MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d176fe5a5daf624834ecda3144e11ca2c3395de8cde5eed0263bb3caac597096. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	d176fe5a5daf624834ecda3144e11ca2c3395de8cde5eed0263bb3caac597096
SHA3-384 hash:	13f3762e3d555a7a9bcc6ee84ae451772ada1c7bc9a0bbe3bccc4c9d25e7972c011ecd57201df0dfc01a1f501ee998ed
SHA1 hash:	79964fa3ee9bd2d03a3b195d513a3f3c1682b348
MD5 hash:	313facb378fb39e3470aeede68ae1872
humanhash:	tennessee-cola-happy-lemon
File name:	d176fe5a5daf624834ecda3144e11ca2c3395de8cde5eed0263bb3caac597096
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	900'296 bytes
First seen:	2025-11-06 10:59:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b34f154ec913d2d2c435cbd644e91687 (541 x GuLoader, 116 x RemcosRAT, 80 x EpsilonStealer)
ssdeep	24576:x3v04ToMQ+qUnTNhtIduN5hUI5iD1AG5nME5qU:x3hZqYTNHIduN071r5MEYU
TLSH	T1F9152300BB40D8EEDDB64770097F963A1673BD2A9A704B1F234E76B96773AC13469603
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	adrian__luca
Tags:	exe RemcosRAT signed

Code Signing Certificate

Organisation:	Ligedeling
Issuer:	Ligedeling
Algorithm:	sha256WithRSAEncryption
Valid from:	2025-09-11T05:28:23Z
Valid to:	2026-09-11T05:28:23Z
Serial number:	35396232f5898ef70ea8dba08630af94fd3282e1
Thumbprint Algorithm:	SHA256
Thumbprint:	0f767b9d89f30515826a5c0d833db53fe10b1aef1b00a8b5a9dc4900f8cf7f7d
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

d176fe5a5daf624834ecda3144e11ca2c3395de8cde5eed0263bb3caac597096

Verdict:

Malicious activity

Analysis date:

2025-11-06 17:22:59 UTC

Tags:

remcos rat auto-reg remote stealer

Link:

https://app.any.run/tasks/5c5cb1ad-8840-4a62-9a79-5e34a32de253

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/35968/

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=690c7fa55a5ed7864e237836

Tags:

injection obfusc blic

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Creating a file in the %AppData% subdirectories

Creating a file

Creating a file in the %temp% directory

Delayed reading of the file

DNS request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Gathering data

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/d176fe5a5daf624834ecda3144e11ca2c3395de8cde5eed0263bb3caac597096

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-20T16:46:00Z UTC

Last seen:

2025-11-08T05:52:00Z UTC

Hits:

~10000

Link:

https://opentip.kaspersky.com/d176fe5a5daf624834ecda3144e11ca2c3395de8cde5eed0263bb3caac597096/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/77af2097-2d78-421f-b40d-81512c84e145

Score:

84%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d176fe5a5daf624834ecda3144e11ca2c3395de8cde5eed0263bb3caac597096

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/313facb378fb39e3470aeede68ae1872

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d176fe5a5daf624834ecda3144e11ca2c3395de8cde5eed0263bb3caac597096/

Threat name:

Win32.Backdoor.Remcos

Status:

Suspicious

First seen:

2025-10-20 19:44:30 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2f3p4ws5v5reqnhm3iyujyi4ulbtsxpizxs65ubghoz4vlczocla._file

Verdict:

malicious

Label(s):

remcos

Similar samples:

error

RemcosRAT

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos collection discovery persistence rat

Link:

https://tria.ge/reports/251106-m4g87sfw4a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Launches sc.exe

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses Microsoft Outlook accounts

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Detected Nirsoft tools

NirSoft MailPassView

NirSoft WebBrowserPassView

Remcos

Remcos family

Malware Config

C2 Extraction:

209.54.101.159:5@001

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/957f483c-eda3-44f4-879e-d2513156bd51

Unpacked files

SH256 hash:

d176fe5a5daf624834ecda3144e11ca2c3395de8cde5eed0263bb3caac597096

MD5 hash:

313facb378fb39e3470aeede68ae1872

SHA1 hash:

79964fa3ee9bd2d03a3b195d513a3f3c1682b348

Link:

https://www.unpac.me/results/e197857d-4b89-4326-97b0-7a348524c824/

SH256 hash:

86c8ee210e6611383a634dcb8c60455063ddae3d7adccbeacf3adf7bf2a46676

MD5 hash:

d2e45dd852a659e11897df573832f381

SHA1 hash:

19990ee627c95b6c18d3b5c5f0ec5c24791d0af5

Link:

https://www.unpac.me/results/e197857d-4b89-4326-97b0-7a348524c824/

SH256 hash:

c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

MD5 hash:

9625d5b1754bc4ff29281d415d27a0fd

SHA1 hash:

80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

Link:

https://www.unpac.me/results/e197857d-4b89-4326-97b0-7a348524c824/

Malware family:

GuLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d176fe5a5daf/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.72

Link:

https://yomi.yoroi.company/submissions/d176fe5a5daf624834ecda3144e11ca2c3395de8cde5eed0263bb3caac597096

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_NSIS_Nullsoft_Installer Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects NSIS installers by .ndata section + NSIS header string

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/35968/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample