MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df3d5ee897b28da580030a4776d2aec2d4d9b05667c6e1995fef8c41a5cde7b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 11



SHA256 hash: df3d5ee897b28da580030a4776d2aec2d4d9b05667c6e1995fef8c41a5cde7b7
SHA3-384 hash: 407cb34ed464c160996ca382ae80318e3a96142f79e7a9e27336dbaaae6f76463a63fb9de4b6dbd56b995c1b98942132
SHA1 hash: 7494aa48b3e972598387c0d7a5461a2c780482e3
MD5 hash: 64768470c6f5ae45b8f140bfc46e453b
humanhash: happy-apart-delta-finch
File name: IMG_123306062026.lnk
Signature: RemcosRAT
File size: 66'001'783 bytes
First seen: 2026-05-08 10:39:34 UTC
Last seen: 2026-05-20 16:35:14 UTC
File type: Shortcut (lnk)
MIME type: application/x-ms-shortcut
ssdeep: 24:8lLJ/BqD+ff8bidlcRxSKalqHLCo/9wNFO8yuN6rFpro2zFVrabqOl:8NxoSrdSxfaaH9AO8dezzFRauO
Threatray: 180 similar samples on MalwareBazaar
TLSH: T1C7E705045EFA8794F3B24E3866AE32074837BF16DD75DA480164558C00A6A13AB36F37
Magika: lnk
Reporter: abuse_ch
Tags: lnk RemcosRAT

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 67
Origin country: SE
Vendor Threat Intelligence
Result
Verdict: Malicious
File Type: LNK File - Malicious
Payload URLs:
URL: http://tina.gautengsound.co.za/co.js (File name: LNK File)
Behaviour
BlacklistAPI detected
Verdict: Malicious
File Type: lnk
First seen: 2026-05-07T04:32:00Z UTC
Last seen: 2026-05-10T05:52:00Z UTC
Hits: ~1000
Detections: HEUR:Trojan.Multi.Miner.gen, PDM:Trojan.Win32.Generic, HEUR:Trojan.Script.Generic, HEUR:Trojan.WinLNK.Agent.gen
Result
Threat name: Remcos, PhantomGate
Detection: malicious
Classification: phis.troj.spyw.expl.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates multiple autostart registry keys
Creates processes via WMI
Detected Remcos RAT
Excessive usage of taskkill to terminate processes
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell creates an autostart link
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: PowerShell DownloadFile
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Register Wscript In Run Key
Sigma detected: Remcos
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell IEX Execution Patterns
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to download and execute files (via powershell)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Unusual module load detection (module proxying)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected PhantomGate
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (ID 1910652; sample IMG_123306062026.lnk; start date 08/05/2026; architecture WINDOWS; score 100): rendered process and network graph not reproduced in this text view.
Threat name: Shortcut.Trojan.Pantera
Status: Malicious
First seen: 2026-05-07 07:35:57 UTC
File Type: Binary
AV detection: 12 of 38 (31.58%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:remotehost adware collection defense_evasion discovery execution persistence rat spyware
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Contacts third-party web service commonly abused for C2
Indicator Removal: File Deletion
Checks computer location settings
Deletes itself
Loads dropped DLL
Badlisted process makes network request
Detected Nirsoft tools
Family: Remcos
Process spawned unexpected child process
Malware Config
C2 Extraction: cestfininewdns.vip:2404
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Download_in_LNK
Author: @bartblaze
Description: Identifies download artefacts in shortcut (LNK) files.
Rule name: Large_filesize_LNK
Author: @bartblaze
Description: Identifies shortcut (LNK) files larger than 100KB. Most goodware LNK files are smaller than 100KB.
Rule name: PDF_in_LNK
Author: @bartblaze
Description: Identifies Adobe Acrobat artefacts in shortcut (LNK) files. A PDF document is typically used as a decoy in a malicious LNK.
Rule name: Script_in_LNK
Author: @bartblaze
Description: Identifies scripting artefacts in shortcut (LNK) files.
Rule name: SUSP_LNK_Big_Link_File
Author: Florian Roth (Nextron Systems)
Description: Detects a suspiciously big LNK file, possibly with embedded content.
Reference: Internal Research
Rule name: SUSP_LNK_Big_Link_File_RID2EDD
Author: Florian Roth
Description: Detects a suspiciously big LNK file, possibly with embedded content.
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments