MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c131ae97938e782d3beb56c4a00ca9ddad3812364c3f0492aacdb0458f659b1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 14

Intelligence 14 IOCs YARA 1 File information Comments

SHA256 hash:	c131ae97938e782d3beb56c4a00ca9ddad3812364c3f0492aacdb0458f659b1c
SHA3-384 hash:	5a9b4584735a44009680aeb00a863e3b9a3a5681415dbb705b45f695675fe4ba6177f572e560ff5a2b8c40f63c973bf5
SHA1 hash:	f63fc6d67b15144fb8a4dd7d9e044bb5cdd9c06d
MD5 hash:	589796c940aac07e9389b60fbf3f7523
humanhash:	maine-nevada-glucose-zulu
File name:	Shipping_document.bat
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'138'737 bytes
First seen:	2025-09-26 06:58:28 UTC
Last seen:	2025-10-09 14:52:46 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	6e7f9a29f2c85394521a08b9f31f6275 (278 x GuLoader, 44 x RemcosRAT, 40 x VIPKeylogger)
ssdeep	24576:NTui9ehTAczq93goXdU/GDUC+smFX/22opSkG/UYx:NTujQgoWa6t5upSkGj
TLSH	T1D535BF803D5C8097EB6E4DB3744E94B024A46CB9B7F120DF6B95772900B27E254BEE6C
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	Anonymous
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

152

Origin country :

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

Shipping_document.bat

Verdict:

Malicious activity

Analysis date:

2025-09-26 07:01:48 UTC

Tags:

rat remcos remote evasion guloader stealer

Link:

https://app.any.run/tasks/2b6fc4a4-6fa7-4863-bae1-64385c12905f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/29142/

Verdict:

Clean

Score:

89.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68d6399a1e47839890520402

Tags:

n/a

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Searching for the window

Creating a file in the %AppData% subdirectories

Creating a file in the %temp% directory

Delayed reading of the file

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

adaptive-context installer masquerade microsoft_visual_cc obfuscated overlay packed packer_detected

Link:

https://www.filescan.io/uploads/68d6399fc564c8e81d0839f0/reports/e0895494-a5ea-4f5c-8f90-0436cd08ee2a/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/c131ae97938e782d3beb56c4a00ca9ddad3812364c3f0492aacdb0458f659b1c

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-25T16:04:00Z UTC

Last seen:

2025-09-25T16:04:00Z UTC

Hits:

~1000

Detections:

Trojan-Downloader.Win32.Minix.sb Trojan.Win32.Guloader.sb Trojan.NSIS.Makoob.sbe Trojan.NSIS.Makoob.sba

Link:

https://opentip.kaspersky.com/c131ae97938e782d3beb56c4a00ca9ddad3812364c3f0492aacdb0458f659b1c/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/a019ca78-289a-4e13-8857-25070eecb4d0

Score:

80%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c131ae97938e782d3beb56c4a00ca9ddad3812364c3f0492aacdb0458f659b1c

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/589796c940aac07e9389b60fbf3f7523

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/c131ae97938e782d3beb56c4a00ca9ddad3812364c3f0492aacdb0458f659b1c/

Verdict:

Malicious

Threat:

Family.REMCOS

Link:

https://tip.neiki.dev/file/c131ae97938e782d3beb56c4a00ca9ddad3812364c3f0492aacdb0458f659b1c

Threat name:

Win32.Trojan.Znyonm

Status:

Malicious

First seen:

2025-09-25 21:23:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yey25f4trz4c2o7lk3ckadfj3wwtqerwjq7qjevkzwyeld3ftmoa._file

Result

Malware family:

remcos

Score:

10/10

Tags:

family:guloader family:remcos collection discovery downloader rat

Link:

https://tria.ge/reports/250926-hrs3qaeq91/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Drops file in Program Files directory

Drops file in Windows directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses Microsoft Outlook accounts

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Loads dropped DLL

Detected Nirsoft tools

NirSoft MailPassView

NirSoft WebBrowserPassView

Guloader family

Guloader,Cloudeye

Remcos

Remcos family

Malware Config

C2 Extraction:

103.67.163.29:2404

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/f01bb9d2-1ecc-475b-9e64-8eeb3bd1a291

Unpacked files

SH256 hash:

c131ae97938e782d3beb56c4a00ca9ddad3812364c3f0492aacdb0458f659b1c

MD5 hash:

589796c940aac07e9389b60fbf3f7523

SHA1 hash:

f63fc6d67b15144fb8a4dd7d9e044bb5cdd9c06d

Link:

https://www.unpac.me/results/72a2475c-b5f3-4980-97bf-78ffe8bece93/

SH256 hash:

b7823a15e7b1866ba3d77248f750b66505859d264cfc39d8c8c5e812f8ae4a81

MD5 hash:

a1da6788aeaf78ca4ae1dece8019e49d

SHA1 hash:

d770155e6e9aa69223be198c44a8da26a1756d89

Link:

https://www.unpac.me/results/72a2475c-b5f3-4980-97bf-78ffe8bece93/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c131ae97938e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.79

Link:

https://yomi.yoroi.company/submissions/c131ae97938e782d3beb56c4a00ca9ddad3812364c3f0492aacdb0458f659b1c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_NSIS_Nullsoft_Installer Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects NSIS installers by .ndata section + NSIS header string

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/29142/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample