MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9015194f6a3d0f5b47447924127b970690bb1ea0d957ce412e0c83ba604c9aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d9015194f6a3d0f5b47447924127b970690bb1ea0d957ce412e0c83ba604c9aa
SHA3-384 hash: f77337484d3f02957e72729462ef83ca929af47fc99ac05191e5f7843075aacd0d0e8243f037d10876a81a578fc4aee1
SHA1 hash: 7f5678f2771d99fee87d30f50b0e4060f5196710
MD5 hash: 4e50e8da0f46df334c393a334f3c19a9
humanhash: july-robert-echo-saturn
File name:DHM6454.bat
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:726'568 bytes
First seen:2025-03-05 14:05:10 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 12288:cuHf9uj95g5ZtEEB/sIL/XJ+5Hkc+RWhln0JjNAbKtOSJErycb80GTqJcDOSen78:g95g5ZtEEB/sS2k0l+jNRbErycbUDdUY
Threatray 513 similar samples on MalwareBazaar
TLSH T16FF4123CCFA5BED8871EB1D4116E3F4E419E2F83B969AB4CB2D204954904B85EFB644C
Magika vba
Reporter abuse_ch
Tags:bat RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
45.74.46.39:3990

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.74.46.39:3990 https://threatfox.abuse.ch/ioc/1441495/

Intelligence

File Origin
# of uploads :
1
# of downloads :
124
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHM6454.bat
Verdict:
No threats detected
Analysis date:
2025-03-05 14:09:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/66eeb1d8-00f5-4499-a1e7-e2d258e30115

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan-Downloader.VBS.Agent.6900.6845.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67c85b0cc668b65489bf302a
Tags:
obfuscate autorun xtreme shell
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/67c85a26e95d0f9029e458bc/reports/a491b0b5-b271-4035-8b86-d01da291e2ac/overview
Verdict:
Suspicious
Labled as:
BAT/Agent.AZY
Link:
https://www.hybrid-analysis.com/sample/d9015194f6a3d0f5b47447924127b970690bb1ea0d957ce412e0c83ba604c9aa
Result
Verdict:
MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Result
Threat name:
Batch Injector, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1630133
Signature
.NET source code contains a sample name check
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious PowerShell Parameter Substring
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Uses dynamic DNS services
Yara detected Batch Injector
Yara detected Powershell decode and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1630133 Sample: DHM6454.bat Startdate: 05/03/2025 Architecture: WINDOWS Score: 100 61 sarok7lmoutsg1.duckdns.org 2->61 63 geoplugin.net 2->63 71 Suricata IDS alerts for network traffic 2->71 73 Found malware configuration 2->73 75 Malicious sample detected (through community Yara rule) 2->75 79 15 other signatures 2->79 8 cmd.exe 1 2->8         started        11 cmd.exe 1 2->11         started        13 cmd.exe 1 2->13         started        15 2 other processes 2->15 signatures3 77 Uses dynamic DNS services 61->77 process4 signatures5 85 Suspicious powershell command line found 8->85 87 Bypasses PowerShell execution policy 8->87 17 cmd.exe 3 8->17         started        20 conhost.exe 8->20         started        22 cmd.exe 2 11->22         started        24 conhost.exe 11->24         started        26 cmd.exe 2 13->26         started        28 conhost.exe 13->28         started        30 cmd.exe 2 15->30         started        32 cmd.exe 2 15->32         started        34 2 other processes 15->34 process6 signatures7 69 Suspicious powershell command line found 17->69 36 powershell.exe 4 34 17->36         started        41 conhost.exe 17->41         started        43 conhost.exe 22->43         started        45 powershell.exe 22->45         started        47 conhost.exe 26->47         started        49 powershell.exe 26->49         started        55 2 other processes 30->55 51 conhost.exe 32->51         started        53 powershell.exe 32->53         started        process8 dnsIp9 65 sarok7lmoutsg1.duckdns.org 45.74.46.39, 3990, 49710 M247GB United States 36->65 67 geoplugin.net 178.237.33.50, 49721, 80 ATOM86-ASATOM86NL Netherlands 36->67 57 C:\Users\user\AppData\Roaming\kalmzots.dat, data 36->57 dropped 59 C:\Users\user\...\StartupScript_3ddea058.cmd, ASCII 36->59 dropped 81 Found suspicious powershell code related to unpacking or dynamic code loading 36->81 83 Installs a global keyboard hook 36->83 file10 signatures11
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/d9015194f6a3d0f5b47447924127b970690bb1ea0d957ce412e0c83ba604c9aa
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d9015194f6a3d0f5b47447924127b970690bb1ea0d957ce412e0c83ba604c9aa/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3eavdfhwupiplndui6jecj5zobuqxmpkbwkxzzas4dedxjqezgva._file
Verdict:
malicious
Label(s):
donut_injector
Create hunting rule
remcos
Create hunting rule
Similar samples:
1d6a540ec5c26039979eb96d9c53b949694d5e95b7bedd7f941f49336c06534e
RemcosRAT
3d00bc1dd8a3a44661a7a4ed462d401b872d06d7111713d795ffc6327c82ad8d
RemcosRAT
4816f58220b5e07a83eb4a918fe200eb7317472efee4f9f1b27ab3de2a01ff9e
RemcosRAT
4cfc84d46074142fa3204777ac1a0cbd7ea155fcaf0739388df5d098abf8d7f4
RemcosRAT
ad4e305243eea4eb48308ce4bccd6b999ed93f9810a82236987187fda9e12de1
RemcosRAT
b0e00df53609548413531846ab86d5e717ed814d7f57c503e49f927aabebec58
RemcosRAT
error
RemcosRAT
f96d8c627027bb1530f7e499e6e86c8f6b1724a2edab6e4faeaf10fea74be0ae
RemcosRAT
+ 503 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/250305-rd1ebazydz/
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops startup file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d9015194f6a3d0f5b47447924127b970690bb1ea0d957ce412e0c83ba604c9aa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Remcos_unpacked_PulseIntel
Create hunting rule
Author:PulseIntel
Description:Remcos Payload
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:win_remcos_rat_unpacked
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:win_remcos_w0
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:yarahub_win_remcos_rat_unpacked_aug_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments