MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d012a92e43408d373db49ebc99461bf4dbbbd0ab1f7d07d0f96650ea849ac147. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d012a92e43408d373db49ebc99461bf4dbbbd0ab1f7d07d0f96650ea849ac147
SHA3-384 hash: 2baa6cce65ca44e453a9fcf2b2328013c099924a435d846f4fc5e614aa434a57c49bcd353e2c43ca0405efe3c84178c2
SHA1 hash: d13d7c1d773d08e83889e3bc18ca3dbd5af0be76
MD5 hash: 454c6ef6f477a4b3a6106f0c4e5a8bce
humanhash: yankee-nine-pennsylvania-rugby
File name:z12025-D1-05181NoluDiib-Revize.bat
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:6'200 bytes
First seen:2025-11-02 14:00:10 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 192:JcjL6VTN0/wCE+f52qUiqqvWsi+VCXViOEbkCB5AWy:JYLQTQp2J8+sPcltoRXy
TLSH T1ECD12B04EC777923A806D5729B0702639C6BDCE7C84475E9B286E33769A6BACF54F009
Magika txt
Reporter FXOLabs
Tags:bat RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
z12025-D1-05181NoluDiib-Revize.bat
Verdict:
Suspicious activity
Analysis date:
2025-11-02 14:01:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0d16358f-7219-4d4f-be8c-7c2747e43503

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/35000/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690764cd706befaf4ecb29f8
Tags:
xtreme shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Connection attempt to an infection source
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the %AppData% directory
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Query of malicious DNS domain
Sending a TCP request to an infection source
Using obfuscated Powershell scripts
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 obfuscated powershell
Link:
https://www.filescan.io/uploads/6907646bbe20d933485b3ecd/reports/428d7f0a-6645-4146-9014-a454aa48e144/overview
Verdict:
Suspicious
Labled as:
BAT/Agent.BDZ1
Link:
https://www.hybrid-analysis.com/sample/d012a92e43408d373db49ebc99461bf4dbbbd0ab1f7d07d0f96650ea849ac147
Verdict:
Malicious
File Type:
ps1
First seen:
2025-11-02T07:49:00Z UTC
Last seen:
2025-11-04T10:12:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan.Script.Generic HEUR:Trojan.BAT.Obfuscated.gen
Link:
https://opentip.kaspersky.com/d012a92e43408d373db49ebc99461bf4dbbbd0ab1f7d07d0f96650ea849ac147/results?tab=lookup
Score:
90%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/d012a92e43408d373db49ebc99461bf4dbbbd0ab1f7d07d0f96650ea849ac147
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d012a92e43408d373db49ebc99461bf4dbbbd0ab1f7d07d0f96650ea849ac147/
Verdict:
Malicious
Threat:
Trojan.BAT.Obfuscated
Link:
https://tip.neiki.dev/file/d012a92e43408d373db49ebc99461bf4dbbbd0ab1f7d07d0f96650ea849ac147
Threat name:
Script-PowerShell.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2025-11-02 14:03:44 UTC
File Type:
Text
AV detection:
8 of 23 (34.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ajkslsdicgtopnut26jsrq36tn3xufld56qpuhzmziovbe2yfdq._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos collection discovery execution rat
Link:
https://tria.ge/reports/251102-rb5ags1mhx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Remcos
Remcos family
Malware Config
C2 Extraction:
fteamez7iurs02.duckdns.org:12760
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d012a92e4340/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Batch (bat) bat d012a92e43408d373db49ebc99461bf4dbbbd0ab1f7d07d0f96650ea849ac147

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/35000/

Comments