MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6faf4b04b4af47427346ee41caa3aeb95b7e864458d570ba5111d73cbc70f1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 20


Intelligence 20 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6faf4b04b4af47427346ee41caa3aeb95b7e864458d570ba5111d73cbc70f1c
SHA3-384 hash: cbb70532c998aada669186cab2d2c25e8813ef2668437257f3822c3c932fa8d5c0a3fac293c79a583d2ad25700f8770e
SHA1 hash: e257c186521fff6434d0c0e671d747b4f8e295bc
MD5 hash: 046bf7a3d451768f0b7c0899db426e96
humanhash: tango-zebra-edward-sierra
File name:QUOTATION MTL #009447222.pdf(68KB).com
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:736'776 bytes
First seen:2026-03-24 07:37:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'852 x AgentTesla, 19'779 x Formbook, 12'303 x SnakeKeylogger)
ssdeep 12288:E+7J9np+cUkdyr7aXKsl3GFB++icDFrgW/RfRv+GHCxMhvzkR:xjbma6OWFT9DNgW/OJMJm
Threatray 1 similar samples on MalwareBazaar
TLSH T1B4F401142748DE03E4DF17F42768E23617B45E9DE922D31B8FE96CEB3CA67142A09643
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
DE DE
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
RoboSki
a decrypted ReZer0 component and possibly a decryption component
Link:
https://research.acce.ciphertechsolutions.com/results/42f64254-76b7-48a4-bda6-34bf04be5957/
Malware family:
remcos
Create hunting rule
ID:
1
File name:
QUOTATION MTL #009447222.pdf(68KB).com
Verdict:
Malicious activity
Analysis date:
2026-03-24 07:39:02 UTC
Tags:
auto-reg netreactor auto-startup xworm remote rat remcos stealer
Link:
https://app.any.run/tasks/82a407a9-ddee-420c-9faa-518980914e4f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.52847684.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69c23f67390b996474132c56
Tags:
micro shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Restart of the analyzed sample
Creating a file
Launching a process
Creating a process with a hidden window
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Running batch commands
Unauthorized injection to a recently created process
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Labled as:
VIPKeylogger.Generic
Link:
https://www.hybrid-analysis.com/sample/e6faf4b04b4af47427346ee41caa3aeb95b7e864458d570ba5111d73cbc70f1c
Result
Gathering data
Verdict:
Malicious
File Type:
exe x32
Link:
https://opentip.kaspersky.com/e6faf4b04b4af47427346ee41caa3aeb95b7e864458d570ba5111d73cbc70f1c/results?tab=lookup
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ab6d6aa4-fb09-438c-9cd8-d0ef71817aba
Result
Threat name:
Remcos, DarkTortilla, XWorm, XpertRAT
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1888018
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Disables UAC (registry)
Disables user account control notifications
Drops PE files to the user root directory
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: Remcos
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected Generic Dropper
Yara detected MSIL Injector
Yara detected Remcos RAT
Yara detected XpertRAT
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1888018 Sample: QUOTATION MTL #009447222.pd... Startdate: 24/03/2026 Architecture: WINDOWS Score: 100 122 wqo9.firewall-gateway.de 2->122 124 code1.ydns.eu 2->124 126 10 other IPs or domains 2->126 136 Suricata IDS alerts for network traffic 2->136 138 Found malware configuration 2->138 140 Malicious sample detected (through community Yara rule) 2->140 142 22 other signatures 2->142 12 QUOTATION MTL #009447222.pdf(68KB).com.exe 3 2->12         started        16 Opera.exe 2->16         started        18 C2H6Y3K1-A7X5-B5F3-N3W1-K4A558N0M337.exe 2->18         started        20 4 other processes 2->20 signatures3 process4 file5 120 QUOTATION MTL #009...f(68KB).com.exe.log, ASCII 12->120 dropped 204 Injects a PE file into a foreign processes 12->204 22 QUOTATION MTL #009447222.pdf(68KB).com.exe 1 12->22         started        206 Writes to foreign memory regions 16->206 208 Allocates memory in foreign processes 16->208 210 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->210 25 AddInProcess32.exe 16->25         started        28 C2H6Y3K1-A7X5-B5F3-N3W1-K4A558N0M337.exe 18->28         started        30 C2H6Y3K1-A7X5-B5F3-N3W1-K4A558N0M337.exe 18->30         started        32 conhost.exe 20->32         started        34 C2H6Y3K1-A7X5-B5F3-N3W1-K4A558N0M337.exe 20->34         started        36 conhost.exe 20->36         started        signatures6 process7 file8 152 Encrypted powershell cmdline option found 22->152 38 powershell.exe 15 21 22->38         started        114 C:\ProgramData\remcos\logs.dat, data 25->114 dropped 154 Maps a DLL or memory area into another process 25->154 156 Installs a global keyboard hook 25->156 158 Unusual module load detection (module proxying) 25->158 43 AddInProcess32.exe 25->43         started        45 AddInProcess32.exe 25->45         started        47 AddInProcess32.exe 25->47         started        49 3 other processes 25->49 signatures9 process10 dnsIp11 128 igw.myfirewall.org 83.217.209.110, 49687, 49688, 49695 INF-NET-ASRU Russian Federation 38->128 106 C:\Users\user\OneDrive.exe, PE32 38->106 dropped 108 C:\Users\user\AppData\Roaming\explorer.exe, PE32 38->108 dropped 110 C:\Users\user\...\backgroundTaskHost.exe, PE32 38->110 dropped 112 C:\Users\user\AppData\Roaming\OUTLOOK.EXE, PE32 38->112 dropped 160 Drops PE files to the user root directory 38->160 162 Potential dropper URLs found in powershell memory 38->162 164 Drops PE files with benign system names 38->164 166 Powershell drops PE file 38->166 51 backgroundTaskHost.exe 3 38->51         started        54 explorer.exe 3 38->54         started        56 OUTLOOK.EXE 2 38->56         started        58 2 other processes 38->58 168 Tries to steal Instant Messenger accounts or passwords 43->168 170 Tries to steal Mail credentials (via file / registry access) 43->170 172 Tries to harvest and steal browser information (history, passwords, etc) 45->172 file12 signatures13 process14 signatures15 144 Hides that the sample has been downloaded from the Internet (zone.identifier) 51->144 146 Injects a PE file into a foreign processes 51->146 60 backgroundTaskHost.exe 51->60         started        63 backgroundTaskHost.exe 51->63         started        65 cmd.exe 54->65         started        68 cmd.exe 54->68         started        148 Writes to foreign memory regions 56->148 150 Allocates memory in foreign processes 56->150 70 InstallUtil.exe 56->70         started        process16 dnsIp17 186 Changes security center settings (notifications, updates, antivirus, firewall) 60->186 188 Disables user account control notifications 60->188 190 Writes to foreign memory regions 60->190 202 3 other signatures 60->202 73 iexplore.exe 60->73         started        78 iexplore.exe 60->78         started        102 C:\Users\user\AppData\Roaming\Opera.exe, PE32 65->102 dropped 192 Uses ping.exe to sleep 65->192 80 Opera.exe 65->80         started        82 conhost.exe 65->82         started        84 PING.EXE 65->84         started        86 PING.EXE 65->86         started        194 Uses ping.exe to check the status of other devices and networks 68->194 88 reg.exe 68->88         started        90 PING.EXE 68->90         started        92 conhost.exe 68->92         started        130 wqo9.firewall-gateway.de 91.92.241.145, 2404, 49697, 49704 THEZONEBG Bulgaria 70->130 104 C:\Users\user\AppData\...\VersionUpdate.exe, PE32 70->104 dropped 196 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 70->196 198 Creates autostart registry keys with suspicious values (likely registry only malware) 70->198 200 Creates multiple autostart registry keys 70->200 file18 signatures19 process20 dnsIp21 132 code1.ydns.eu 128.0.1.9, 52013 M247GB Romania 73->132 116 C2H6Y3K1-A7X5-B5F3-N3W1-K4A558N0M337.exe, PE32 73->116 dropped 118 C:\...\C2H6Y3K1-A7X5-B5F3-N3W1-K4A558N0M337, data 73->118 dropped 174 Creates autostart registry keys with suspicious names 73->174 176 Creates multiple autostart registry keys 73->176 178 Writes to foreign memory regions 73->178 94 notepad.exe 73->94         started        96 WerFault.exe 78->96         started        180 Allocates memory in foreign processes 80->180 182 Hides that the sample has been downloaded from the Internet (zone.identifier) 80->182 184 Injects a PE file into a foreign processes 80->184 98 AddInProcess32.exe 80->98         started        100 AddInProcess32.exe 80->100         started        134 127.0.0.1 unknown unknown 90->134 file22 signatures23 process24
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e6faf4b04b4af47427346ee41caa3aeb95b7e864458d570ba5111d73cbc70f1c
Gathering data
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e6faf4b04b4af47427346ee41caa3aeb95b7e864458d570ba5111d73cbc70f1c/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/e6faf4b04b4af47427346ee41caa3aeb95b7e864458d570ba5111d73cbc70f1c
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-03-24 07:08:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
15 of 36 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=435pjmcljl2hijzun3sbzkr25ok3p2deiwgvoc5fceoxhs6hb4oa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
xworm
Create hunting rule
Similar samples:
error
RemcosRAT
f9b5586faacc3149e8cc0cbd920bdb8f58a6e8b57bd2acbe9215f61cdd2ea3a3
RemcosRAT
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:remcos family:xpertrat family:xworm botnet:bkup xx26 botnet:bw-wld collection defense_evasion discovery persistence rat trojan
Link:
https://tria.ge/reports/260324-jggsdafv9p/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks whether UAC is enabled
Obfuscated Files or Information: Command Obfuscation
Program crash
.NET Reactor proctector
Checks computer location settings
Drops startup file
Executes dropped EXE
Windows security modification
Adds policy Run key to start application
Badlisted process makes network request
Downloads MZ/PE file
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Detect Xworm Payload
Remcos
Remcos family
UAC bypass
Windows security bypass
XpertRAT
XpertRAT Core payload
Xpertrat family
Xworm
Xworm family
Malware Config
C2 Extraction:
wqo9.firewall-gateway.de:52013
code1.ydns.eu:52013
rency.ydns.eu:52013
rency.ydns.eu:2404
wqo9.firewall-gateway.de:4045
code1.ydns.eu:9302
Unpacked files
SH256 hash:
e6faf4b04b4af47427346ee41caa3aeb95b7e864458d570ba5111d73cbc70f1c
MD5 hash:
046bf7a3d451768f0b7c0899db426e96
SHA1 hash:
e257c186521fff6434d0c0e671d747b4f8e295bc
Link:
https://www.unpac.me/results/68111303-4a10-4a49-96e6-1500fe61c110/
SH256 hash:
d0b40f68e01f08174c90b6ed73fb2375fd0a5b779b478338652936dab706f2c8
MD5 hash:
46c88f9e8dd61270a6ab44a75d036e46
SHA1 hash:
130496b18bbdb38f960a9750f80c8c925ca72f96
Link:
https://www.unpac.me/results/68111303-4a10-4a49-96e6-1500fe61c110/
SH256 hash:
b9abdf181a8746c43cd3665ce5c45ff33ddb8916b400454a26b2cb3e346bc194
MD5 hash:
e29ddeebef1fd4ef69698fa2ee7b1d65
SHA1 hash:
919b0e3bfc023f595dfb4e83688a96970dc5fa2b
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/68111303-4a10-4a49-96e6-1500fe61c110/
Parent samples :
8b012d3d775bd32f503cb84a6889d786c06623eeb8c840bd8c03073971530f52
88e156291d0a765e5c9b60daa6bd53c6ad75022e63ab286effe120aa6c16c222
316fee57d6004b1838576bb178215c99b56a0bd37a012e8650cd2898041f6785
046ebdd9e30338c5c6880ca8e8c7da3c37a3fd05611e9c21310ec5989f98095a
9612b142e2991ff8c9b66b283b9727cd8d2b5afff8521e8bb8806d36dcab5c43
08a1f9ca335c195d028e5f47b94f7e3b56945332b5f503ef60cdbba99c27998f
f034f4756f307c1c27424059cec7bc7f975493377588e086ea94721b38a68999
6a3368fb5ffab1283df539c6f17cb1244b563f5a3ad94d96adcde2dcadab66ae
7c40815633530147ad907fdc252aad2761fe35088020db35c4325dcc0f4d3329
dc31630436166d019ad9472db3b82f498ad0ed02d4cbd6a000d8b0dcee246e3b
d1805bb55498f94da1f9040517f7baaaacf2d4f77cdb6cd44a9436115dd12be9
4fb1c62f75a74fc547b2aa6ce7d8d147419212045f4d0a83d571fb93e4610613
b9abdf181a8746c43cd3665ce5c45ff33ddb8916b400454a26b2cb3e346bc194
94826673c7f54435e62ddb5d187cd852cbbadd0ddeab528bb7ccc0def7f65a73
2804023cb811e89cd1fc6bec5614a689929a3c23f68939142176c7b2fbdd4b9f
e6faf4b04b4af47427346ee41caa3aeb95b7e864458d570ba5111d73cbc70f1c
1079c14f69f1dac1d28b8aea2d9700d699058a6b5005f2b0c609d758549bb74b
057dd07c9fe02bf1560249258a6bbe88a39f8d02a1a754ff655ad83f99341669
f4da176988f23e15f2b5c5a331e2441c57b3257da196df4e0c980940af64a067
f33b8ab9fca177f47dd8cf23417361f2ac63a0832ad322e32a141a3bc9a08287
47053b752966dd81947bb51b6a798f2d9844723bcd7fa2f02cd81ede6f38d5eb
SH256 hash:
bb5ec062568b6553ca2016084521a1120fbd16ed14eb205007510c7c23fe389c
MD5 hash:
f3b1d800931e3fbe5c005906a3d2645f
SHA1 hash:
b99d136a4017fd7f380ae6a29920e54092b9e37f
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/68111303-4a10-4a49-96e6-1500fe61c110/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e6faf4b04b4a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e6faf4b04b4af47427346ee41caa3aeb95b7e864458d570ba5111d73cbc70f1c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe e6faf4b04b4af47427346ee41caa3aeb95b7e864458d570ba5111d73cbc70f1c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/58915/

Comments