MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e646f69ab13559c8f45cf9ec17c23b359bfd93a61d4932da2d81aab6f25c9d79. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 20


Intelligence 20 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e646f69ab13559c8f45cf9ec17c23b359bfd93a61d4932da2d81aab6f25c9d79
SHA3-384 hash: 5db069afc92f18a171eeb57a5ee45e7f5bbee2d3dd5c97389bbc32d60ff0e6abaeaa57adef11aaf6ce1560d3db8fba01
SHA1 hash: c3808e859eaf84e26e5038b5cad6f89c1330cefd
MD5 hash: a0752b7d87c5675f9bffe36ae20c169b
humanhash: tango-iowa-violet-wyoming
File name:Swift_JulyDue_ 2025 Remittance0989 pdf.bat
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'091'072 bytes
First seen:2025-08-04 13:10:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 24576:itEH2HrrQtbDu7ZyjAQ2fzp2qiTeMG9BS/4SmYVZyqO+/KI4:itI0rQCYYNMTe3i4SHS+/K
Threatray 1'246 similar samples on MalwareBazaar
TLSH T1FF3511113359DEB2F9BABB71AA60E13103642D555CE5D34E0EDEBECB386678108F1A42
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
58
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Swift_JulyDue_ 2025 Remittance0989 pdf.bat
Verdict:
Malicious activity
Analysis date:
2025-08-04 13:11:39 UTC
Tags:
rat remcos remote auto-sch-xml stealer mpress
Link:
https://app.any.run/tasks/dcc732be-911a-4a95-a423-eaff25d5a323

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/18789/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.14525.24065.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6890b1540b4775fb21361806
Tags:
virus micro lien msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/6890b14f183d4c2019addd08/reports/fc6f9f4e-76ed-47da-9306-c551a859fe79/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e646f69ab13559c8f45cf9ec17c23b359bfd93a61d4932da2d81aab6f25c9d79
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8bdb5aba-0c83-4918-b217-624a024bed04
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1749858
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Detected Remcos RAT
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1749858 Sample: Swift_JulyDue_ 2025 Remitta... Startdate: 04/08/2025 Architecture: WINDOWS Score: 100 60 gigle.duckdns.org 2->60 62 geoplugin.net 2->62 74 Suricata IDS alerts for network traffic 2->74 76 Found malware configuration 2->76 78 Malicious sample detected (through community Yara rule) 2->78 82 17 other signatures 2->82 8 Swift_JulyDue_ 2025 Remittance0989 pdf.bat.exe 7 2->8         started        12 btZzYi.exe 5 2->12         started        signatures3 80 Uses dynamic DNS services 60->80 process4 file5 46 C:\Users\user\AppData\Roaming\btZzYi.exe, PE32 8->46 dropped 48 C:\Users\user\...\btZzYi.exe:Zone.Identifier, ASCII 8->48 dropped 50 C:\Users\user\AppData\Local\...\tmpF00D.tmp, XML 8->50 dropped 52 Swift_JulyDue_ 202...989 pdf.bat.exe.log, ASCII 8->52 dropped 84 Adds a directory exclusion to Windows Defender 8->84 14 Swift_JulyDue_ 2025 Remittance0989 pdf.bat.exe 4 16 8->14         started        19 powershell.exe 23 8->19         started        21 powershell.exe 23 8->21         started        23 schtasks.exe 1 8->23         started        86 Multi AV Scanner detection for dropped file 12->86 88 Contains functionality to bypass UAC (CMSTPLUA) 12->88 90 Contains functionalty to change the wallpaper 12->90 92 3 other signatures 12->92 25 btZzYi.exe 12->25         started        27 schtasks.exe 12->27         started        signatures6 process7 dnsIp8 64 gigle.duckdns.org 139.28.219.37, 49717, 49719, 65237 M247GB Romania 14->64 66 geoplugin.net 178.237.33.50, 49720, 80 ATOM86-ASATOM86NL Netherlands 14->66 54 C:\Users\user\AppData\Local\Temp\TH6737.tmp, MS-DOS 14->54 dropped 56 C:\Users\user\AppData\Local\Temp\TH6513.tmp, MS-DOS 14->56 dropped 58 C:\Users\user\AppData\Local\Temp\TH6495.tmp, PE32 14->58 dropped 68 Detected Remcos RAT 14->68 70 Maps a DLL or memory area into another process 14->70 29 RmClient.exe 2 14->29         started        32 RmClient.exe 14->32         started        34 RmClient.exe 14->34         started        72 Loading BitLocker PowerShell Module 19->72 36 WmiPrvSE.exe 19->36         started        38 conhost.exe 19->38         started        40 conhost.exe 21->40         started        42 conhost.exe 23->42         started        44 conhost.exe 27->44         started        file9 signatures10 process11 signatures12 94 Tries to steal Mail credentials (via file registry) 29->94 96 Tries to harvest and steal browser information (history, passwords, etc) 29->96 98 Tries to steal Instant Messenger accounts or passwords 32->98 100 Tries to steal Mail credentials (via file / registry access) 32->100
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e646f69ab13559c8f45cf9ec17c23b359bfd93a61d4932da2d81aab6f25c9d79
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable PDB Path PE (Portable Executable) SOS: 0.45 Win 32 Exe x86
Link:
https://app.malva.re/file/a0752b7d87c5675f9bffe36ae20c169b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e646f69ab13559c8f45cf9ec17c23b359bfd93a61d4932da2d81aab6f25c9d79/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/e646f69ab13559c8f45cf9ec17c23b359bfd93a61d4932da2d81aab6f25c9d79
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2025-08-04 07:52:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
17 of 38 (44.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4zdpngvrgvm4r5c47hwbpqr3gwn73e5gdvetfwrnqgvln4s4tv4q._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
remcos
Create hunting rule
Similar samples:
179fe62017bb17cf9b0ecaf118ec8a3bb14b351b448e6df3c029f29bf4385103
RemcosRAT
60682c9e70f15ee5e31dc5c054417386098c475be469994ea54b5c56847d4aaf
RemcosRAT
6400bf9fe56615568b8bd3ec6967fb72393b9df9a6bba89860ca95d8102afbf8
RemcosRAT
c7e099c60f551279ad41d2f35a001e14082346f15e312560771dac7302964da9
RemcosRAT
e646f69ab13559c8f45cf9ec17c23b359bfd93a61d4932da2d81aab6f25c9d79
RemcosRAT
error
RemcosRAT
+ 1'236 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos collection discovery execution persistence rat
Link:
https://tria.ge/reports/250804-qenaps1scw/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Remcos
Remcos family
Malware Config
C2 Extraction:
gigle.duckdns.org:65237
Verdict:
Malicious
Tags:
Remcos
YARA:
n/a
Link:
https://app.threat.zone/submission/ddec4b46-4fbf-4003-8514-1748e5d4bfc6
Unpacked files
SH256 hash:
e646f69ab13559c8f45cf9ec17c23b359bfd93a61d4932da2d81aab6f25c9d79
MD5 hash:
a0752b7d87c5675f9bffe36ae20c169b
SHA1 hash:
c3808e859eaf84e26e5038b5cad6f89c1330cefd
Link:
https://www.unpac.me/results/2b357f25-f24e-4f46-b618-65660baea42c/
SH256 hash:
7b457e79525fdb79fc6a01ecb8ec904ef7dd2b57ae5b9229fc3fed807ba24149
MD5 hash:
7bb566e4739a4252f2bf73076cd289d0
SHA1 hash:
00e87658b74e5b71eece71b5dc92c7ad518145fd
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/2b357f25-f24e-4f46-b618-65660baea42c/
Parent samples :
bde181e1225b6cb39fadcaf7a03659dcb8ba059eee626219b994f739b90e028c
e646f69ab13559c8f45cf9ec17c23b359bfd93a61d4932da2d81aab6f25c9d79
3645c06970210b79497c43087a250f575d11106851521861c8b068e434c280f7
ded67530b43d631ec743606859227570de9e18ce9d61a72b2641fdaff6dc78e6
229143d66574d5d01e18ec3078b0d3de25b91c21dfb79e9f75032a7d8d555f68
ef2a54c5688d0e055fffd22394c168c81f80ec4a8ab33ceb87e70a6eddf97942
SH256 hash:
8e9f7ff5252a763ab6bf2587791cdf63e1e6a15dea54756537ee85e48c681e46
MD5 hash:
9682289feaf230755ebca8c32e7661fa
SHA1 hash:
7a0b56123b5d5cec30ae6f961cf3f1ce3194cc85
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/2b357f25-f24e-4f46-b618-65660baea42c/
SH256 hash:
30fb513d52d50faded27e8230fa9c703426ea7ffcf7c911b712f1ada690892ee
MD5 hash:
fbd880abf067b8321e8e7536612a59ee
SHA1 hash:
eb6f904e43fd29af95bdd8c68b9bd06170161adb
Detections:
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
Remcos
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Link:
https://www.unpac.me/results/2b357f25-f24e-4f46-b618-65660baea42c/
Malware family:
WebBrowserPassView
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e646f69ab135/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e646f69ab13559c8f45cf9ec17c23b359bfd93a61d4932da2d81aab6f25c9d79

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe e646f69ab13559c8f45cf9ec17c23b359bfd93a61d4932da2d81aab6f25c9d79

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/18789/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments