MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddf18913e974e0d83e4f65d4fb9b20e98974bf87cc414af05184fe20bc0f6e87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 17

Intelligence 17 IOCs YARA 27 File information Comments

SHA256 hash:	ddf18913e974e0d83e4f65d4fb9b20e98974bf87cc414af05184fe20bc0f6e87
SHA3-384 hash:	a748e04db3af1eef45f5a8cd9d9aca74572da3ec154767ece0478996aa78db7a754304489f80c1712649bbbefcb5d02d
SHA1 hash:	c7a6062daacb7ad3d6d0a89bd1bf90fcf650ad26
MD5 hash:	0ecf5b200685e740a0270380a506723a
humanhash:	beer-jersey-west-fruit
File name:	EXCEL.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'275'400 bytes
First seen:	2026-02-27 16:44:57 UTC
Last seen:	2026-02-27 17:42:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'818 x AgentTesla, 19'741 x Formbook, 12'286 x SnakeKeylogger)
ssdeep	24576:SeI5aO7XTl9kE8EqKd0cerovv7eDd+3p4emyUADnr:aUiXpOu+ovzGd+3paJADnr
TLSH	T1424512581789C417CAEA53BA29B1F1784B7DAEDBB510C3564FECBCEBBD217101808396
TrID	73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.6% (.EXE) Win64 Executable (generic) (6522/11/2) 4.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	BastianHein
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

RoboSki

Details

Link:

https://research.acce.ciphertechsolutions.com/results/4b336a41-b1c2-478c-9b6e-4ed68f252525/

Malware family:

amadey

ID:

File name:

virusvippro.exe

Verdict:

Malicious activity

Analysis date:

2026-02-26 14:03:12 UTC

Tags:

auto metasploit framework github amadey botnet stealer stealc possible-phishing anti-evasion telegram phishing clickfix python barys powershell maskgram xenorat rat anydesk rmm-tool generic action1rmm screenconnect tool remote maskgramstealer tinynuke miner meterpreter backdoor havoc koistealer koiloader loader wannacry ransomware cobaltstrike guloader cryptowall njrat remcos vidar xred networm amus asyncrat smb bruteratel formbook sheet pyinstaller redline stealerium pastebin coinminer gh0st cryptolocker bladabindi pushware adware scan smbscan donutloader putty noescape wiper gotohttp ghostsocks proxyware whitesnakestealer xworm

Link:

https://app.any.run/tasks/1cf7f269-638c-477f-9a92-9fcd7b08a3e9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/54896/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69a1c85fc950ab5d9ab22519

Tags:

autorun office macro virus

Verdict:

Malicious

Labled as:

Adware.Generic

Link:

https://www.hybrid-analysis.com/sample/ddf18913e974e0d83e4f65d4fb9b20e98974bf87cc414af05184fe20bc0f6e87

Result

Gathering data

Malware family:

KeyBase

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9f57e702-9669-46e0-b377-b35bb6241d6b

Score:

85%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ddf18913e974e0d83e4f65d4fb9b20e98974bf87cc414af05184fe20bc0f6e87

Gathering data

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/ddf18913e974e0d83e4f65d4fb9b20e98974bf87cc414af05184fe20bc0f6e87/

Verdict:

Malicious

Threat:

Family.REMCOS

Link:

https://tip.neiki.dev/file/ddf18913e974e0d83e4f65d4fb9b20e98974bf87cc414af05184fe20bc0f6e87

Threat name:

Win32.Trojan.Redlinestealer

Status:

Malicious

First seen:

2026-02-26 15:56:16 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 36 (61.11%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3xyyse7jotqnqpspmxkpxgza5gexjp4hzrauv4crqt7cbpapn2dq._file

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:2026 discovery rat

Link:

https://tria.ge/reports/260227-t9m5zagw8g/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Drops startup file

Remcos

Remcos family

Malware Config

C2 Extraction:

rency.ydns.eu:2404
wqo9.firewall-gateway.de:4045
code1.ydns.eu:9302

Unpacked files

SH256 hash:

ddf18913e974e0d83e4f65d4fb9b20e98974bf87cc414af05184fe20bc0f6e87

MD5 hash:

0ecf5b200685e740a0270380a506723a

SHA1 hash:

c7a6062daacb7ad3d6d0a89bd1bf90fcf650ad26

Link:

https://www.unpac.me/results/ad7d8216-f34a-419e-958d-04fa7b088546/

SH256 hash:

d4e15793ff3e2748d7f4240c2508def971bf03030f6fd63bdb37f9ffee054a9c

MD5 hash:

4bf854a72f8d9fc6a123490a5c10e975

SHA1 hash:

5cbc77db2b8ad31afbd498a19dbcdc884fcbcd81

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

Link:

https://www.unpac.me/results/ad7d8216-f34a-419e-958d-04fa7b088546/

SH256 hash:

1d505ea8bbeba5f8dafdba977e3798970abec0ded018eca8c8c1d71a510d5b36

MD5 hash:

15185513dcfc65611ee21ddee6d3b94d

SHA1 hash:

76f1da946c7257494d9c81ae3691b4c14063afcd

Link:

https://www.unpac.me/results/ad7d8216-f34a-419e-958d-04fa7b088546/

SH256 hash:

3d2513aef57950b4fbaa6595bdd45cb50534eb7e27f059eb71758b42ff6509dc

MD5 hash:

3d67305123746bc4b006a04fedbaf05e

SHA1 hash:

9925c9dfaf0321be5f52fb24f7179cb53dfe71e5

Detections:

win_remcos_auto

win_remcos_w0

Remcos

malware_windows_remcos_rat

win_remcos_rat_unpacked

INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer

Link:

https://www.unpac.me/results/ad7d8216-f34a-419e-958d-04fa7b088546/

Parent samples :

8109a0528091c8be7fc71e941604672f1cfba50a020c9b4fce74be6e092764f4
7419b292f77e62623a70a50d129c225c4d26fb53282f573f4e7f57242bbf946f
a0b526925bb48806b6ea9abd3d7edae9097c315bd491c37ece9103b1471c1c5e
5cf7d883f29fd1ef93f0f744413f97d419985587544d36b5326f7e8cd3828a66
e3ccebebae0ce58740624ec86b74e6325e0384b3181fc493b022720c378b9a4e
1bd50faa3a761deff7f9b94efb42cac9ee9b074e5296ec721a089f34af9e972a
ddf18913e974e0d83e4f65d4fb9b20e98974bf87cc414af05184fe20bc0f6e87

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ddf18913e974/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ddf18913e974e0d83e4f65d4fb9b20e98974bf87cc414af05184fe20bc0f6e87

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	iexplorer_remcos Create hunting rule
Author:	iam-py-test
Description:	Detect iexplorer being taken over by Remcos

Rule name:	INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Windows_Trojan_Remcos_921ef449 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Remcos_b296e965 Create hunting rule
Author:	Elastic Security
Reference:	https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

Rule name:	win_remcos_rat_unpacked Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects strings present in remcos rat Samples.

Rule name:	win_remcos_w0 Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects strings present in remcos rat Samples.

Rule name:	yarahub_win_remcos_rat_unpacked_aug_2023 Create hunting rule
Author:	Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

exe ddf18913e974e0d83e4f65d4fb9b20e98974bf87cc414af05184fe20bc0f6e87

(this sample)

Cape

https://www.capesandbox.com/analysis/54896/

URLhaus

https://urlhaus.abuse.ch/url/3657580/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3786901/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample