MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4b394710171888c98115ff1cc8639992a746c3313363565ca8f54b237fc4ec2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4b394710171888c98115ff1cc8639992a746c3313363565ca8f54b237fc4ec2
SHA3-384 hash: 2b55d51abe749433084096653c7631920ae6e2740fc2b245bb251aa48755e739112dd0d95a5a60572e359a3df84a2f98
SHA1 hash: fcfd42755974e442044c42d8537e531333e459a0
MD5 hash: 657d450efe333e708b65eef849dd87d5
humanhash: single-sodium-lactose-two
File name:EPR_Aug_pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'616'016 bytes
First seen:2025-09-15 06:57:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0293eec0b5432ad092f24065016203b2 (21 x GuLoader, 9 x RemcosRAT, 6 x Formbook)
ssdeep 49152:mY/PltBfX6FZ23XvjWG28Z0vxJfw0QZjGLCHIe2:mY/9PX6KyI2xDQ192
Threatray 1'220 similar samples on MalwareBazaar
TLSH T107752396B750D281C2B58F30A879B0467967FF2FB8A5D8073E82763D37B3493425E215
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter adrian__luca
Tags:exe GuLoader RemcosRAT signed

Code Signing Certificate

Organisation:Hgwells
Issuer:Hgwells
Algorithm:sha256WithRSAEncryption
Valid from:2025-08-01T03:22:29Z
Valid to:2026-08-01T03:22:29Z
Serial number: 7f5aed52c276df42eb2bcad10e334de6c091cb5a
Thumbprint Algorithm:SHA256
Thumbprint: 8ae503a4985f1dde85d1c00371a319c080cd3d0936a2389fd092b5c0582a01ac
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
152
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
ebcafc03566f11dcb8d60a96af22b0c00aec8961cee113f5458193e2d2a59f33.zip
Verdict:
Malicious activity
Analysis date:
2025-09-14 22:14:34 UTC
Tags:
arch-exec rat remcos auto-reg
Link:
https://app.any.run/tasks/c5855b00-4589-4beb-846e-cc6ac9579d08

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/27461/
Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c73e49d49ea3f1e4b5adf0
Tags:
underscore injection obfusc blic
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Delayed reading of the file
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context installer masquerade microsoft_visual_cc obfuscated overlay signed
Link:
https://www.filescan.io/uploads/68c7b932dbc6f5a29c450c8c/reports/6a361d00-b9d7-4bf9-adb6-d8af48a6b2d6/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/e4b394710171888c98115ff1cc8639992a746c3313363565ca8f54b237fc4ec2
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-14T17:45:00Z UTC
Last seen:
2025-09-14T17:45:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/e4b394710171888c98115ff1cc8639992a746c3313363565ca8f54b237fc4ec2/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1cd87f1a-398d-4cc1-88b8-cbc791375efe
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e4b394710171888c98115ff1cc8639992a746c3313363565ca8f54b237fc4ec2
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e4b394710171888c98115ff1cc8639992a746c3313363565ca8f54b237fc4ec2/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2025-09-14 21:01:21 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4szzi4ibogeizgarl7y4zbrztevhi3btcm3dkzokr5klen74j3ba._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
033dc2069bd1bc266894ed517e3c0209234dd51cddaa7e9e3d3c56e7b39a1007
RemcosRAT
2e6129b0aa7aed4e1161b9e09d14a2f5637cfd426e97fce1e95b0bee7ac28826
RemcosRAT
2efb64ca1908f95dd095871d6221d5ad1a3dc87a9cb6367d36193d7a3fd112b9
RemcosRAT
5291ecc87ba8dbac74ac3b91f73ceba36b35d6b11455545e4e365859e45d8e5a
RemcosRAT
90b230c7b8c4991a8f657bc8031157a9070c24eb3de9cd074241985dc99489c0
RemcosRAT
ca8cf8aa0bab28b391de182e61cf7f9e8f8464717ab971384b73db628aef7267
RemcosRAT
e2140c6390f7696be2a70de9072137210c6ec238e5586fce237917a2082bbdd9
RemcosRAT
e4b394710171888c98115ff1cc8639992a746c3313363565ca8f54b237fc4ec2
RemcosRAT
error
RemcosRAT
+ 1'210 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos collection discovery installer persistence rat
Link:
https://tria.ge/reports/250915-hrz62avkz2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Remcos
Remcos family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ad49037d-9f6d-4227-891f-8e55089f72ad
Unpacked files
SH256 hash:
e4b394710171888c98115ff1cc8639992a746c3313363565ca8f54b237fc4ec2
MD5 hash:
657d450efe333e708b65eef849dd87d5
SHA1 hash:
fcfd42755974e442044c42d8537e531333e459a0
Link:
https://www.unpac.me/results/6f640672-b69f-4fe9-9909-a2b4b5bd2842/
SH256 hash:
d6b4121f426953339c1d1a052d3cb10ba32020673aa879932f3782dc9605e119
MD5 hash:
2fc0987840e9db7cc6010ad28b71b849
SHA1 hash:
9c0b1cdc1119b9d0d42890f82044269d9d0524ad
Link:
https://www.unpac.me/results/6f640672-b69f-4fe9-9909-a2b4b5bd2842/
SH256 hash:
7fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1
MD5 hash:
dd87a973e01c5d9f8e0fcc81a0af7c7a
SHA1 hash:
c9206ced48d1e5bc648b1d0f54cccc18bf643a14
Link:
https://www.unpac.me/results/6f640672-b69f-4fe9-9909-a2b4b5bd2842/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e4b394710171/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e4b394710171888c98115ff1cc8639992a746c3313363565ca8f54b237fc4ec2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe e4b394710171888c98115ff1cc8639992a746c3313363565ca8f54b237fc4ec2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/27461/

Comments