MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dcc20a9327c8d27cf24b5a51797d22f670d1d4de38ed8b66130d01ecb0b15800. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 8

Intelligence 8 IOCs 1 YARA 5 File information Comments

SHA256 hash:	dcc20a9327c8d27cf24b5a51797d22f670d1d4de38ed8b66130d01ecb0b15800
SHA3-384 hash:	4ed2d5b78df4ce3bb9aac820867077ffcf5d28a2224642b4c3b6c1ebceaa03567b582d68d7161bb24ad6040cfc7de29d
SHA1 hash:	9addc6297448010718ea5220e2a731b2ea3bb5a3
MD5 hash:	13233bb47fe9e458087debda6487a4bb
humanhash:	single-illinois-moon-oxygen
File name:	Room Reservation.rar
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	362'165 bytes
First seen:	2025-08-29 16:14:46 UTC
Last seen:	Never
File type:	rar
MIME type:	application/x-rar
ssdeep	6144:hfrYJ7j5ecQyNaSw92A52xHMQGmcGCsi6pczakqDz3B63IumJsiqzFDzOXN1VDwA:tYx5vCxclGZZsZ2zwXR6YumJsinN1VMA
TLSH	T1557423D8240ADA2351716F81EC9EDBEABA4B060D416835F9B3779DCBF0784470725EC5
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika	rar
Reporter	FatzQatz
Tags:	acrobat-adobe-com booking mauasas35safael1-duckdns-org rar remcos RemcosRAT

FatzQatz

Phishing email contains Acrobat Adobe Link link, led to a malicious RAR download page.

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
104.250.169.71:1771	https://threatfox.abuse.ch/ioc/1577724/

Intelligence

File Origin

# of uploads :

# of downloads :

411

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	Room Reservation.exe
File size:	382'489 bytes
SHA256 hash:	f96bd02dd102b92f6e980f6b8e53a51205eb588a1bb29f3f96aaaa9e0d4f93da
MD5 hash:	b6d5a379b847db54979569ef86ec9e73
MIME type:	application/x-dosexec
Signature	RemcosRAT

Vendor Threat Intelligence

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68b1d240eb163e0ec18310e8

Tags:

injection injector virus

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context anti-debug guloader installer microsoft_visual_cc nsis overlay

Link:

https://www.filescan.io/uploads/68b1d23a39a6221faa75395d/reports/57bf5eed-a1c7-4b28-873b-d563c3f70e32/overview

Verdict:

Suspicious

Labled as:

Trojan.Downloader

Link:

https://www.hybrid-analysis.com/sample/dcc20a9327c8d27cf24b5a51797d22f670d1d4de38ed8b66130d01ecb0b15800

Verdict:

Malicious

File Type:

Rar

First seen:

2025-08-26T21:51:00Z UTC

Last seen:

2025-08-26T21:51:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/dcc20a9327c8d27cf24b5a51797d22f670d1d4de38ed8b66130d01ecb0b15800/results?tab=lookup

Verdict:

inconclusive

YARA:

1 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Rar Archive

Link:

https://app.malva.re/file/13233bb47fe9e458087debda6487a4bb

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dcc20a9327c8d27cf24b5a51797d22f670d1d4de38ed8b66130d01ecb0b15800/

Threat name:

Win32.Trojan.Nemesis

Status:

Malicious

First seen:

2025-08-29 16:16:09 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

17 of 36 (47.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3tbavezhzdjhz4slljixs7jc6zyndvg6hdwywzqtbua6zmfrlaaa._file

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:send discovery persistence rat

Link:

https://tria.ge/reports/250829-ty1a6afq2v/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Windows directory

Drops file in System32 directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Remcos

Remcos family

Malware Config

C2 Extraction:

mauasas35safael1.duckdns.org:1771
mauasas35safael1.duckdns.org:1772
mauasas35safael2.duckdns.org:1771
mauasas35safael3.duckdns.org:1771
mauasas35safael4.duckdns.org:1771
mauasas35safael5.duckdns.org:1771

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/dcc20a9327c8d27cf24b5a51797d22f670d1d4de38ed8b66130d01ecb0b15800

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	Detect_NSIS_Nullsoft_Installer Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects NSIS installers by .ndata section + NSIS header string

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)