MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb27c96a09f6c81ef8baca23b0024fc1c26dd3c9b2fa0a5b728cb56e1e2425af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 20


Intelligence 20 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb27c96a09f6c81ef8baca23b0024fc1c26dd3c9b2fa0a5b728cb56e1e2425af
SHA3-384 hash: 956627904a22164ee88a56e11c8dcf694c2afb4ff99c27e18c72da5a323df6e1f4f9a985e2be371c51159c732bc71882
SHA1 hash: 4c6f37929cb4777bd0fab2de73cb868c2453b3be
MD5 hash: 2c3182f4aa16fd3c249557366ac6de37
humanhash: fish-nebraska-paris-muppet
File name:Shipper VGM Declaration Form(CFS).pdf.scr
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'004'544 bytes
First seen:2025-10-21 06:48:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:s2f7Nh7ETnPPGaPiP/6FN4g6jPh1ElETc:/f7NCTnPeaPVTp6jf/I
Threatray 1'622 similar samples on MalwareBazaar
TLSH T1B52512056B1AEF52E8A21BF80D71E37117B4AE5CA815D31B4FD93CDBB4B9F142818A43
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
130
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
_eb27c96a09f6c81ef8baca23b0024fc1c26dd3c9b2fa0a5b728cb56e1e2425af.exe
Verdict:
Malicious activity
Analysis date:
2025-10-21 06:50:59 UTC
Tags:
remcos rat auto-reg
Link:
https://app.any.run/tasks/ecf88bce-6999-4083-916b-41204e0e0f1e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/33603/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f72cfead6ce0f5ad403f17
Tags:
underscore lien
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file in the %temp% directory
Launching a process
Reading critical registry keys
Launching a service
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin masquerade obfuscated packed packed packer_detected tracker vbnet
Link:
https://www.filescan.io/uploads/68f72d09fd2d7e012f4bc241/reports/31311dfb-03b4-47e5-a83d-8b0ed607fb54/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/eb27c96a09f6c81ef8baca23b0024fc1c26dd3c9b2fa0a5b728cb56e1e2425af
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-21T03:19:00Z UTC
Last seen:
2025-10-23T05:06:00Z UTC
Hits:
~1000
Detections:
Backdoor.Win32.Remcos.f Backdoor.Win32.Androm PDM:Trojan.Win32.Badex.c Trojan-Dropper.Win32.Injector.sb Trojan.MSIL.Inject.sb PDM:Trojan.Win32.Generic HEUR:Backdoor.MSIL.Remcos.gen Trojan.MSIL.Taskun.sb Trojan.MSIL.Crypt.sb
Link:
https://opentip.kaspersky.com/eb27c96a09f6c81ef8baca23b0024fc1c26dd3c9b2fa0a5b728cb56e1e2425af/results?tab=lookup
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1dda4949-f91d-46c6-ab6b-9a484fa2ceba
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1798933
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates autostart registry keys with suspicious names
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1798933 Sample: Shipper VGM Declaration For... Startdate: 21/10/2025 Architecture: WINDOWS Score: 100 62 Suricata IDS alerts for network traffic 2->62 64 Found malware configuration 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 19 other signatures 2->68 9 Shipper VGM Declaration Form(CFS).pdf.scr.exe 3 2->9         started        13 Acrobat-Reader.exe 2 2->13         started        15 Acrobat-Reader.exe 2->15         started        17 Acrobat-Reader.exe 2 2->17         started        process3 file4 58 Shipper VGM Declar...FS).pdf.scr.exe.log, ASCII 9->58 dropped 82 Injects a PE file into a foreign processes 9->82 19 Shipper VGM Declaration Form(CFS).pdf.scr.exe 2 4 9->19         started        23 Acrobat-Reader.exe 13->23         started        25 Acrobat-Reader.exe 15->25         started        27 Acrobat-Reader.exe 15->27         started        29 Acrobat-Reader.exe 17->29         started        signatures5 process6 file7 48 C:\ProgramData\...\Acrobat-Reader.exe, PE32 19->48 dropped 50 C:\...\Acrobat-Reader.exe:Zone.Identifier, ASCII 19->50 dropped 70 Creates autostart registry keys with suspicious names 19->70 31 Acrobat-Reader.exe 3 19->31         started        signatures8 process9 signatures10 84 Injects a PE file into a foreign processes 31->84 34 Acrobat-Reader.exe 4 4 31->34         started        process11 dnsIp12 60 104.250.180.178, 49690, 49691, 7902 M247GB United States 34->60 52 C:\Users\user\AppData\Local\Temp\TH59F0.tmp, MS-DOS 34->52 dropped 54 C:\Users\user\AppData\Local\Temp\TH59B1.tmp, MS-DOS 34->54 dropped 56 C:\Users\user\AppData\Local\Temp\TH5981.tmp, PE32 34->56 dropped 72 Maps a DLL or memory area into another process 34->72 39 svchost.exe 2 34->39         started        42 svchost.exe 1 34->42         started        44 svchost.exe 1 34->44         started        46 2 other processes 34->46 file13 signatures14 process15 signatures16 74 Tries to steal Mail credentials (via file registry) 39->74 76 Tries to harvest and steal browser information (history, passwords, etc) 39->76 78 Tries to steal Instant Messenger accounts or passwords 42->78 80 Tries to steal Mail credentials (via file / registry access) 42->80
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/eb27c96a09f6c81ef8baca23b0024fc1c26dd3c9b2fa0a5b728cb56e1e2425af
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.47 Win 32 Exe x86
Link:
https://app.malva.re/file/2c3182f4aa16fd3c249557366ac6de37
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/eb27c96a09f6c81ef8baca23b0024fc1c26dd3c9b2fa0a5b728cb56e1e2425af/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/eb27c96a09f6c81ef8baca23b0024fc1c26dd3c9b2fa0a5b728cb56e1e2425af
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-10-21 06:28:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5mt4s2qj63eb56f2zir3aaspyhbg3u6jwl5auw3srs2w4hreewxq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
admintool_mailpassview
Create hunting rule
remcos
Create hunting rule
nirsoft
Create hunting rule
Similar samples:
144eea2b04b77c59b219ca2d9cfb622efccb3289302a23ef42f5aa8644bbd1d6
RemcosRAT
46bc7a8c15a8f6bb2b34df5c9595eebfc50713aa0e51783bfe88a1aa36b85dad
RemcosRAT
4e334ecb7d9d523704490dfa106cd65cd0779436afed6b22f701f7f16f5d35f5
RemcosRAT
8ee17d796838ff6f4a61fad087b4486f2859a516d290215cdf3d731bc167ab56
RemcosRAT
e462d1a4674d1c46ee7c3eba187353dc4c6c40863493e67b3d1ab379714f97bb
RemcosRAT
eb27c96a09f6c81ef8baca23b0024fc1c26dd3c9b2fa0a5b728cb56e1e2425af
RemcosRAT
ec83e63ec2b758afdcc2404676ec3c3c37730613e762e4a5b090202bc7b9ad74
RemcosRAT
error
RemcosRAT
f90560c78443e9c83537a185ade54fabfe18a33fecfd8c38417e90df249d93b3
RemcosRAT
+ 1'612 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection discovery persistence rat
Link:
https://tria.ge/reports/251021-hlk5xsslap/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Remcos
Remcos family
Malware Config
C2 Extraction:
104.250.180.178:7902
Unpacked files
SH256 hash:
eb27c96a09f6c81ef8baca23b0024fc1c26dd3c9b2fa0a5b728cb56e1e2425af
MD5 hash:
2c3182f4aa16fd3c249557366ac6de37
SHA1 hash:
4c6f37929cb4777bd0fab2de73cb868c2453b3be
Link:
https://www.unpac.me/results/65f7409d-de31-4579-ba43-a1866324819c/
SH256 hash:
13f9aa7358219b18b86b95804b71639cce1c93f209bd98b5bfb80fac2d0d4610
MD5 hash:
46cdca89bfa4983246f9d565c1c73823
SHA1 hash:
098edc63ebd3221d3e4d819a30e9cefd54964ee7
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/65f7409d-de31-4579-ba43-a1866324819c/
SH256 hash:
9f2bdadb8926bf6157c7487e994ec28657f9415fd2fdf97a5ba82ba12e24046a
MD5 hash:
0e1119a6df48b550ad1353d136297ef3
SHA1 hash:
3f89b2297c1e0a29932eb25741a51538e005d565
Link:
https://www.unpac.me/results/65f7409d-de31-4579-ba43-a1866324819c/
SH256 hash:
6d0e29ee3a788bd9c6960e1c560572f9bbe5d7ae16e40d7f9237ee2d88d5d536
MD5 hash:
ca5d4ee8a3d4d7b4e6d2b4758f6f6b71
SHA1 hash:
e6204ed9c9a998f19cf0016506bc53dffddf0654
Detections:
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
Remcos
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Link:
https://www.unpac.me/results/65f7409d-de31-4579-ba43-a1866324819c/
Parent samples :
afcb9a98287b5852b6fd25a60e9fdee42c3039054de5150e3a77e18944ec7c80
fb51ffcffd134849ebc6114eacc45a0bd9f2430188fd33064217df5b4cd41508
75a4146af3520c8bb236cfe21ef507eec5f8a082ab20f4dfad55765b6fc04049
ed68e937c49334eb99ff5ca7bb6b7c45645c3335c11f344f460378a5991323a5
27ca89e42083ae8b80f5ebbf9fd9882630af96303f262b7437aab1b2fb8d256a
55d8ae2d11aeb76c2214d735c46917541ac04febc6b2f8ac998d1173b838b5ce
2c7e7bf4cd14456572dd850552354b46e89d511300f5dce48561a4f347f8d4b2
eb27c96a09f6c81ef8baca23b0024fc1c26dd3c9b2fa0a5b728cb56e1e2425af
31ceaea6cb2e484b7ff1fdd6dcf0fdd999898548c5b5504e23561acbd1df53a0
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.91
Link:
https://yomi.yoroi.company/submissions/eb27c96a09f6c81ef8baca23b0024fc1c26dd3c9b2fa0a5b728cb56e1e2425af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe eb27c96a09f6c81ef8baca23b0024fc1c26dd3c9b2fa0a5b728cb56e1e2425af

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/33603/

Comments