MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e80861f2196fcab3985e686094a14beb8bfbf6ebda37b466d9f514f4dec86b12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e80861f2196fcab3985e686094a14beb8bfbf6ebda37b466d9f514f4dec86b12
SHA3-384 hash: bd8d6f09b24b8d4dfdfe8139f1d36f4425ade3e364ad292d98ff60a821324d0c1986eea895241d101002048dc9c74d99
SHA1 hash: b01ae2525e445cc8cc8c711ceda31f57ad26029e
MD5 hash: 25ccae5c7d8f2cc87db5d8eec201e12a
humanhash: london-hawaii-gee-oklahoma
File name:Maersk Shipping_doc.bat
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:945'874 bytes
First seen:2025-09-18 06:32:43 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 24576:RxfCmWs4RUEJlBDjwagBww1uhGKymnnYe/1ZG:TOmErzbnY+4
Threatray 1'031 similar samples on MalwareBazaar
TLSH T13B15F13ECEF2FCD4432EB0D0A95E3B1B128C1B93F5640B6CFAD418A61859605DF76668
Magika batch
Reporter abuse_ch
Tags:bat Maersk RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
64
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Maersk Shipping_doc.bat
Verdict:
No threats detected
Analysis date:
2025-09-18 06:37:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/110ca816-b81d-45bf-a836-67050e11c31b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/28074/
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68cba8352432032546476388
Tags:
obfuscate xtreme shell
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade obfuscated
Link:
https://www.filescan.io/uploads/68cba8be73287948292e657d/reports/5b798151-d124-4fe6-bbf3-f2cc43ea3bd6/overview
Verdict:
Suspicious
Labled as:
BAT/Agent.AZY
Link:
https://www.hybrid-analysis.com/sample/e80861f2196fcab3985e686094a14beb8bfbf6ebda37b466d9f514f4dec86b12
Verdict:
Malicious
File Type:
unix shell
First seen:
2025-09-17T22:04:00Z UTC
Last seen:
2025-09-17T22:04:00Z UTC
Hits:
~10000
Link:
https://opentip.kaspersky.com/e80861f2196fcab3985e686094a14beb8bfbf6ebda37b466d9f514f4dec86b12/results?tab=lookup
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1779747
Signature
.NET source code contains a sample name check
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Powershell drops PE file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential Data Stealing Via Chromium Headless Debugging
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1779747 Sample: Maersk Shipping_doc.bat Startdate: 18/09/2025 Architecture: WINDOWS Score: 100 51 api.ipify.org 2->51 53 api.findip.net 2->53 63 Suricata IDS alerts for network traffic 2->63 65 Found malware configuration 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 14 other signatures 2->69 11 cmd.exe 1 2->11         started        signatures3 process4 signatures5 79 Suspicious powershell command line found 11->79 14 cmd.exe 1 11->14         started        16 conhost.exe 11->16         started        process6 process7 18 cmd.exe 3 14->18         started        signatures8 61 Suspicious powershell command line found 18->61 21 powershell.exe 9 53 18->21         started        26 conhost.exe 18->26         started        process9 dnsIp10 55 192.3.177.145, 49690, 49691, 49692 AS-COLOCROSSINGUS United States 21->55 57 api.findip.net 172.67.214.3, 443, 49694 CLOUDFLARENETUS United States 21->57 59 2 other IPs or domains 21->59 43 C:\Users\user\AppData\Local\Temp\TH376C.tmp, PE32+ 21->43 dropped 45 C:\Users\user\AppData\Local\Temp\TH373C.tmp, MS-DOS 21->45 dropped 47 C:\Users\user\AppData\Local\Temp\TH372B.tmp, MS-DOS 21->47 dropped 49 4 other malicious files 21->49 dropped 71 Contains functionality to bypass UAC (CMSTPLUA) 21->71 73 Detected Remcos RAT 21->73 75 Attempt to bypass Chrome Application-Bound Encryption 21->75 77 10 other signatures 21->77 28 sc.exe 14 21->28         started        31 sc.exe 1 21->31         started        33 RmClient.exe 1 21->33         started        35 23 other processes 21->35 file11 signatures12 process13 signatures14 81 Tries to steal Mail credentials (via file registry) 28->81 83 Tries to harvest and steal browser information (history, passwords, etc) 28->83 85 Tries to steal Instant Messenger accounts or passwords 31->85 87 Tries to steal Mail credentials (via file / registry access) 31->87 37 WerFault.exe 16 35->37         started        39 conhost.exe 35->39         started        41 msedge.exe 35->41         started        process15
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/e80861f2196fcab3985e686094a14beb8bfbf6ebda37b466d9f514f4dec86b12
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e80861f2196fcab3985e686094a14beb8bfbf6ebda37b466d9f514f4dec86b12/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5aegd4qzn7flhgc6nbqjjikl5of7x5xl3i33izwz6ukpjxwinmja._file
Verdict:
malicious
Label(s):
admintool_mailpassview
Create hunting rule
nirsoft
Create hunting rule
remcos
Create hunting rule
donut_injector
Create hunting rule
Similar samples:
2f4337e60d9fb98342035e3b6233af010cc1a6c8801b1a3b23a59b60025e680f
RemcosRAT
3509fb04e772680941a132634df2000b73406c6aa34effaad055904237337fe5
RemcosRAT
3e2d372a69cc2489159da3251620c9f09f89a184a454b87a8c8382bb309333d9
RemcosRAT
55fe10713916a9cdac684c3a3fa263d625152a878ad98284d441b38355b57825
RemcosRAT
737262c8a965c09d0b6744aef7951b0edd0ef8edd9b1c2a1ca97d04b586feb1c
RemcosRAT
d051ba598d31d4c4d86deda039a1b6ac05fe4c21764479b9c895e641992dcc26
RemcosRAT
e2a70b214b0d1f0a2f22955d257fa2189e1c9108987248ec44a30b2fe717a386
RemcosRAT
error
RemcosRAT
+ 1'021 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
collection credential_access discovery execution stealer
Link:
https://tria.ge/reports/250918-hdx5hsxpy5/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Badlisted process makes network request
Uses browser remote debugging
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Malware family:
WebBrowserPassView
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e80861f2196f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e80861f2196fcab3985e686094a14beb8bfbf6ebda37b466d9f514f4dec86b12

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:SUSP_PS1_JAB_Pattern_Jun22_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable
Reference:Internal Research
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/28074/

Comments