MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df7ab70c74f2c0c147746fbcde0fce30a5ac6ddc6dc884f952e23be4fa3af37c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 26 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df7ab70c74f2c0c147746fbcde0fce30a5ac6ddc6dc884f952e23be4fa3af37c
SHA3-384 hash: 4c215a0f3126a711dd9bd98c9fcbee7c011d152d954525fc32a9a81c0b93e6c4f0466032225c2d3072d64c2e757c5c65
SHA1 hash: 6ab5a19adc72acb66c3f917a4752d3f3beeca8b4
MD5 hash: 1f5fc9a1198588972cca04ac422d04c3
humanhash: network-south-hydrogen-cardinal
File name:1f5fc9a1198588972cca04ac422d04c3.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:382'648 bytes
First seen:2026-05-03 13:25:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (587 x GuLoader, 130 x RemcosRAT, 84 x EpsilonStealer)
ssdeep 6144:4VGdx6xzX9fpnOdEQT2AdO2ATLoCx7+Mh9wDW/PqBN0gb/7HspH3h5e/kTcBbyy3:UV9BnOdEQT2iO268Cx9wDW+JbT2XHcBD
Threatray 2'394 similar samples on MalwareBazaar
TLSH T1D68412023765C957CD619BB2C8368AF95AAD9CADC639A30783503F7D3DB23411E0D3A5
TrID 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon e4e0ccccccc888c8 (1 x RemcosRAT)
Reporter abuse_ch
Tags:exe RAT RemcosRAT signed

Code Signing Certificate

Organisation:Reproduceredes
Issuer:Reproduceredes
Algorithm:sha256WithRSAEncryption
Valid from:2026-04-08T00:45:00Z
Valid to:2027-04-08T00:45:00Z
Serial number: 7828dd6c61b59d08d95cb24f90179da91187d900
Thumbprint Algorithm:SHA256
Thumbprint: ec88c09f2390e9ffbacb572c7456d5e023204eb8728d116ace3ebf7bf018b38f
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
RemcosRAT C2:
172.111.169.68:9702

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
172.111.169.68:9702 https://threatfox.abuse.ch/ioc/1805282/

Intelligence

File Origin
# of uploads :
1
# of downloads :
171
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
GuLoader NSIS
Details
GuLoader
a c2 URL, a useragent string, and a string XOR key
GuLoader
an XOR decryption key and an extracted component
NSIS
extracted archive contents
Link:
https://research.acce.ciphertechsolutions.com/results/33607a99-6818-4255-9ffd-1ebd1467142d/
Malware family:
remcos
Create hunting rule
ID:
1
File name:
exe
Verdict:
Malicious activity
Analysis date:
2026-05-03 13:26:52 UTC
Tags:
auto-reg rat remcos
Link:
https://app.any.run/tasks/71e50342-dfee-405f-b268-0f0bff99b9b5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/64383/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Delayed reading of the file
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
DNS request
Connection attempt
Sending an HTTP GET request
Сreating synchronization primitives
Setting a keyboard event handler
Connection attempt to an infection source
Creating a window
Searching for the window
Creating a file
Creating a file in the %temp% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/df7ab70c74f2c0c147746fbcde0fce30a5ac6ddc6dc884f952e23be4fa3af37c
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-04-27T23:53:00Z UTC
Last seen:
2026-05-05T06:58:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.Guloader.sb Trojan-Spy.Win32.Xegumumune.sbc Trojan-Dropper.Win32.Injector.sb Trojan-Downloader.Win32.Minix.sb PDM:Trojan.Win32.Generic Trojan.NSIS.Makoob.sba HEUR:Trojan-Downloader.Win32.Minix.gen Backdoor.Win32.Remcos.sb Backdoor.Remcos.TCP.C&C
Link:
https://opentip.kaspersky.com/df7ab70c74f2c0c147746fbcde0fce30a5ac6ddc6dc884f952e23be4fa3af37c/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f38d1efa-cc55-4f33-bd87-85ef6bf22fd2
Result
Threat name:
GuLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1907796
Signature
AI detected suspicious PE digital signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Unusual module load detection (module proxying)
Uses dynamic DNS services
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1907796 Sample: mc6Uz5n9ku.exe Startdate: 03/05/2026 Architecture: WINDOWS Score: 100 27 downgradeload720fflie.duckdns.org 2->27 29 drive.usercontent.google.com 2->29 31 drive.google.com 2->31 39 Suricata IDS alerts for network traffic 2->39 41 Found malware configuration 2->41 43 Antivirus detection for dropped file 2->43 47 9 other signatures 2->47 8 mc6Uz5n9ku.exe 2 30 2->8         started        signatures3 45 Uses dynamic DNS services 27->45 process4 file5 21 C:\Users\user\AppData\Local\...\System.dll, PE32 8->21 dropped 49 Tries to detect virtualization through RDTSC time measurements 8->49 51 Unusual module load detection (module proxying) 8->51 53 Switches to a custom stack to bypass stack traces 8->53 55 Found direct / indirect Syscall (likely to bypass EDR) 8->55 12 mc6Uz5n9ku.exe 4 9 8->12         started        17 mc6Uz5n9ku.exe 8->17         started        signatures6 process7 dnsIp8 33 downgradeload720fflie.duckdns.org 172.111.169.68, 49752, 9702 SOFTLAYERUS United States 12->33 35 drive.google.com 142.250.65.78, 443, 49750 GOOGLEUS United States 12->35 37 drive.usercontent.google.com 142.251.211.97, 443, 49751 GOOGLEUS United States 12->37 23 C:\Users\user\AppData\...\Ubiquitarianism.exe, PE32 12->23 dropped 25 C:\Users\user\AppData\Roaming\kampoistf.dat, data 12->25 dropped 57 Installs a global keyboard hook 12->57 59 Found direct / indirect Syscall (likely to bypass EDR) 12->59 19 mc6Uz5n9ku.exe 12->19         started        file9 signatures10 process11
Score:
84%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/df7ab70c74f2c0c147746fbcde0fce30a5ac6ddc6dc884f952e23be4fa3af37c
Gathering data
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/df7ab70c74f2c0c147746fbcde0fce30a5ac6ddc6dc884f952e23be4fa3af37c/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/df7ab70c74f2c0c147746fbcde0fce30a5ac6ddc6dc884f952e23be4fa3af37c
Threat name:
Win32.Trojan.Ravartar
Create hunting rule
Status:
Malicious
First seen:
2026-04-29 00:55:00 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
19 of 36 (52.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=355loddu6lamcr3un66n4d6ogcs2y3o4nxeij6ks4i56j6r26n6a._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
515bbef4ce21e056dc31c85364a95a4d0ae71f18772388b54121e5bcccfe604c
RemcosRAT
766741c512b6dc2d37fbdd0691d95f6da405ffb77f5a3d318b6cf9b9f6960c39
RemcosRAT
8ffa90c78b47c3d74ecdf0bbe4296e855daa9567bb29c8f4fbb61e82fd1a2808
RemcosRAT
96f03e7de39c9da07c8980e751e9bd492672af5e56841f0a80820fe6031bfdab
RemcosRAT
b64f5a129e80b30e756466f1ea8d440e8f8aa08de3c04f9e0dd2cacfcfd8d4f3
RemcosRAT
bd38fdb96d8291c903a588adf688f437bc6b8a9dbf319a95c3e83278fb183f00
RemcosRAT
d4fb18f9f92ea06df479f7c2b9974f1b2f56abc318b8804e64b2197656f06ea6
RemcosRAT
d6210cbc747a7c2f1f334d62bcac489e882ac3d13190be999f6fa5b16aec0acc
RemcosRAT
dc8de4880e68d0be6a8aac42d82f896bc158f1e6c9ac63a91bd8c25b17ded181
RemcosRAT
f416ac766e221260d367d12a5ac243376f9778b2b72501007e55c00824e20918
RemcosRAT
+ 2'384 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:lastone discovery persistence rat suricata
Link:
https://tria.ge/reports/260503-qn8yrsdx4m/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Contacts third-party web service commonly abused for C2
Loads dropped DLL
Family: Remcos
Suricata alert: REMCOS RAT Malware Inbound C2 Communication
Suricata alert: REMCOS RAT Malware Outbound C2 Communication
Malware Config
C2 Extraction:
downgradeload720fflie.duckdns.org:9702
trfsgysu28opask02.duckdns.org:9702
trfsgysu28opask03.duckdns.org:9702
trfsgysu28opask04.duckdns.org:9702
trfsgysu28opask05.duckdns.org:9702
trfsgysu28opask06.duckdns.org:9702
Unpacked files
SH256 hash:
df7ab70c74f2c0c147746fbcde0fce30a5ac6ddc6dc884f952e23be4fa3af37c
MD5 hash:
1f5fc9a1198588972cca04ac422d04c3
SHA1 hash:
6ab5a19adc72acb66c3f917a4752d3f3beeca8b4
Link:
https://www.unpac.me/results/fa0357b4-f6ae-4d6f-9fea-326d712a017f/
SH256 hash:
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
MD5 hash:
75ed96254fbf894e42058062b4b4f0d1
SHA1 hash:
996503f1383b49021eb3427bc28d13b5bbd11977
Link:
https://www.unpac.me/results/fa0357b4-f6ae-4d6f-9fea-326d712a017f/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/df7ab70c74f2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_HighConfidence
Create hunting rule
Author:Arrbat
Description:High-confidence detection using unique .NET loader/reflection stubs (Moonshine), NSIS manifests, specific typo/junk strings, and repeating patterns from observed samples. Low FP.
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Remcos_unpacked_PulseIntel
Create hunting rule
Author:PulseIntel
Description:Remcos Payload
Rule name:Sus_All_Windows_PE_Malware
Create hunting rule
Author:DiegoAnalytics
Description:Detects Windows PE malware of all types, avoids non-executables like .html
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:Windows_Trojan_Remcos_921ef449
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:win_remcos_rat_unpacked
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:win_remcos_w0
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:yarahub_win_remcos_rat_unpacked_aug_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/64383/

Comments