MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c900419b3bbe82ee2575baee02ae117465573706653cda154b8ccadaba663fad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c900419b3bbe82ee2575baee02ae117465573706653cda154b8ccadaba663fad
SHA3-384 hash: 5ace76833b7e2a4d780daf53a9c2a074fbbaffb040b8cd6198b7b70f1495a228f6acfc4531dc8e0579b4587edb620d6b
SHA1 hash: e69e52dbb6e57579eeb622f37cffd3deb7a0fdfa
MD5 hash: 7d83593e662d3dbae4baaa9f88e8df67
humanhash: wyoming-sodium-muppet-network
File name:Bestellung 24014256.com
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:407'657 bytes
First seen:2026-03-23 15:33:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e7f9a29f2c85394521a08b9f31f6275 (304 x GuLoader, 55 x VIPKeylogger, 54 x RemcosRAT)
ssdeep 12288:YMw+9m5NkVTMUSReD9mFP/puZXUg7T9UnG:YMw+A5NkZMUSResXyknG
TLSH T16984120177E4C526E66300705D72C6BAA9F0EA6A5866C35713507FAE38FE6D07E0E783
TrID 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter threatcat_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
126
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
GuLoader NSIS
Details
GuLoader
a c2 URL, a useragent string, and a string XOR key
GuLoader
an XOR decryption key and an extracted component
NSIS
extracted archive contents
Link:
https://research.acce.ciphertechsolutions.com/results/8e179bce-9baf-47b7-8306-11bf620bbff0/
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Bestellung 24014256.com
Verdict:
Malicious activity
Analysis date:
2026-03-23 15:36:22 UTC
Tags:
remcos rat remote stealer mpress
Link:
https://app.any.run/tasks/ca76a99c-f407-44e1-bb06-4f9c072b1e82

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.Inject6.15694.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69c15d3faacb4c376b131717
Tags:
injection obfusc
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Gathering data
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/c900419b3bbe82ee2575baee02ae117465573706653cda154b8ccadaba663fad
Result
Gathering data
Verdict:
Malicious
File Type:
exe x32
Link:
https://opentip.kaspersky.com/c900419b3bbe82ee2575baee02ae117465573706653cda154b8ccadaba663fad/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/8e83c36f-f3e1-4ef1-a96a-8ee297ee0c37
Result
Threat name:
Remcos, GuLoader
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1887704
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected Remcos RAT
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1887704 Sample: Bestellung 24014256.com.exe Startdate: 23/03/2026 Architecture: WINDOWS Score: 100 48 Suricata IDS alerts for network traffic 2->48 50 Found malware configuration 2->50 52 Antivirus detection for dropped file 2->52 54 11 other signatures 2->54 7 Bestellung 24014256.com.exe 2 37 2->7         started        process3 file4 26 C:\Users\user\AppData\Local\...\System.dll, PE32 7->26 dropped 28 C:\Users\user\...\Trafikkontrollren, Matlab 7->28 dropped 10 Bestellung 24014256.com.exe 4 9 7->10         started        15 Bestellung 24014256.com.exe 7->15         started        process5 dnsIp6 36 192.227.128.157, 1344, 49699, 49700 AS-COLOCROSSINGUS United States 10->36 30 C:\Users\user\AppData\Local\Temp\THEB02.tmp, MS-DOS 10->30 dropped 32 C:\Users\user\AppData\Local\Temp\THE95C.tmp, MS-DOS 10->32 dropped 34 C:\Users\user\AppData\Local\Temp\THE89F.tmp, MS-DOS 10->34 dropped 56 Detected Remcos RAT 10->56 58 Writes to foreign memory regions 10->58 60 Maps a DLL or memory area into another process 10->60 17 userinit.exe 2 10->17         started        20 userinit.exe 1 10->20         started        22 userinit.exe 1 10->22         started        24 Bestellung 24014256.com.exe 10->24         started        file7 signatures8 process9 signatures10 38 Tries to steal Mail credentials (via file registry) 17->38 40 Tries to harvest and steal browser information (history, passwords, etc) 17->40 42 Unusual module load detection (module proxying) 17->42 44 Tries to steal Instant Messenger accounts or passwords 20->44 46 Tries to steal Mail credentials (via file / registry access) 20->46
Score:
41%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/c900419b3bbe82ee2575baee02ae117465573706653cda154b8ccadaba663fad
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c900419b3bbe82ee2575baee02ae117465573706653cda154b8ccadaba663fad/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/c900419b3bbe82ee2575baee02ae117465573706653cda154b8ccadaba663fad
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zeaedgz3x2bo4jlvxlxaflqrorsvonygmu6nufklrtfnvotgh6wq._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos botnet:remotehost collection discovery downloader rat
Link:
https://tria.ge/reports/260323-tjpacaas6n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Loads dropped DLL
Detected Nirsoft tools
Guloader family
Guloader,Cloudeye
Remcos
Remcos family
Malware Config
C2 Extraction:
192.227.128.157:1344
192.227.128.157:1352
192.227.128.157:1058
Unpacked files
SH256 hash:
c900419b3bbe82ee2575baee02ae117465573706653cda154b8ccadaba663fad
MD5 hash:
7d83593e662d3dbae4baaa9f88e8df67
SHA1 hash:
e69e52dbb6e57579eeb622f37cffd3deb7a0fdfa
Link:
https://www.unpac.me/results/179e06f9-2ccf-4a14-a33f-bb7c3111af52/
SH256 hash:
6bf9cccd8a600f4d442efe201e8c07b49605ba35f49a4b3ab22fa2641748e156
MD5 hash:
48f3e7860e1de2b4e63ec744a5e9582a
SHA1 hash:
420c64d802a637c75a53efc8f748e1aede3d6dc6
Link:
https://www.unpac.me/results/179e06f9-2ccf-4a14-a33f-bb7c3111af52/
SH256 hash:
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5
MD5 hash:
564bb0373067e1785cba7e4c24aab4bf
SHA1 hash:
7c9416a01d821b10b2eef97b80899d24014d6fc1
Link:
https://www.unpac.me/results/179e06f9-2ccf-4a14-a33f-bb7c3111af52/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c900419b3bbe/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c900419b3bbe82ee2575baee02ae117465573706653cda154b8ccadaba663fad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe c900419b3bbe82ee2575baee02ae117465573706653cda154b8ccadaba663fad

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/58875/

Comments