MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df42728a561dd9bdef18a9d5e8f3795137ace647bbcfda68fc2108c1372fe5e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 20


Intelligence 20 IOCs YARA 26 File information Comments

SHA256 hash: df42728a561dd9bdef18a9d5e8f3795137ace647bbcfda68fc2108c1372fe5e9
SHA3-384 hash: 4f91d1ba9b24192b595d1091aa4628a93bf6e31a6486d6d3a5108d59fb9f95014584edacede99b0385e383b3650fd449
SHA1 hash: 85ae553ede2681c17f5722aa7b62c726cfb082b9
MD5 hash: 451752995564964160b9a762ab13ed29
humanhash: florida-red-yankee-ack
File name:103_FT26187MJC6J_12220260706CBAFKENXXXX0706130123-pdf.exe
Download: download sample
Signature RemcosRAT
File size:1'403'392 bytes
First seen:2026-07-06 14:15:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'097 x AgentTesla, 20'115 x Formbook, 12'356 x SnakeKeylogger)
ssdeep 24576:RASvV0L6O3AozfYTDbr/NLkqMItNOEqu7OTXzQ37aIhvx+RgqvH:RASN0LlcT/jpSIfPn3p1x+K0
Threatray 100 similar samples on MalwareBazaar
TLSH T1A25512085798D903C42E57B86474D2B81B786E69F912E3171EE8BEEFBD777228C10187
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter proxylife
Tags:exe RemcosRAT

Intelligence


File Origin
# of uploads :
1
# of downloads :
150
Origin country :
AR AR
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
_df42728a561dd9bdef18a9d5e8f3795137ace647bbcfda68fc2108c1372fe5e9.exe
Verdict:
Malicious activity
Analysis date:
2026-07-06 14:16:52 UTC
Tags:
rat remcos auto-reg

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Tags:
underscore keylog micro word
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a service
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Setting a keyboard event handler
DNS request
Connection attempt
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed vbnet
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-07-06T11:35:00Z UTC
Last seen:
2026-07-08T07:14:00Z UTC
Hits:
~10
Detections:
Trojan-Spy.Win32.Xegumumune.sbc Trojan-Dropper.Win32.Injector.sb Backdoor.Win32.Remcos.e HEUR:Trojan-Spy.MSIL.Noon.gen Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb Backdoor.Win32.Remcos.sb Backdoor.Win32.Androm.sb PDM:Trojan.Win32.Generic Trojan.MSIL.Dnoper.sb
Gathering data
Threat name:
Win32.Trojan.Ravartar
Status:
Malicious
First seen:
2026-07-06 14:16:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:remcos botnet:remotehost adware defense_evasion discovery execution persistence ransomware rat spyware trojan
Behaviour
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Adds Run key to start application
Enumerates connected drives
Executes dropped EXE
Boot or Logon Autostart Execution: Active Setup
Command and Scripting Interpreter: PowerShell
Family: Remcos
UAC bypass
Malware Config
C2 Extraction:
kjdesss.ddns.net:2404
Unpacked files
SH256 hash:
df42728a561dd9bdef18a9d5e8f3795137ace647bbcfda68fc2108c1372fe5e9
MD5 hash:
451752995564964160b9a762ab13ed29
SHA1 hash:
85ae553ede2681c17f5722aa7b62c726cfb082b9
SH256 hash:
9e4022fe8e51c04c1313400570211a071ed5ebea034e441445dca125c798300f
MD5 hash:
9b3cd44b8b04c4edac9c1b6bb2ad42f1
SHA1 hash:
eda8ed8acc179c914de979fcdd07ab2d3cbd2944
Detections:
win_remcos_auto win_remcos_w0 Remcos
SH256 hash:
fb441a65855b02fc1a4fb6de2c403517c931c61d223da6a13d5a361fd7807f1c
MD5 hash:
904ffaf5811d2287b90bb3282ffe6682
SHA1 hash:
5e9f84068008963decfca57ab63c92237b72d425
Detections:
win_remcos_auto win_remcos_w0 Remcos
SH256 hash:
f9a106a2947263b92c86160c1635a315dbb93c69bdaec8ff17c3b63aef83cc14
MD5 hash:
4c52ede89c43b2bc9405ea48b822a336
SHA1 hash:
1d4c18c8455a084602037422309a3fcafc30db69
SH256 hash:
57484a3efea11f73f094397b6b880070e8d166dab0dc662c071dbee9ed7b4830
MD5 hash:
33ccd938ff80c85d0da595ed12a2d0c4
SHA1 hash:
28e007256f614439be6c236e9254f37ff1fa223e
Detections:
win_remcos_auto win_remcos_w0 Remcos
SH256 hash:
6cd6903d12ecb90f404656bd20485cf78c4415a5127be56857835587f41f5703
MD5 hash:
08dbb4b6925de4b0de846e3d6d1bdf4d
SHA1 hash:
d330a660ac76fdbe27efb0be77aa85ceb75da71e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Disable_Defender
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Rule name:pe_imphash
Rule name:Remcos
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Rule name:Remcos_unpacked_PulseIntel
Author:PulseIntel
Description:Remcos Payload
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:Windows_Trojan_Remcos_921ef449
Author:Elastic Security
Rule name:Windows_Trojan_Remcos_b296e965
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
Rule name:win_remcos_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:win_remcos_rat_unpacked
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:win_remcos_w0
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:yarahub_win_remcos_rat_unpacked_aug_2023
Author:Matthew @ Embee_Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments