MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1805bb55498f94da1f9040517f7baaaacf2d4f77cdb6cd44a9436115dd12be9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 38 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1805bb55498f94da1f9040517f7baaaacf2d4f77cdb6cd44a9436115dd12be9
SHA3-384 hash: 12df8fb7561bc22e697ca9662e2da6401da8b78c92397a7fef57c8559d3a016dff3980cba186e5501dd8469393030f04
SHA1 hash: e5d929209bd61a0522ecaf4c1662dcb0f220456b
MD5 hash: c9741c83dadc26e3ae291207d494e91f
humanhash: sink-oven-illinois-quiet
File name:1x40' HQ 國際北川 SO3611-0421 KEELUNG - 中遠 EVER MAGUS V-1432-004E (AAS3-D3E-003E) .pdf.scr
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'283'584 bytes
First seen:2026-03-23 04:46:44 UTC
Last seen:2026-03-23 05:37:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'845 x AgentTesla, 19'778 x Formbook, 12'302 x SnakeKeylogger)
ssdeep 24576:ZdHMJ/XLR5+WlU5rLil/RRL71MwVSaqtcG+aHhC8wZzEGZjV/UCVmjSA2:ZBMJzR5+WlU5r8RL71McSaqqG+K89NzS
Threatray 2'189 similar samples on MalwareBazaar
TLSH T16F551211AB5BCC53E1BA1BB4A9D2E47007B49E4DE827D28B4FD93CE73623B851945383
TrID 70.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win64 Executable (generic) (6522/11/2)
4.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter threatcat_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
127
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
NETReactor RoboSki
Details
NETReactor
decrypted strings
RoboSki
a decrypted ReZer0 component and possibly a decryption component
Link:
https://research.acce.ciphertechsolutions.com/results/bf6e072f-5398-4e44-9a83-5cee558e4f5e/
Malware family:
remcos
Create hunting rule
ID:
1
File name:
_d1805bb55498f94da1f9040517f7baaaacf2d4f77cdb6cd44a9436115dd12be9.exe
Verdict:
Malicious activity
Analysis date:
2026-03-23 04:48:22 UTC
Tags:
netreactor remcos rat auto-reg
Link:
https://app.any.run/tasks/bd30742f-44d0-427a-a16b-594d2176632b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.11872516.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69c0c5d9aacb4c376b12f1ed
Tags:
underscore lien
Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypt formbook krypt masquerade net_reactor obfuscated packed packed unsafe vbnet
Link:
https://www.filescan.io/uploads/69c0c5d42000fc76c3f7f8f8/reports/b883ddb2-de27-4438-b6d7-869ba6aab1b1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d1805bb55498f94da1f9040517f7baaaacf2d4f77cdb6cd44a9436115dd12be9
Result
Gathering data
Verdict:
Malicious
File Type:
exe x32
Link:
https://opentip.kaspersky.com/d1805bb55498f94da1f9040517f7baaaacf2d4f77cdb6cd44a9436115dd12be9/results?tab=lookup
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dcf847d8-42be-4f40-902e-54c734812fa7
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1887400
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates autostart registry keys with suspicious names
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Unusual module load detection (module proxying)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1887400 Sample: b#U5317#U5ddd SO3611-0421 K... Startdate: 23/03/2026 Architecture: WINDOWS Score: 100 64 Suricata IDS alerts for network traffic 2->64 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 19 other signatures 2->70 9 b#U5317#U5ddd SO3611-0421 KEELUNG - #U4e2d#U9060 EVER MAGUS V-1432-004E (AAS3-D3E-003E) .pdf.scr.exe 3 2->9         started        13 Edge.exe 2 2->13         started        15 Edge.exe 2 2->15         started        17 Edge.exe 2->17         started        process3 file4 60 b#U5317#U5ddd SO36...E) .pdf.scr.exe.log, ASCII 9->60 dropped 86 Injects a PE file into a foreign processes 9->86 19 b#U5317#U5ddd SO3611-0421 KEELUNG - #U4e2d#U9060 EVER MAGUS V-1432-004E (AAS3-D3E-003E) .pdf.scr.exe 2 4 9->19         started        23 conhost.exe 9->23         started        25 Edge.exe 13->25         started        27 Edge.exe 15->27         started        29 Edge.exe 17->29         started        signatures5 process6 file7 50 C:\ProgramDatadgedge.exe, PE32 19->50 dropped 52 C:\ProgramData\...dge.exe:Zone.Identifier, ASCII 19->52 dropped 72 Creates autostart registry keys with suspicious names 19->72 31 Edge.exe 3 19->31         started        signatures8 process9 signatures10 88 Antivirus detection for dropped file 31->88 90 Multi AV Scanner detection for dropped file 31->90 92 Found hidden mapped module (file has been removed from disk) 31->92 94 3 other signatures 31->94 34 Edge.exe 4 4 31->34         started        39 Edge.exe 31->39         started        process11 dnsIp12 62 172.94.15.100, 49693, 49694, 6075 VOXILITYGB United States 34->62 54 C:\Users\user\AppData\Local\Temp\THC2D2.tmp, MS-DOS 34->54 dropped 56 C:\Users\user\AppData\Local\Temp\THC17A.tmp, MS-DOS 34->56 dropped 58 C:\Users\user\AppData\Local\Temp\THC10B.tmp, MS-DOS 34->58 dropped 74 Maps a DLL or memory area into another process 34->74 41 svchost.exe 1 34->41         started        44 svchost.exe 1 34->44         started        46 svchost.exe 34->46         started        48 2 other processes 34->48 file13 signatures14 process15 signatures16 76 Tries to steal Instant Messenger accounts or passwords 41->76 78 Tries to harvest and steal browser information (history, passwords, etc) 41->78 80 Tries to steal Mail credentials (via file / registry access) 44->80 82 Tries to steal Mail credentials (via file registry) 46->82 84 Unusual module load detection (module proxying) 46->84
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d1805bb55498f94da1f9040517f7baaaacf2d4f77cdb6cd44a9436115dd12be9
Gathering data
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d1805bb55498f94da1f9040517f7baaaacf2d4f77cdb6cd44a9436115dd12be9/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/d1805bb55498f94da1f9040517f7baaaacf2d4f77cdb6cd44a9436115dd12be9
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2gafxnkutd4u3ipzaqcrp552vkwpfvhxptnwzvcksq3bcxorfpuq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
49af01f9215248c4f6a5e180940b0ad6c1b7bf596b8b9c4eb8251a4dc81eacad
RemcosRAT
86bd0fb523c233fe4e82fbb0f614482c65736dea768816f6d0b44cecbdb07535
RemcosRAT
a8997f7b77f90d348f1a55cde634f4e89a6cbef5f5914391663f31e69a244275
RemcosRAT
be2142e2818d4df10efca8b223a823dae8dbcc0679e8e19a94fa9ae729c34273
RemcosRAT
d1805bb55498f94da1f9040517f7baaaacf2d4f77cdb6cd44a9436115dd12be9
RemcosRAT
error
RemcosRAT
+ 2'179 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/260323-fenalaev9r/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Unpacked files
SH256 hash:
d1805bb55498f94da1f9040517f7baaaacf2d4f77cdb6cd44a9436115dd12be9
MD5 hash:
c9741c83dadc26e3ae291207d494e91f
SHA1 hash:
e5d929209bd61a0522ecaf4c1662dcb0f220456b
Link:
https://www.unpac.me/results/91cbd301-156e-4e77-8bca-185b3fda0f7c/
SH256 hash:
0cb56e30226f2c165c131d7ed52e3f1cb6524baaa59ced2562ca3f2424571abc
MD5 hash:
61c512cc35c583c4d066f6d7f2726296
SHA1 hash:
6233237b8cda39500d478cf93b1c9f8af44d472d
Detections:
win_remcos_auto
Create hunting rule
win_remcos_w0
Create hunting rule
Remcos
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Link:
https://www.unpac.me/results/91cbd301-156e-4e77-8bca-185b3fda0f7c/
Parent samples :
eef6a2be2d108d13d18f38a61013bab9be3290a8a8f1a2ef1b632731367372d0
a8997f7b77f90d348f1a55cde634f4e89a6cbef5f5914391663f31e69a244275
014f82191da6caeb5662632441b2793fa4ed776f53913b5bac0d47133796397b
52a553cb4f8949d238242a420e1e2ff71fe479d5bf6d59f2dba9aa3e566b0ce5
4957eae300223c437c380ab6b66ed5f90dc8820f225a377c1824b63b0b1d7481
49af01f9215248c4f6a5e180940b0ad6c1b7bf596b8b9c4eb8251a4dc81eacad
d1805bb55498f94da1f9040517f7baaaacf2d4f77cdb6cd44a9436115dd12be9
SH256 hash:
b9abdf181a8746c43cd3665ce5c45ff33ddb8916b400454a26b2cb3e346bc194
MD5 hash:
e29ddeebef1fd4ef69698fa2ee7b1d65
SHA1 hash:
919b0e3bfc023f595dfb4e83688a96970dc5fa2b
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/91cbd301-156e-4e77-8bca-185b3fda0f7c/
Parent samples :
8b012d3d775bd32f503cb84a6889d786c06623eeb8c840bd8c03073971530f52
88e156291d0a765e5c9b60daa6bd53c6ad75022e63ab286effe120aa6c16c222
316fee57d6004b1838576bb178215c99b56a0bd37a012e8650cd2898041f6785
046ebdd9e30338c5c6880ca8e8c7da3c37a3fd05611e9c21310ec5989f98095a
9612b142e2991ff8c9b66b283b9727cd8d2b5afff8521e8bb8806d36dcab5c43
08a1f9ca335c195d028e5f47b94f7e3b56945332b5f503ef60cdbba99c27998f
f034f4756f307c1c27424059cec7bc7f975493377588e086ea94721b38a68999
6a3368fb5ffab1283df539c6f17cb1244b563f5a3ad94d96adcde2dcadab66ae
7c40815633530147ad907fdc252aad2761fe35088020db35c4325dcc0f4d3329
dc31630436166d019ad9472db3b82f498ad0ed02d4cbd6a000d8b0dcee246e3b
d1805bb55498f94da1f9040517f7baaaacf2d4f77cdb6cd44a9436115dd12be9
4fb1c62f75a74fc547b2aa6ce7d8d147419212045f4d0a83d571fb93e4610613
b9abdf181a8746c43cd3665ce5c45ff33ddb8916b400454a26b2cb3e346bc194
94826673c7f54435e62ddb5d187cd852cbbadd0ddeab528bb7ccc0def7f65a73
2804023cb811e89cd1fc6bec5614a689929a3c23f68939142176c7b2fbdd4b9f
SH256 hash:
0321fd36862318b1d774cf02c32992fe4a9625b24d202a1d5bcd49ca01141176
MD5 hash:
d06a21196d9254e51b7244fd6dfe16bb
SHA1 hash:
b9a7f3150e9d6caa0a7eca1cf36e84f015c299f6
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/91cbd301-156e-4e77-8bca-185b3fda0f7c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d1805bb55498f94da1f9040517f7baaaacf2d4f77cdb6cd44a9436115dd12be9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Remcos_unpacked_PulseIntel
Create hunting rule
Author:PulseIntel
Description:Remcos Payload
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:TeslaCryptPackedMalware
Create hunting rule
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:Windows_Trojan_Remcos_921ef449
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:win_remcos_rat_unpacked
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:win_remcos_w0
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:yarahub_win_remcos_rat_unpacked_aug_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe d1805bb55498f94da1f9040517f7baaaacf2d4f77cdb6cd44a9436115dd12be9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/58750/

Comments