MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c43ace6072774cb4de54ef9bc048835733340980f6ef0b07068f8328628f1d54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c43ace6072774cb4de54ef9bc048835733340980f6ef0b07068f8328628f1d54
SHA3-384 hash: 52addbdcaa38f0b37481246d8e5e4189123fd724efaad815b82e669ab1c085f7f11e5d5112f3194ccfd88417d48efed9
SHA1 hash: efbeb0e982f905d1c66f17e8d1b804bc35ce5bdf
MD5 hash: a72fc7363604502708e172ebd1ddb365
humanhash: pasta-ohio-nine-massachusetts
File name:a72fc7363604502708e172ebd1ddb365.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:682'936 bytes
First seen:2025-03-23 17:12:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0293eec0b5432ad092f24065016203b2 (21 x GuLoader, 9 x RemcosRAT, 6 x Formbook)
ssdeep 12288:716zh9vvDedeWzvEKEOw1Ri2lvwkycacPEDbiWO0qDuoYCP6Z9pTZxLP/1pMVAt6:x6zhNSd4KFw1s2rycNP3WvAYCg9TxLPC
Threatray 137 similar samples on MalwareBazaar
TLSH T16AE4238A2734FDE7E51223B002765829D7E0EE4536B44B1F73B93A1DA3376D6E45B082
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon e0d9998898aca4b8 (4 x RemcosRAT, 1 x njrat)
Reporter abuse_ch
Tags:exe RemcosRAT signed

Code Signing Certificate

Organisation:Rundskrivelsen
Issuer:Rundskrivelsen
Algorithm:sha256WithRSAEncryption
Valid from:2024-05-20T01:39:37Z
Valid to:2025-05-20T01:39:37Z
Serial number: 5ed6ceef8c38de58da963be6e4db6cf032052e56
Thumbprint Algorithm:SHA256
Thumbprint: cd958e82aa459cd7552f27eb534ad0019fd3c821bfff8377760a76d12c3e1e7c
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
445
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
a72fc7363604502708e172ebd1ddb365.exe
Verdict:
Malicious activity
Analysis date:
2025-03-23 17:19:10 UTC
Tags:
rat remcos remote stealer
Link:
https://app.any.run/tasks/be49a1aa-38a1-494f-b240-ac1fd3c86cee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e19628bb84e066269e8a6f
Tags:
remcos virus blic sage
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Delayed reading of the file
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context blackhole installer microsoft_visual_cc overlay signed
Link:
https://www.filescan.io/uploads/67e04123e05c48ec61e68d6e/reports/6fdeda67-3ea3-490e-8059-191aec958e3e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c43ace6072774cb4de54ef9bc048835733340980f6ef0b07068f8328628f1d54
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/afbb9fe8-4e52-4eba-a2b5-c5bba6e716ef
Result
Threat name:
Remcos, GuLoader
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1646228
Signature
AI detected suspicious PE digital signature
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Found malware configuration
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Mass process execution to delay analysis
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sample uses process hollowing technique
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1646228 Sample: XfZU6BKl76.exe Startdate: 23/03/2025 Architecture: WINDOWS Score: 100 62 176.65.141.162 WEBTRAFFICDE Germany 2->62 64 185.189.112.27 M247GB United Kingdom 2->64 66 3 other IPs or domains 2->66 82 Suricata IDS alerts for network traffic 2->82 84 Found malware configuration 2->84 86 Multi AV Scanner detection for submitted file 2->86 88 8 other signatures 2->88 8 XfZU6BKl76.exe 4 46 2->8         started        12 Meticulously.exe 24 2->12         started        signatures3 process4 file5 46 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 8->46 dropped 48 C:\Users\user\AppData\Local\...\System.dll, PE32 8->48 dropped 50 C:\Users\user\AppData\...\Meticulously.exe, PE32 8->50 dropped 58 2 other malicious files 8->58 dropped 90 Obfuscated command line found 8->90 92 Mass process execution to delay analysis 8->92 94 Tries to detect virtualization through RDTSC time measurements 8->94 96 Creates a thread in another existing process (thread injection) 8->96 14 XfZU6BKl76.exe 5 17 8->14         started        19 cmd.exe 8->19         started        21 cmd.exe 8->21         started        25 62 other processes 8->25 52 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 12->52 dropped 54 C:\Users\user\AppData\Local\...\System.dll, PE32 12->54 dropped 56 C:\Users\user\AppData\Local\...\nsr7BBA.tmp, data 12->56 dropped 98 Multi AV Scanner detection for dropped file 12->98 100 Switches to a custom stack to bypass stack traces 12->100 23 Meticulously.exe 12->23         started        signatures6 process7 dnsIp8 68 185.156.175.43, 2758, 49726, 49727 M247GB Romania 14->68 70 od.lk 38.108.185.115, 443, 49724, 49729 COGENT-174US United States 14->70 72 2 other IPs or domains 14->72 60 C:\ProgramData\remcos\logs.dat, data 14->60 dropped 74 Detected Remcos RAT 14->74 76 Writes to foreign memory regions 14->76 78 Maps a DLL or memory area into another process 14->78 80 2 other signatures 14->80 27 recover.exe 14->27         started        30 recover.exe 14->30         started        32 recover.exe 14->32         started        42 2 other processes 14->42 34 conhost.exe 19->34         started        36 Conhost.exe 19->36         started        38 Conhost.exe 21->38         started        40 Conhost.exe 25->40         started        44 61 other processes 25->44 file9 signatures10 process11 signatures12 102 Tries to steal Mail credentials (via file registry) 27->102 104 Tries to harvest and steal browser information (history, passwords, etc) 27->104 106 Tries to steal Instant Messenger accounts or passwords 30->106 108 Tries to steal Mail credentials (via file / registry access) 30->108
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c43ace6072774cb4de54ef9bc048835733340980f6ef0b07068f8328628f1d54
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c43ace6072774cb4de54ef9bc048835733340980f6ef0b07068f8328628f1d54/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yq5m4ydso5gljxsu56n4asedk4zticma63xqwbygr6bsqyupdvka._file
Verdict:
malicious
Label(s):
packer_bxor
Create hunting rule
Similar samples:
24c6d52deb03904ffdfab367e71f0bd7339495d8684a6b23b4bf7e0678986af9
RemcosRAT
50f7a5ef12735cba58b3990988df8384294b42863033acc3d1bd939c3d00bdc5
RemcosRAT
8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe
RemcosRAT
97cc634556982a9330804566cd2cd6b2fd0b9be5048de247d8b40cfdb4c1a1ec
RemcosRAT
d8dd9ac3ec0436e700aa87ac846c7d682389acbbda1818b56c42bec2e21ece73
RemcosRAT
error
RemcosRAT
+ 127 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos botnet:remotehost collection discovery downloader persistence rat
Link:
https://tria.ge/reports/250323-vrfhvaxzdz/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Loads dropped DLL
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Guloader family
Guloader,Cloudeye
Remcos
Remcos family
Malware Config
C2 Extraction:
185.156.175.43:2758
185.189.112.27:2758
176.65.141.162:2758
Verdict:
Malicious
Tags:
loader guloader
YARA:
NSIS_GuLoader_July_2024
Link:
https://app.threat.zone/submission/de062e46-d545-4b04-9ed3-b89f8ea8c1c1
Unpacked files
SH256 hash:
c43ace6072774cb4de54ef9bc048835733340980f6ef0b07068f8328628f1d54
MD5 hash:
a72fc7363604502708e172ebd1ddb365
SHA1 hash:
efbeb0e982f905d1c66f17e8d1b804bc35ce5bdf
Link:
https://www.unpac.me/results/5a734de2-3053-4683-aed0-a61d3fa2161e/
SH256 hash:
832da3cff792135ecb98f44c387bea3a8e2e9bd096b917303ca8b9dc71d60365
MD5 hash:
50a9396a761bf245ed4df1b08782d6f2
SHA1 hash:
e01a99100e91801abe074341b0c77cca6220f0bd
Link:
https://www.unpac.me/results/5a734de2-3053-4683-aed0-a61d3fa2161e/
SH256 hash:
bcb93204bd1854d0c34fa30883bab51f6813ab32abf7fb7d4aeed21d71f6af87
MD5 hash:
6c881f00ba860b17821d8813aa34dbc6
SHA1 hash:
0e5a1e09b1ce1bc758d6977b913a8d9ccbe52a13
Link:
https://www.unpac.me/results/5a734de2-3053-4683-aed0-a61d3fa2161e/
SH256 hash:
7fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1
MD5 hash:
dd87a973e01c5d9f8e0fcc81a0af7c7a
SHA1 hash:
c9206ced48d1e5bc648b1d0f54cccc18bf643a14
Link:
https://www.unpac.me/results/5a734de2-3053-4683-aed0-a61d3fa2161e/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c43ace607277/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.58
Link:
https://yomi.yoroi.company/submissions/c43ace6072774cb4de54ef9bc048835733340980f6ef0b07068f8328628f1d54

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExA
SHELL32.dll::SHFileOperationA
SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDiskFreeSpaceA
KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileA
KERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileA
KERNEL32.dll::MoveFileExA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExA
USER32.dll::OpenClipboard
USER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments