MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de28a07fec641d376b8ab08762afd7873384106e24052ee8bfdaf85cb7ce2db1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de28a07fec641d376b8ab08762afd7873384106e24052ee8bfdaf85cb7ce2db1
SHA3-384 hash: d4ab87daf0dd54390a2c061c41354e5f453e54f597e299bda985186b35a3a3d61be6c266b9a9887750ca3e0ff1384add
SHA1 hash: be398156a617484d78d5769f40a9bbacaabc85f6
MD5 hash: d8c0568a985f0ed0aac34f9106c600df
humanhash: minnesota-football-cup-ceiling
File name:25-DSC-0034.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:735'232 bytes
First seen:2025-07-21 06:48:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'795 x AgentTesla, 19'693 x Formbook, 12'274 x SnakeKeylogger)
ssdeep 12288:/aEBLDYVl4yBFVol96R3EX3yvEEs+sR3:PB3YVl4aul9d3yvOv
Threatray 1'196 similar samples on MalwareBazaar
TLSH T10FF419DA138878C1C3BE277B58747850F7F1A4CA9AC69689C4E4CDF6BFF59802B94181
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 31e8c8d9c8d8c873 (3 x RemcosRAT)
Reporter lowmal3
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
34
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
25-DSC-0034.exe
Verdict:
No threats detected
Analysis date:
2025-07-21 07:45:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a1ac91fa-3fb8-4aca-88c8-70503dd03b43

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/16046/
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=687de2f884b37dd61ef028d6
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Creating a window
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Barys.Generic
Link:
https://www.hybrid-analysis.com/sample/de28a07fec641d376b8ab08762afd7873384106e24052ee8bfdaf85cb7ce2db1
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f9336afc-d566-4ef6-a8c3-c2fbb285937a
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1740847
Signature
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Detected Remcos RAT
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/de28a07fec641d376b8ab08762afd7873384106e24052ee8bfdaf85cb7ce2db1
Verdict:
inconclusive
YARA:
11 match(es)
Tags:
.Net Executable PE (Portable Executable) SOS: 0.50 Win 32 Exe x86
Link:
https://app.malva.re/file/d8c0568a985f0ed0aac34f9106c600df
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/de28a07fec641d376b8ab08762afd7873384106e24052ee8bfdaf85cb7ce2db1/
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-07-21 02:51:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
19 of 22 (86.36%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3yuka77mmqoto24kwcdwfl6xq4zyiedoeqcs52f73l4fzn6ofwyq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
35a6d781fe7c48d8f17d0f3623eefe00f22f1e61e986903f44d33032c1dcc5dd
RemcosRAT
36f0e0b31d5b901268c65a2d5dd8b48a0e9c9b00a329c10be9a7be625fe5d84d
RemcosRAT
a5feb7f9ad863058e9c223ff48f3bf9ea0a565dfc13ac15d8a79635be5cb82b2
RemcosRAT
bcd1c816b9e32f30b205d3e311dbdadd97d4a85e4448fac94a1b178cbf8ba3b2
RemcosRAT
cab60ea77933503a6d40950463a8d3ebad5d61a9b5be86864db77a914b4c4457
RemcosRAT
error
RemcosRAT
+ 1'186 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos discovery rat
Link:
https://tria.ge/reports/250721-hlj8mafn8x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Remcos
Remcos family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4be94387-dfd3-401f-8b80-7e4aa5a24654
Unpacked files
SH256 hash:
de28a07fec641d376b8ab08762afd7873384106e24052ee8bfdaf85cb7ce2db1
MD5 hash:
d8c0568a985f0ed0aac34f9106c600df
SHA1 hash:
be398156a617484d78d5769f40a9bbacaabc85f6
Link:
https://www.unpac.me/results/79e4b41f-9998-433d-a5d7-487bf43a0e57/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.97
Link:
https://yomi.yoroi.company/submissions/de28a07fec641d376b8ab08762afd7873384106e24052ee8bfdaf85cb7ce2db1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe de28a07fec641d376b8ab08762afd7873384106e24052ee8bfdaf85cb7ce2db1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/16046/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments