250827-bqfyfael3x/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Remcos
Remcos family
Malware Config
C2 Extraction:
streetwisecre.duckdns.org:3421
streetwisecre.duckdns.org:2565
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/45ab7bb2-51ed-45ac-bf6c-75c72db0dafa
Unpacked files
SH256 hash:
bbd7cc3340148f7bb3f3b8da082367550494471104d4f9fdaa5bee65aae637ac
MD5 hash:
65e5e09bc777dc16e8f669ee62d838b1
SHA1 hash:
6182c504d0d3e5d8dc7dd73dc0f6aea77de24727
Link:
https://www.unpac.me/results/a6a0b56b-43e9-4df6-8f18-ec7fbeb5a2a8/
SH256 hash:
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
MD5 hash:
75ed96254fbf894e42058062b4b4f0d1
SHA1 hash:
996503f1383b49021eb3427bc28d13b5bbd11977
Link:
https://www.unpac.me/results/a6a0b56b-43e9-4df6-8f18-ec7fbeb5a2a8/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bbd7cc334014/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bbd7cc3340148f7bb3f3b8da082367550494471104d4f9fdaa5bee65aae637ac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/23755/

Comments