MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3522c969c29c162a1b67b62b26510edfe67c8c163cbd9addea347dd229090af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c3522c969c29c162a1b67b62b26510edfe67c8c163cbd9addea347dd229090af
SHA3-384 hash: 052a7c0b0bfbcaafa54e1e35d6c5b0d513a9f5ee5385d34e2f093c07c08bb9965332ba946dd4e023e2733872c4809a69
SHA1 hash: 4684c13f8cb09fc2145bbf5b39b69e4d15112474
MD5 hash: 4cfe59591a7403c15fbac3d2a64f9ebe
humanhash: eleven-ceiling-four-jig
File name:scan10125.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:930'544 bytes
First seen:2025-10-21 05:47:56 UTC
Last seen:2025-10-21 07:08:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (548 x GuLoader, 117 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 24576:b3vYXoZoe1iIgSAecVawQAIxTy7AuN5hUI5iD1AG5nME5q0:b3JVNQVawQAYTy7AuN071r5MEY0
Threatray 2'341 similar samples on MalwareBazaar
TLSH T1EB152211BB00DC56DCB28770067F56393173BD5B9EB4424F130E72AA7BB2B853819AA3
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter lowmal3
Tags:exe RemcosRAT signed

Code Signing Certificate

Organisation:Ravneagtiges
Issuer:Ravneagtiges
Algorithm:sha256WithRSAEncryption
Valid from:2025-09-18T01:41:52Z
Valid to:2026-09-18T01:41:52Z
Serial number: 16c33220529560311e1441e422a34e4bb060ad2d
Thumbprint Algorithm:SHA256
Thumbprint: b3f42aa56a0c9b3820fdb888188a4e22003cb82d9938d10e6e0480888246996d
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
115
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
_c3522c969c29c162a1b67b62b26510edfe67c8c163cbd9addea347dd229090af.exe
Verdict:
Malicious activity
Analysis date:
2025-10-21 06:10:08 UTC
Tags:
rat remcos auto-reg
Link:
https://app.any.run/tasks/49cbc35d-15a9-4346-94d5-e16760bb99d8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/33575/
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f71ecb3edd081eba404420
Tags:
dropper virus blic
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %AppData% subdirectories
Creating a file
Creating a file in the %temp% directory
Delayed reading of the file
Unauthorized injection to a recently created process
Restart of the analyzed sample
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
adaptive-context installer microsoft_visual_cc obfuscated overlay signed
Link:
https://www.filescan.io/uploads/68f71f103a79800405ed950d/reports/0db16ad7-6bc2-4434-8bbf-4286f2c5aeee/overview
Verdict:
Malicious
Labled as:
Trojan_Win32_Wacatac_B_ml
Link:
https://www.hybrid-analysis.com/sample/c3522c969c29c162a1b67b62b26510edfe67c8c163cbd9addea347dd229090af
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-20T18:28:00Z UTC
Last seen:
2025-10-23T04:25:00Z UTC
Hits:
~1000
Detections:
Trojan.Win32.Agent.sb Trojan.NSIS.Makoob.sbe Trojan.NSIS.Makoob.sba VHO:Trojan.NSIS.Makoob.gen Trojan.Win32.GuLoader.sb HEUR:Trojan.Win32.Makoob.gen Trojan-Downloader.Win32.Minix.sb Trojan.NSIS.Makoob.sbb
Link:
https://opentip.kaspersky.com/c3522c969c29c162a1b67b62b26510edfe67c8c163cbd9addea347dd229090af/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/7ccdef38-b34c-4193-b166-372065545556
Result
Threat name:
Remcos, GuLoader
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1798901
Signature
AI detected suspicious PE digital signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Detected Remcos RAT
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1798901 Sample: scan10125.exe Startdate: 21/10/2025 Architecture: WINDOWS Score: 100 61 drive.usercontent.google.com 2->61 63 drive.google.com 2->63 65 2 other IPs or domains 2->65 83 Suricata IDS alerts for network traffic 2->83 85 Found malware configuration 2->85 87 Antivirus detection for dropped file 2->87 89 9 other signatures 2->89 10 scan10125.exe 4 90 2->10         started        14 remcos.exe 2->14         started        16 remcos.exe 10 2->16         started        signatures3 process4 file5 49 C:\Users\user\AppData\...\unconcatenating.gru, DOS 10->49 dropped 51 C:\Users\user\AppData\Local\...\System.dll, PE32 10->51 dropped 103 Tries to detect virtualization through RDTSC time measurements 10->103 105 Switches to a custom stack to bypass stack traces 10->105 18 scan10125.exe 2 10 10->18         started        53 C:\Users\user\AppData\Local\...\System.dll, PE32 14->53 dropped 23 remcos.exe 14->23         started        signatures6 process7 dnsIp8 67 drive.usercontent.google.com 172.217.15.193, 443, 49692, 49699 GOOGLEUS United States 18->67 69 drive.google.com 192.178.50.78, 443, 49691, 49698 GOOGLEUS United States 18->69 43 C:\ProgramData\Remcos\remcos.exe, PE32 18->43 dropped 45 C:\ProgramData\...\remcos.exe:Zone.Identifier, ASCII 18->45 dropped 91 Detected Remcos RAT 18->91 93 Creates autostart registry keys with suspicious names 18->93 25 remcos.exe 38 18->25         started        file9 signatures10 process11 file12 47 C:\Users\user\AppData\Local\...\System.dll, PE32 25->47 dropped 95 Multi AV Scanner detection for dropped file 25->95 97 Found hidden mapped module (file has been removed from disk) 25->97 99 Tries to detect virtualization through RDTSC time measurements 25->99 101 Switches to a custom stack to bypass stack traces 25->101 29 remcos.exe 25->29         started        signatures13 process14 dnsIp15 71 196.251.70.45, 2404, 49700, 49701 Web4AfricaZA Seychelles 29->71 73 api.findip.net 104.21.93.189, 443, 49703 CLOUDFLARENETUS United States 29->73 75 api.ipify.org 104.26.12.205, 443, 49702 CLOUDFLARENETUS United States 29->75 55 C:\Users\user\AppData\Local\Temp\TH2175.tmp, MS-DOS 29->55 dropped 57 C:\Users\user\AppData\Local\Temp\TH20A8.tmp, MS-DOS 29->57 dropped 59 C:\Users\user\AppData\Local\Temp\TH2088.tmp, PE32 29->59 dropped 107 Detected Remcos RAT 29->107 109 Writes to foreign memory regions 29->109 111 Maps a DLL or memory area into another process 29->111 34 RmClient.exe 29->34         started        37 RmClient.exe 29->37         started        39 RmClient.exe 29->39         started        41 RmClient.exe 29->41         started        file16 signatures17 process18 signatures19 77 Tries to steal Instant Messenger accounts or passwords 34->77 79 Tries to steal Mail credentials (via file / registry access) 34->79 81 Tries to harvest and steal browser information (history, passwords, etc) 37->81
Score:
84%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c3522c969c29c162a1b67b62b26510edfe67c8c163cbd9addea347dd229090af
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/4cfe59591a7403c15fbac3d2a64f9ebe
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c3522c969c29c162a1b67b62b26510edfe67c8c163cbd9addea347dd229090af/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/c3522c969c29c162a1b67b62b26510edfe67c8c163cbd9addea347dd229090af
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Suspicious
First seen:
2025-10-21 00:34:22 UTC
File Type:
PE (Exe)
Extracted files:
43
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ynjczfu4fhawfinwpnrleziq5x7gpsgbmpf5tlo6und52iuqscxq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
0b145928bcccd1f9510ef2744ef2487a38cdcdcc6b8595995c491c29f97f55e9
RemcosRAT
21773cea42a57dff11a05f01ea94f48fc457871b110a410e4ccb416a4e346229
RemcosRAT
85407e0947fde678d6abc0d8ebf96c35240a7467b6cf1347ec798072d4f393e2
RemcosRAT
ca8baf05a8f6f9dd4a486ec38da9bf9b338699464a7d3c05e8b6da8e0059247a
RemcosRAT
error
RemcosRAT
f7be02f5ceebf889ff98f83f55c9de2b825229952abc034529223641d8ff3e31
RemcosRAT
+ 2'331 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos collection discovery downloader persistence rat
Link:
https://tria.ge/reports/251021-gjhrcagp2y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Launches sc.exe
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Guloader family
Guloader,Cloudeye
Remcos
Remcos family
Malware Config
C2 Extraction:
196.251.70.45:2404
Unpacked files
SH256 hash:
c3522c969c29c162a1b67b62b26510edfe67c8c163cbd9addea347dd229090af
MD5 hash:
4cfe59591a7403c15fbac3d2a64f9ebe
SHA1 hash:
4684c13f8cb09fc2145bbf5b39b69e4d15112474
Link:
https://www.unpac.me/results/e39b6373-b2d6-4ac1-8e85-aa72423bf139/
SH256 hash:
86c8ee210e6611383a634dcb8c60455063ddae3d7adccbeacf3adf7bf2a46676
MD5 hash:
d2e45dd852a659e11897df573832f381
SHA1 hash:
19990ee627c95b6c18d3b5c5f0ec5c24791d0af5
Link:
https://www.unpac.me/results/e39b6373-b2d6-4ac1-8e85-aa72423bf139/
SH256 hash:
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
MD5 hash:
9625d5b1754bc4ff29281d415d27a0fd
SHA1 hash:
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
Link:
https://www.unpac.me/results/e39b6373-b2d6-4ac1-8e85-aa72423bf139/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.72
Link:
https://yomi.yoroi.company/submissions/c3522c969c29c162a1b67b62b26510edfe67c8c163cbd9addea347dd229090af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip c66a637de988bf2aed02f67714ee12324a70605256582ccd277a0a9eb74854dd

RemcosRAT

Executable exe c3522c969c29c162a1b67b62b26510edfe67c8c163cbd9addea347dd229090af

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/33575/
  
Dropped by
SHA256 c66a637de988bf2aed02f67714ee12324a70605256582ccd277a0a9eb74854dd
  
Dropped by
MD5 323ac449e186a684bb9b155922799b50

Comments