MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7a7b1d0ebf9cbb2760f3795b42b1b39596ab0eabf1cb12417ba2e8e42494708. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 22


Intelligence 22 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7a7b1d0ebf9cbb2760f3795b42b1b39596ab0eabf1cb12417ba2e8e42494708
SHA3-384 hash: 5efa0eaeb59d127f5f6ba4869c42cf733d023a66056992445b1b86b132786447afc397a35b5e8c9d30f089d4ca8a7781
SHA1 hash: 4f908945bd414f1d9f349aeab88ca55ada8351cd
MD5 hash: 2f6d0c6a6797793678b2a1b601cb2cad
humanhash: florida-iowa-hotel-floor
File name:iKC90FHBmaDcNOM.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:881'664 bytes
First seen:2025-11-28 09:50:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:WAZoY82CkCAkcyW6A5Rx5lEr34J3z3KqDVfEBYF:WAZXf7kcyMDlJ3z6qD9G
TLSH T1D71523A12368CA23C48027F19936C2B953B42E4EA403D26B8FDCCEDBBD57F429D54719
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
104.37.174.84:3566

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
104.37.174.84:3566 https://threatfox.abuse.ch/ioc/1660224/

Intelligence

File Origin
# of uploads :
1
# of downloads :
131
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
iKC90FHBmaDcNOM.exe
Verdict:
Malicious activity
Analysis date:
2025-11-28 09:53:13 UTC
Tags:
rat remcos stealer tool mpress
Link:
https://app.any.run/tasks/33fe3215-5907-43b3-9c1b-0aee19d0f779

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/41708/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=692970606657e3433281c612
Tags:
crypted keylog lien remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
DNS request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Connection attempt
Setting a keyboard event handler
Sending a custom TCP request
Searching for synchronization primitives
Reading critical registry keys
Creating a file in the %temp% directory
Launching a service
Changing a file
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed vbnet
Link:
https://www.filescan.io/uploads/6929705d1b65ca0bb92673b9/reports/b7093580-242a-47f9-a4b9-7eccad501db7/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e7a7b1d0ebf9cbb2760f3795b42b1b39596ab0eabf1cb12417ba2e8e42494708
Result
Gathering data
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-28T04:33:00Z UTC
Last seen:
2025-11-28T06:19:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/e7a7b1d0ebf9cbb2760f3795b42b1b39596ab0eabf1cb12417ba2e8e42494708/results?tab=lookup
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/12dd31f7-acb0-4ac3-b1c3-f7e8a1ee3dbf
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1822065
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1822065 Sample: iKC90FHBmaDcNOM.exe Startdate: 28/11/2025 Architecture: WINDOWS Score: 100 35 Suricata IDS alerts for network traffic 2->35 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 8 other signatures 2->41 7 iKC90FHBmaDcNOM.exe 3 2->7         started        process3 file4 29 C:\Users\user\...\iKC90FHBmaDcNOM.exe.log, ASCII 7->29 dropped 49 Contains functionality to bypass UAC (CMSTPLUA) 7->49 51 Contains functionalty to change the wallpaper 7->51 53 Contains functionality to steal Chrome passwords or cookies 7->53 55 7 other signatures 7->55 11 iKC90FHBmaDcNOM.exe 4 2 7->11         started        16 WMIADAP.exe 18 10 7->16         started        18 iKC90FHBmaDcNOM.exe 7->18         started        20 iKC90FHBmaDcNOM.exe 7->20         started        signatures5 process6 dnsIp7 33 104.37.174.84, 3566, 49718, 49719 MAJESTIC-HOSTING-01US United States 11->33 31 C:\ProgramData\@@@\logs.dat, data 11->31 dropped 57 Detected Remcos RAT 11->57 59 Maps a DLL or memory area into another process 11->59 61 Installs a global keyboard hook 11->61 22 iKC90FHBmaDcNOM.exe 1 11->22         started        25 iKC90FHBmaDcNOM.exe 1 11->25         started        27 iKC90FHBmaDcNOM.exe 14 11->27         started        file8 signatures9 process10 signatures11 43 Tries to steal Instant Messenger accounts or passwords 22->43 45 Tries to steal Mail credentials (via file / registry access) 22->45 47 Tries to harvest and steal browser information (history, passwords, etc) 25->47
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e7a7b1d0ebf9cbb2760f3795b42b1b39596ab0eabf1cb12417ba2e8e42494708
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.30 Win 32 Exe x86
Link:
https://app.malva.re/file/2f6d0c6a6797793678b2a1b601cb2cad
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e7a7b1d0ebf9cbb2760f3795b42b1b39596ab0eabf1cb12417ba2e8e42494708/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/e7a7b1d0ebf9cbb2760f3795b42b1b39596ab0eabf1cb12417ba2e8e42494708
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2025-11-28 08:40:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
21 of 36 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=46t3duhl7hf3e5qpg6k3iky3hfmwvmhkx4olcjaxxixi4qsji4ea._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
error
RemcosRAT
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection discovery rat spyware stealer
Link:
https://tria.ge/reports/251128-lt3xgscl2y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Reads user/profile data of web browsers
Detected Nirsoft tools
NirSoft MailPassView
Remcos
Remcos family
Malware Config
C2 Extraction:
104.37.174.84:3566
Verdict:
Malicious
Tags:
Remcos
YARA:
n/a
Link:
https://app.threat.zone/submission/189da955-5d5a-40af-a4c1-04880b60ffe0
Unpacked files
SH256 hash:
e7a7b1d0ebf9cbb2760f3795b42b1b39596ab0eabf1cb12417ba2e8e42494708
MD5 hash:
2f6d0c6a6797793678b2a1b601cb2cad
SHA1 hash:
4f908945bd414f1d9f349aeab88ca55ada8351cd
Link:
https://www.unpac.me/results/5054c27e-af3a-4bf6-85e2-a898814d41ba/
SH256 hash:
3aa8ce5d4766e6fa27c0f3e031c1425b79322fc25ced61c68998ddd0fe84afe0
MD5 hash:
62963935f4f4a7a5d71e15077781146b
SHA1 hash:
374f566ec38e44ea82e0aef8c79417067b37f003
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/5054c27e-af3a-4bf6-85e2-a898814d41ba/
Parent samples :
5fc5368bad8a8b519f2c392b97c458d9425307b00d52aaadea20eba58e8eeb24
707fdafc56b969ced0f79032c766da29582068ae2630074ec8d41c4d53a73773
ac7a2d43da192df88b772d5f18ad2fbfff501236b4593c0e608474fedde91508
a0f0d732fb63ac2e8801fb5f3a7f969952a7fbdb8b2a782c64cb1c1c14bda72c
4528e9b7d05236ab6a225911e8978af4a7d49bc0221b5529d40ee85b60b0dae7
0be718f7b7a74c02cb6e13cf89c32e36e3385d3c8d6bf11459e8a43afafe4ab4
35c4d93f942a492df6f2c7a905cc0c05d8d0013f8361ef0453762ce8ed74a6c8
93d8f58337eb1309d7fadafe6707dde3a7d20d65870d05a689b3c2f264e61193
74ace00f731591af315dda87a91dcad538db3fab7a62d9e8612eef59dc128bde
e7a7b1d0ebf9cbb2760f3795b42b1b39596ab0eabf1cb12417ba2e8e42494708
165b528fb02e35b12a59a311102a8bef74ec2f0bf908864fd7fa7ed8f917261e
SH256 hash:
304b523d1e3f7c96ba8c5142158d9b062b493dab2ed0ba7014da6ce0186f5885
MD5 hash:
4b3000f96db4b5c5b1b33968fb5a4840
SHA1 hash:
ba1f127ee3358e5159c38ccdd0d3730b230fd8f0
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/5054c27e-af3a-4bf6-85e2-a898814d41ba/
SH256 hash:
b709907641259451070d2864e5372df1d16b9744f9423ad4c7482b89f330c617
MD5 hash:
a2ffd3d42d8442840c8f998f4a4d9229
SHA1 hash:
d62f543a95126dc4284a8ff05e0d81e590f81de1
Detections:
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
Remcos
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Link:
https://www.unpac.me/results/5054c27e-af3a-4bf6-85e2-a898814d41ba/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e7a7b1d0ebf9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/e7a7b1d0ebf9cbb2760f3795b42b1b39596ab0eabf1cb12417ba2e8e42494708

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/41708/

Comments