MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e462d1a4674d1c46ee7c3eba187353dc4c6c40863493e67b3d1ab379714f97bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e462d1a4674d1c46ee7c3eba187353dc4c6c40863493e67b3d1ab379714f97bb
SHA3-384 hash: 98820219ed74be70012184ec5f71074ce6d86158dd16c15a60da8812a6da94ba947344b52df11d6222e4087beaf76df2
SHA1 hash: 462c203da1654f63d1b5a2ba9cdc365e9e5ec59a
MD5 hash: 74f26fa6690ab0d5cc8d063fc3531ed6
humanhash: march-west-tennis-zulu
File name:Remittance-Balance-Copy-Pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:967'168 bytes
First seen:2025-06-29 22:12:13 UTC
Last seen:2025-07-07 15:22:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:8bE5ZSf2cuPcNUP72A224OQLY462oJygm07Cjbm:xSOcMLzz32Y462ogHi
Threatray 10 similar samples on MalwareBazaar
TLSH T12725124235259823C6BE0AF54920D13993FE8D5D6662F7CA6FD63EDB34E1B220582F43
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
665
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
rl_e462d1a4674d1c46ee7c3eba187353dc4c6c40863493e67b3d1ab379714f97bb
Verdict:
Malicious activity
Analysis date:
2025-06-29 22:13:18 UTC
Tags:
remcos rat netreactor auto-reg
Link:
https://app.any.run/tasks/a3c6797f-0228-416b-b07a-b57fd74e7ce1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/11574/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.3358.16647.18026.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6861ba550fceda814b470c4f
Tags:
shell spawn sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Restart of the analyzed sample
Creating a file
Launching cmd.exe command interpreter
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process from a recently created file
Creating a file in the %temp% directory
Setting a keyboard event handler
DNS request
Connection attempt
Sending an HTTP GET request
Reading critical registry keys
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the User Account Control
Unauthorized injection to a recently created process by context flags manipulation
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/e462d1a4674d1c46ee7c3eba187353dc4c6c40863493e67b3d1ab379714f97bb
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f991d871-3324-4715-ba8d-a6dbb44190bf
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e462d1a4674d1c46ee7c3eba187353dc4c6c40863493e67b3d1ab379714f97bb
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/74f26fa6690ab0d5cc8d063fc3531ed6
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e462d1a4674d1c46ee7c3eba187353dc4c6c40863493e67b3d1ab379714f97bb/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2025-06-29 19:56:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4rrndjdhjuoen3t4h25bq42t3rggyqeggsj6m6z5dkzxs4kps65q._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
remcos
Create hunting rule
Similar samples:
3021e7589fef17cce2d2dac8424ecc68a61d84cf25762c4caad209aa0a51e68a
RemcosRAT
5f811f675d487ef9d0cd10ba5f095edadcb38eeeedaa5ec897b3994b954d3212
RemcosRAT
6cc2fb149479570c8f47434b33dba731da0b08b48a609011965c878e34c57a5b
RemcosRAT
8ee17d796838ff6f4a61fad087b4486f2859a516d290215cdf3d731bc167ab56
RemcosRAT
e462d1a4674d1c46ee7c3eba187353dc4c6c40863493e67b3d1ab379714f97bb
RemcosRAT
error
RemcosRAT
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection defense_evasion discovery execution persistence rat trojan
Link:
https://tria.ge/reports/250629-14r1asbp5z/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Remcos
Remcos family
UAC bypass
Malware Config
C2 Extraction:
45.88.186.30:2404
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f816c759-c513-4a04-b376-93825d90b044
Unpacked files
SH256 hash:
e462d1a4674d1c46ee7c3eba187353dc4c6c40863493e67b3d1ab379714f97bb
MD5 hash:
74f26fa6690ab0d5cc8d063fc3531ed6
SHA1 hash:
462c203da1654f63d1b5a2ba9cdc365e9e5ec59a
Link:
https://www.unpac.me/results/dd37d9a7-3a55-4b29-bc16-13f0350f8949/
SH256 hash:
d9347777261e7accdbfec4037c601069c2851cb3c659d19770c32d3e5ac488d2
MD5 hash:
6ab6742d810fa9f37bf51e2ceacdb6a4
SHA1 hash:
b845a1fb2ed1191f7d743d9c705879737b38902d
Link:
https://www.unpac.me/results/dd37d9a7-3a55-4b29-bc16-13f0350f8949/
SH256 hash:
dff568003cd80fee590b5c37627bf5bc1ffb1909bd153f42049b2083b042253c
MD5 hash:
3e8e6aa32f74a0e4ff2f40a79b0d1d61
SHA1 hash:
df1aad6a6f20d416d664576baf9cfe5b041ac3f6
Detections:
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
Remcos
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Link:
https://www.unpac.me/results/dd37d9a7-3a55-4b29-bc16-13f0350f8949/
Parent samples :
e462d1a4674d1c46ee7c3eba187353dc4c6c40863493e67b3d1ab379714f97bb
99816cd2de501f26cb3227491cf3bf407fba47ed12f8b925a993d7c822b031ae
SH256 hash:
d401440396e051d7c8c55115f7c06a5ef0a83d6f7332dea8da878c7f21df51d5
MD5 hash:
4f7c58d49406123c97272332b4579751
SHA1 hash:
e541bfbbd00dfc2a426d21038d59eb6e7a01e6ae
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/dd37d9a7-3a55-4b29-bc16-13f0350f8949/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e462d1a4674d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e462d1a4674d1c46ee7c3eba187353dc4c6c40863493e67b3d1ab379714f97bb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe e462d1a4674d1c46ee7c3eba187353dc4c6c40863493e67b3d1ab379714f97bb

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/11574/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments