MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc06752bce3e55d5122cc6588af713c966feb9133b2f3ae44d7086f7295a76c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 19


Intelligence 19 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc06752bce3e55d5122cc6588af713c966feb9133b2f3ae44d7086f7295a76c6
SHA3-384 hash: 5bcf46e61bbdf6fdcde61bf8ee7d6a37ebf8f46703ea5a8a36192750285d6864c9b2c98dab4a351a4215585ce4a27a3c
SHA1 hash: 211ecf6f93b76cea50d64368dcff40a3ca5ade90
MD5 hash: 95c795b57adb42f24cec6d6adb7bdc1b
humanhash: white-april-wisconsin-mobile
File name:NSGICqPiD1bNo4n.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:994'816 bytes
First seen:2025-11-24 14:41:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:Ftzu6iXzOVNMSPsmsF2oWBOChyT9xY8yTmeqhFFs1:7q6U6VNpsoOBXyCVZo
Threatray 1'805 similar samples on MalwareBazaar
TLSH T1192512612699EA02E8B60FB409B5E2B897B5BD59A421C3068EFFBCDF78757415D003C3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
NSGICqPiD1bNo4n.exe
Verdict:
Malicious activity
Analysis date:
2025-11-24 14:52:51 UTC
Tags:
remcos rat auto-sch-xml remote evasion stealer
Link:
https://app.any.run/tasks/333b87dd-b1e5-449a-b095-8395a92b0097

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/41296/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69246f0f5d7fac83ebf27329
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
DNS request
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/69246ef1deea95d50b257963/reports/2d862bf0-da10-4ea1-bd11-224fa68bd639/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/dc06752bce3e55d5122cc6588af713c966feb9133b2f3ae44d7086f7295a76c6
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-17T04:49:00Z UTC
Last seen:
2025-11-18T08:08:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.Agent.sb Trojan.Agent.HTTP.C&C Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb HEUR:Trojan.MSIL.Taskun.sb Trojan-Dropper.Win32.Injector.sb Trojan-Dropper.Win32.Agent.sb Trojan.MSIL.Crypt.sb PDM:Trojan.Win32.Generic HEUR:Trojan-Spy.MSIL.Noon.gen Backdoor.Win32.Remcos.sb
Link:
https://opentip.kaspersky.com/dc06752bce3e55d5122cc6588af713c966feb9133b2f3ae44d7086f7295a76c6/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8cf750a4-ba9e-45cc-ad21-99d004358b97
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/dc06752bce3e55d5122cc6588af713c966feb9133b2f3ae44d7086f7295a76c6
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.38 Win 32 Exe x86
Link:
https://app.malva.re/file/95c795b57adb42f24cec6d6adb7bdc1b
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dc06752bce3e55d5122cc6588af713c966feb9133b2f3ae44d7086f7295a76c6/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/dc06752bce3e55d5122cc6588af713c966feb9133b2f3ae44d7086f7295a76c6
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-11-18 04:28:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
25 of 36 (69.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3qdhkk6ohzk5kermyzmiv5ytzftp5oithmxtvzcnocdpokk2o3da._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
unc_loader_078
Create hunting rule
remcos
Create hunting rule
Similar samples:
0f34330b58ea8d40bff07b3acfba87984f4e1197632b23f7147cc0ff5a9212f9
RemcosRAT
8090d733578327c6b42ba49b4dba0ac43fb8cbeffb0d565cbd6609b93e13dd5b
RemcosRAT
8ebd003e1a80ebe1ca3d678c0d308ea45c060c2eeda6771dffe4e3772a1cfd61
RemcosRAT
aa7130af56cb7b9d0cc21651e5032fd8a0a002222e1338f7c05a54437fa023b3
RemcosRAT
da667f87b118e222887a612d5f45bb74d329872e1042b21af36555fb75b7288c
RemcosRAT
dc06752bce3e55d5122cc6588af713c966feb9133b2f3ae44d7086f7295a76c6
RemcosRAT
error
RemcosRAT
+ 1'795 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos defense_evasion discovery execution persistence rat trojan
Link:
https://tria.ge/reports/251124-r3hkssgj6y/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Remcos
Remcos family
UAC bypass
Malware Config
C2 Extraction:
37.120.155.34:2469
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f118588b-2832-4691-ad5d-f65115571c1f
Unpacked files
SH256 hash:
dc06752bce3e55d5122cc6588af713c966feb9133b2f3ae44d7086f7295a76c6
MD5 hash:
95c795b57adb42f24cec6d6adb7bdc1b
SHA1 hash:
211ecf6f93b76cea50d64368dcff40a3ca5ade90
Link:
https://www.unpac.me/results/e2873045-6160-4102-ae48-63272adfdb32/
SH256 hash:
0748253bb84d8fd3277d926bee9aae97560c37921ccb3d1dbf3199fae3e62a20
MD5 hash:
0b2dd04f55951e3d7e42268c47161128
SHA1 hash:
1b4cd4e9944032fe88cac5dc0c5fc46d2189b327
Link:
https://www.unpac.me/results/e2873045-6160-4102-ae48-63272adfdb32/
SH256 hash:
b697f5bc215fc82f85842c32f2ff3ea82a983b479fda069ca443a534cc7b7167
MD5 hash:
22163fe98af1d905e5ac534d1144f9e6
SHA1 hash:
5178047d67c2bb384acd8e2f55749c8daefc99e8
Detections:
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
Remcos
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Link:
https://www.unpac.me/results/e2873045-6160-4102-ae48-63272adfdb32/
Parent samples :
935472ec0746ee4c02fbf1e4306d8995955d1d8be8dd6ba19933928d3c4fa5a3
dc06752bce3e55d5122cc6588af713c966feb9133b2f3ae44d7086f7295a76c6
7cc6b476fa83fe157ece10867c61b37587d9d425e26bf26ef16b5f13d38f2c44
4e34822a9cccaf17a60bee19d98b6663bb1d81134a490d5812f4b399b40694bd
99562c4b1720a4d4289d7563e2b40e3910f8295587ab07d0b95cc81a91fe309b
e401c37dcfe4433d2b0fdbe449f905554b5449d397eb18e2c78cca0b10dc113b
SH256 hash:
2a57406f0f8281bdeb18d420cce27bb19e028a88928ab1f3511ee7af2ec2f5c7
MD5 hash:
0df7c2ff58ca622ba7e71982a954014b
SHA1 hash:
79eb427202c2ba6137230b6806b3f1d915aff1ca
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/e2873045-6160-4102-ae48-63272adfdb32/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dc06752bce3e55d5122cc6588af713c966feb9133b2f3ae44d7086f7295a76c6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe dc06752bce3e55d5122cc6588af713c966feb9133b2f3ae44d7086f7295a76c6

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/41296/

Comments