MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d25cb20e8516de827aaac00dd75638290b28d8a4ab4c8721c4f0d9cccd33f2c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 15

SHA256 hash: d25cb20e8516de827aaac00dd75638290b28d8a4ab4c8721c4f0d9cccd33f2c7
SHA3-384 hash: 9f322151fb033158e3f1d9e4b600ce41c51a20277e5376db9ee09a8fc3b646bb34e23bf719fce8906134068061a4b53b
SHA1 hash: 4beab76aae52f87ededf5231e063b05787863c81
MD5 hash: 496a3b154fc5024bbdc83facc1b3e76b
humanhash: yellow-mississippi-california-vegan
File name: scan.exe
Signature: RemcosRAT
File size: 737'184 bytes
First seen: 2026-01-27 07:36:39 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 103 x GuLoader, 64 x DiamondFox)
ssdeep: 12288:MgN9Fhsuv2/XOm/MpcQPl2J4UEpU6GoHLTYrIenKlf5GCexx6C7uQbd9SkZD:MgN9FhsP/XOqm2pEzgZxxx6CyQbdvR
Threatray: 2'527 similar samples on MalwareBazaar
TLSH: T162F423042958A077D6B64A321DF9B3757BA43C7E2DB81B0F33A15F0EB4BBAB14814B54
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: a67773555d7973a6 (7 x RemcosRAT, 2 x GuLoader)
Reporter: lowmal3
Tags: exe RemcosRAT signed

Code Signing Certificate

Organisation: Cuve
Issuer: Cuve
Algorithm: sha256WithRSAEncryption
Valid from: 2026-01-23T08:34:23Z
Valid to: 2027-01-23T08:34:23Z
Serial number: 704b307b3226799f7f07a763ae8001cce2644ce5
Thumbprint Algorithm: SHA256
Thumbprint: dbdb320454c47e6e9c4951e0487c8f1beaca9da0febb0d04b9ed73efc24d8493
Source: ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 131
Origin country: DE
Vendor Threat Intelligence
ID: 1
File name: 86ab1a0f919fb2d5c693e3b2c208e0caf2c20ec4e25c6aab40c351fd37f7d324.zip
Verdict: Malicious activity
Analysis date: 2026-01-27 05:16:21 UTC
Tags: arch-exec remcos rat auto-reg
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 70%
Tags: injection obfusc crypt

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: adaptive-context anti-debug blackhole installer installer installer-heuristic microsoft_visual_cc nsis overlay signed similar-threat

Verdict: Malicious
File Type: exe x32
First seen: 2026-01-26T23:49:00Z UTC
Last seen: 2026-01-29T04:38:00Z UTC
Hits: ~1000
Detections: Trojan.NSIS.Makoob.sba Backdoor.Win32.Remcos.sb HEUR:Trojan.Win32.GuLoader.gen Trojan-Dropper.Win32.Injector.sb Trojan-Downloader.Win32.Minix.sb Trojan.Win32.Guloader.sb VHO:Backdoor.Win32.Remcos.gen
Result
Threat name: GuLoader
Detection: malicious
Classification: troj.evad
Score: 92 / 100
Signature:
AI detected suspicious PE digital signature
Antivirus / Scanner detection for submitted sample
Found direct / indirect Syscall (likely to bypass EDR)
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Unusual module load detection (module proxying)
Yara detected GuLoader
Threat name: Win32.Trojan.Guloader
Status: Malicious
First seen: 2026-01-27 02:35:55 UTC
File Type: PE (Exe)
Extracted files: 30
AV detection: 16 of 24 (66.67%)
Threat level: 5/5
Result
Score: 10/10
Tags: family:guloader family:remcos botnet:remotehost collection discovery downloader persistence rat
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Contacts third-party web service commonly abused for C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detected Nirsoft tools
NirSoft MailPassView
Guloader family
Guloader,Cloudeye
Remcos
Remcos family
Malware Config
C2 Extraction: 194.156.79.17:2404
Unpacked files
SHA256 hash: d25cb20e8516de827aaac00dd75638290b28d8a4ab4c8721c4f0d9cccd33f2c7
MD5 hash: 496a3b154fc5024bbdc83facc1b3e76b
SHA1 hash: 4beab76aae52f87ededf5231e063b05787863c81

SHA256 hash: acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
MD5 hash: 6e55a6e7c3fdbd244042eb15cb1ec739
SHA1 hash: 070ea80e2192abc42f358d47b276990b5fa285a9
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Detect_NSIS_Nullsoft_Installer
Author: Obscurity Labs LLC
Description: Detects NSIS installers by .ndata section + NSIS header string

Rule name: PE_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Signature: RemcosRAT
Sample: Executable exe d25cb20e8516de827aaac00dd75638290b28d8a4ab4c8721c4f0d9cccd33f2c7 (this sample)
