MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3f94e84769fc8d25b081f44226b89c332f7ffe21564939aa0be868a4ca2d7a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 17

Intelligence 17 IOCs YARA 19 File information Comments

SHA256 hash:	e3f94e84769fc8d25b081f44226b89c332f7ffe21564939aa0be868a4ca2d7a5
SHA3-384 hash:	450933b69884e4501212b65883971b2e9ea9076079560347900bc1da212be32245781dd4925e2e9b9be481b6edb26d21
SHA1 hash:	e8f1039543a4db4e3e102bf3378076074bfe4e00
MD5 hash:	04320c30e2446ea733b50bd58b580828
humanhash:	cat-asparagus-nuts-missouri
File name:	REQUEST FOR QUOTATION.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'020'416 bytes
First seen:	2025-06-02 21:21:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:vjMtUbZrkrz/mUBsKED6gle84Db9I3xSiEZ6ZMY+MI/n8UF2Sq/VJ:bRlrkrzuUmKELe8N3x7EZ6ZM7MIUUF2S
Threatray	4'162 similar samples on MalwareBazaar
TLSH	T14A25E1093926BF03C6B64BF80A55D13417F85EDEA01EE25B4EE6BCDF34A5F241880A57
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	smica83
Tags:	exe HUN RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

460

Origin country :

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

REQUEST FOR QUOTATION.exe

Verdict:

Malicious activity

Analysis date:

2025-06-02 21:24:04 UTC

Tags:

remcos rat netreactor

Link:

https://app.any.run/tasks/f60ce868-276e-4294-bc5c-8539a65bfb30

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/6914/

Detection(s):

SecuriteInfo.com.Variant.Genie8DN.405.335.4257.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=683df6a88bd5d68a12e3e153

Tags:

backdoor spawn shell

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

DNS request

Connecting to a non-recommended domain

Connection attempt

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated packed packed packer_detected vbnet

Link:

https://www.filescan.io/uploads/683e1611fd02ed5e05945007/reports/ef978c7e-8297-48af-8e19-b86b77fa1db8/overview

Verdict:

Malicious

Labled as:

Genie8DN.Generic

Link:

https://www.hybrid-analysis.com/sample/e3f94e84769fc8d25b081f44226b89c332f7ffe21564939aa0be868a4ca2d7a5

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d81220db-08ba-490f-9b75-fe879d563461

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1704369

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Detected Remcos RAT

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Remcos

Sigma detected: Scheduled temp file as task from temp location

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Uses threadpools to delay analysis

Yara detected AntiVM3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/e3f94e84769fc8d25b081f44226b89c332f7ffe21564939aa0be868a4ca2d7a5

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e3f94e84769fc8d25b081f44226b89c332f7ffe21564939aa0be868a4ca2d7a5/

Threat name:

ByteCode-MSIL.Backdoor.Remcos

Status:

Malicious

First seen:

2025-06-02 08:37:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4p4u5bdwt7enewyid5cce24jymzpp77ccvsjhgvax2diutfc26sq._file

Verdict:

malicious

Label(s):

unc_loader_037

remcos

RemcosRAT

70029840a2c10f707e5b6bee6a48c4c7fb1fc3efe79215d7bb01c5e2967848cb

RemcosRAT

dc8e0752010c76c6815c5631eb656e8e8f179be1a794c5f6679e5072d6ffe496

RemcosRAT

+ 4'152 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost discovery execution rat

Link:

https://tria.ge/reports/250602-z7gs3aej5y/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Remcos

Remcos family

Malware Config

C2 Extraction:

airtoncomeplast.duckdns.org:7822

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/924ca814-5533-40a8-bf75-5c93ad15b6cb

Unpacked files

SH256 hash:

e3f94e84769fc8d25b081f44226b89c332f7ffe21564939aa0be868a4ca2d7a5

MD5 hash:

04320c30e2446ea733b50bd58b580828

SHA1 hash:

e8f1039543a4db4e3e102bf3378076074bfe4e00

Link:

https://www.unpac.me/results/e39076ea-a708-48db-880b-734acc76ff28/

SH256 hash:

a01dd993290c7b91b20ca6a7e446bf4edabc2c85c832b4b824f396788f7f5a02

MD5 hash:

17e4960eabeb73f49f12ac8736b408e4

SHA1 hash:

2f56f8828137dc6e47d77d7e52541a748f092ba6

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/e39076ea-a708-48db-880b-734acc76ff28/

Parent samples :

f636541370318e8253c2eaf75c41e3cfe01b53e750a76c59bf17a894136de3c1
e3f94e84769fc8d25b081f44226b89c332f7ffe21564939aa0be868a4ca2d7a5
d73ad9264e737d95a1cdeed413d7015a18e2f1f679ebf56a2973c97ead7b1447
83885d6469d809b0709f82c75605005fed02c3cbdde2a8d8e74589608d45b40b
24d845c266dc1d2fdd1af6df8cc3c206d2b570ac6df249147664310b13a28371

SH256 hash:

ad7a63b1487dcd4ff7071e9bfee4999e0e0c33c3f7ad16b35659d0910036230e

MD5 hash:

3150061eccc784ac1ab4835c5b80992a

SHA1 hash:

65f76a62dd904692c95ff5621c00a3af0fb286a0

Detections:

win_remcos_w0

win_remcos_auto

Remcos

malware_windows_remcos_rat

win_remcos_rat_unpacked

INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer

Link:

https://www.unpac.me/results/e39076ea-a708-48db-880b-734acc76ff28/

Parent samples :

dc8e0752010c76c6815c5631eb656e8e8f179be1a794c5f6679e5072d6ffe496
e3f94e84769fc8d25b081f44226b89c332f7ffe21564939aa0be868a4ca2d7a5
24d845c266dc1d2fdd1af6df8cc3c206d2b570ac6df249147664310b13a28371

SH256 hash:

7bca28e0ec51b512e951898eecfc405aba1c4f543a1d736055ba764087a6e0f0

MD5 hash:

c8c56e3261dd6973ae1bc5bb93d15ae3

SHA1 hash:

9b028e75c899eafac9d07169bc5276f896779232

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/e39076ea-a708-48db-880b-734acc76ff28/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e3f94e84769f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	iexplorer_remcos Create hunting rule
Author:	iam-py-test
Description:	Detect iexplorer being taken over by Remcos

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Windows_Trojan_Remcos_b296e965 Create hunting rule
Author:	Elastic Security
Reference:	https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

Rule name:	win_remcos_rat_unpacked Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects strings present in remcos rat Samples.

Rule name:	win_remcos_w0 Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects strings present in remcos rat Samples.

Rule name:	yarahub_win_remcos_rat_unpacked_aug_2023 Create hunting rule
Author:	Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/6914/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample