MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be9be3db880efe2859d30ec62a8433af5d79523873f01fd4c2facea39e1013e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be9be3db880efe2859d30ec62a8433af5d79523873f01fd4c2facea39e1013e2
SHA3-384 hash: 2e9a29a36d9670b97703d5a3077d872cad23c924357cc4114a91c1f9938fe8a8bf4e2d65b8061cf2e3f640e8cb86d19d
SHA1 hash: 0db68f0c082afa081c5bbf58ba9c32ac7cf2af01
MD5 hash: accfe161fcf96e7c3f96c2852c42ba17
humanhash: fourteen-kentucky-apart-colorado
File name:Payment Advice.zip
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:888'842 bytes
First seen:2025-09-30 11:21:27 UTC
Last seen:2025-09-30 13:38:31 UTC
File type: zip
MIME type:application/zip
ssdeep 12288:on6dXodCWHOSL/TalnYoiav928fUt7cSP/eiSWzBdcXyKdo9XjdeX3mCi5DCERU9:o6NoY2Oy/TaSTaXcFB/axtp8jik80e
TLSH T1361523E1109FD70ED5648C7E60FB1801B4949AFAA65E12C9EACCF264176DC3A3D0B58F
Magika zip
Reporter cocaman
Tags:payment RemcosRAT zip


Avatar
cocaman
Malicious email (T1566.001)
From: "=?UTF-8?B?IkPDqWxpbmUgTUlMT1Qi?= <info@tirthenterprises.com>" (likely spoofed)
Received: "from mx1.dreamhost.com (unknown [196.251.92.69]) "
Date: "30 Sep 2025 15:36:34 +0200"
Subject: "RE: FWD: Payment Advice"
Attachment: "Payment Advice.zip"

Intelligence

File Origin
# of uploads :
3
# of downloads :
72
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:Payment Advice.exe
File size:945'664 bytes
SHA256 hash: 2cc6b5b70ad56dcce4f1ac81d9b87c27aeda5acb4db02a08600fc74f16686e3b
MD5 hash: b8de6356ba9026690f404ba033d1c138
MIME type:application/x-dosexec
Signature RemcosRAT
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Zip_fs3369.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Inject6.4717.4225.1561.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.20774.ZipHeur.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68dbbd787d643f33eab8cd40
Tags:
micro spawn lien remo
Result
Verdict:
Malicious
File Type:
PE File
Link:
https://app.docguard.net/be9be3db880efe2859d30ec62a8433af5d79523873f01fd4c2facea39e1013e2/results/dashboard
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin masquerade packed tracker vbnet
Link:
https://www.filescan.io/uploads/68dbbd7bc564c8e81d0ad09f/reports/e8cf58fa-7f96-43f9-8581-15300efb28ad/overview
Verdict:
Malicious
Labled as:
Trojan.U.Remcos
Link:
https://www.hybrid-analysis.com/sample/be9be3db880efe2859d30ec62a8433af5d79523873f01fd4c2facea39e1013e2
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/be9be3db880efe2859d30ec62a8433af5d79523873f01fd4c2facea39e1013e2
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
zip
First seen:
2025-09-30T04:38:00Z UTC
Last seen:
2025-09-30T21:22:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/be9be3db880efe2859d30ec62a8433af5d79523873f01fd4c2facea39e1013e2/results?tab=lookup
Score:
100%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/be9be3db880efe2859d30ec62a8433af5d79523873f01fd4c2facea39e1013e2
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/be9be3db880efe2859d30ec62a8433af5d79523873f01fd4c2facea39e1013e2/
Threat name:
ByteCode-MSIL.Trojan.PureLogStealer
Create hunting rule
Status:
Malicious
First seen:
2025-09-30 10:56:33 UTC
File Type:
Binary (Archive)
Extracted files:
9
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=x2n6hw4ib37cqwotb3dcvbbtv5oxsuryopyb7vgc7lhkhhqqcpra._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection discovery execution persistence rat spyware stealer
Link:
https://tria.ge/reports/250930-njmhvsfj2w/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks computer location settings
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Remcos
Remcos family
Malware Config
C2 Extraction:
127.0.0.1:29444
nnamoograce.duckdns.org:29444
196.251.92.69:29444
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.20
Link:
https://yomi.yoroi.company/submissions/be9be3db880efe2859d30ec62a8433af5d79523873f01fd4c2facea39e1013e2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win32_dotnet_form_obfuscate
Create hunting rule
Author:Reedus0
Description:Rule for detecting .NET form obfuscate malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip be9be3db880efe2859d30ec62a8433af5d79523873f01fd4c2facea39e1013e2

(this sample)

RemcosRAT

Executable exe 2cc6b5b70ad56dcce4f1ac81d9b87c27aeda5acb4db02a08600fc74f16686e3b

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 2cc6b5b70ad56dcce4f1ac81d9b87c27aeda5acb4db02a08600fc74f16686e3b
  
Dropping
RemcosRAT
  
Dropping
MD5 b8de6356ba9026690f404ba033d1c138

Comments