MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0be0a8c8c741e821bea2b66c2aea511e33da9aaf9199a30f6df4dd1ba36f980. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT
Vendor detections: 16

SHA256 hash: e0be0a8c8c741e821bea2b66c2aea511e33da9aaf9199a30f6df4dd1ba36f980
SHA3-384 hash: 01623c9627ae9d9c8d14086e172c4478c3723ec0480594bbd82c67ad9b6d7e648c81b3c0ae5be5b8c1285749c7f35bf7
SHA1 hash: a1087b7f46cc33dcf794bb53bb180f7e4796fd3a
MD5 hash: e2ad1bddc8d34238225a5cfbb456bef8
humanhash: romeo-indigo-nebraska-equal
File name: RC7.exe
Signature: RemcosRAT
File size: 165'376 bytes
First seen: 2026-05-03 16:32:54 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (49'011 x AgentTesla, 19'916 x Formbook, 12'332 x SnakeKeylogger)
ssdeep: 3072:y9aH7fFuyMf1pX9VHQy3+T9V6ys2IEEUAzMlzriX5ZUblMq9Cb:y9aHjFF0zB3+TDNNlriXz4lMq9C
Threatray: 3'927 similar samples on MalwareBazaar
TLSH: T1C2F302B341F48266CAF9F4F66D6EE3400BE5F11BAF67895D04EC9860BC7509980F22B4
TrID:
  73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
  4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
  2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: BastianHein
Tags: exe RemcosRAT

Intelligence

File Origin
# of uploads: 1
# of downloads: 141
Origin country: CL
Vendor Threat Intelligence

Malware configuration found for: EvilCoder, XWorm
  EvilCoder: extracted components, their filepaths, and possibly registry installation
  XWorm: a version, a filepath, a mutex, a c2 socket address or a dead-drop resolver URL, and possibly cryptocurrency wallets and a Telegram URL

Malware family: n/a
ID: 1
File name: RC7.exe
Verdict: Malicious activity
Analysis date: 2026-05-02 05:53:26 UTC
Tags: auto-reg auto-startup

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour:
Creating synchronization primitives
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a file in the %temp% directory
Launching a process
Enabling the 'hidden' option for recently created files
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Connection attempt to an infection source
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed reconnaissance unsafe vbnet

Verdict: Malicious
File Type: exe x32
First seen: 2026-04-26T17:18:00Z UTC
Last seen: 2026-05-04T06:29:00Z UTC
Hits: ~100
Detections: HEUR:Trojan-Dropper.MSIL.Agent.gen Backdoor.MSIL.XWorm.c Trojan-Spy.Win32.Xegumumune.sbc Backdoor.Win32.Remcos.e Trojan.MSIL.DOTHETUK.sb Backdoor.Win32.Remcos.sb Backdoor.Win32.Remcos.f Backdoor.Remcos.TCP.C&C Trojan.WinLNK.Agent.fb HEUR:Trojan-PSW.MSIL.Coins.gen Trojan-Spy.Win32.Stealer.sb Trojan-PSW.Win32.Stealer.sb Trojan.Win32.Inject.sb Trojan.MSIL.Dnoper.sb Trojan.MSIL.Agent.sb Trojan-Dropper.Win32.Agent.sb PDM:Trojan.Win32.Tasker.cust Backdoor.Win32.Androm.sb Backdoor.Agent.TCP.C&C Backdoor.MSIL.XWorm.b PDM:Trojan.Win32.Generic Exploit.Win32.BypassUAC.sb Trojan-Spy.Win64.Agent.sb Trojan-Dropper.Win32.Injector.sb PDM:Worm.Win32.Generic Trojan.Win32.Agent.sb HEUR:Trojan.MSIL.PowerShell.gen

Malware family: ModernLoader
Verdict: Malicious

Verdict: inconclusive
YARA: 11 match(es)
Tags: .Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.21 Win 32 Exe x86

Threat name: Win32.Trojan.XWormRAT
Status: Malicious
First seen: 2026-04-28 01:47:00 UTC
File Type: PE (.Net Exe)
Extracted files: 4
AV detection: 31 of 36 (86.11%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:destiny_stealer family:remcos family:xworm botnet:bazarai credential_access defense_evasion discovery execution persistence rat spyware stealer suricata trojan

Behaviour:
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deobfuscate/Decode Files or Information
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds policy Run key to start application
Command and Scripting Interpreter: PowerShell
Uses browser remote debugging
Detected Nirsoft tools
NirSoft EdgeCookiesView
NirSoft WebBrowserPassView
Detect Xworm Payload
Family: Destiny Stealer
Family: Remcos
Family: Xworm
Suricata alert: REMCOS RAT Malware Inbound C2 Communication
Suricata alert: REMCOS RAT Malware Outbound C2 Communication

Malware Config
C2 Extraction:
  23.132.164.14:5000
  23.132.164.14:8888

Unpacked files
SHA256 hash: e0be0a8c8c741e821bea2b66c2aea511e33da9aaf9199a30f6df4dd1ba36f980
MD5 hash: e2ad1bddc8d34238225a5cfbb456bef8
SHA1 hash: a1087b7f46cc33dcf794bb53bb180f7e4796fd3a

SHA256 hash: 7774dac493990bdd2e6ebb9fd26fe17d26cb625fd4bf4e953c51142dbfa7c851
MD5 hash: 2de9be905272b46b98c347fe8298ae30
SHA1 hash: e264e308329c4c7a190793de8184ac67ff4b9cbd

SHA256 hash: cd6681a50dfe439931f3aeb2792691749f3b2e6746f453d63cf6262423a427d5
MD5 hash: 87e31666f77f704f121c4b2155e2e785
SHA1 hash: be015e45e65b83415e21a1b116f4b0aa789e793b

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain (Obfuscated or not) Powershell or CMD Command that can be abused by threat actor (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Signature: RemcosRAT
File type: Executable exe
SHA256 hash: e0be0a8c8c741e821bea2b66c2aea511e33da9aaf9199a30f6df4dd1ba36f980 (this sample)
