MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec71e978e1b6a9f3b598bc5329fa4f29ef602bd9a4993844d18c93e2d46eccc9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 16

SHA256 hash: ec71e978e1b6a9f3b598bc5329fa4f29ef602bd9a4993844d18c93e2d46eccc9
SHA3-384 hash: 6068fe2760724d0a215f9c4dda789964599468f06e3b030b7be1f6fe3f6d4d529e0ca92bf9078b4ed09cbb5bbb819775
SHA1 hash: ba5a91f481ec940f3e4c3c9d3b33344eb4ece4f1
MD5 hash: 712b6d55d454847ef30e1e1e0e4009b6
humanhash: alabama-lemon-eighteen-moon
File name: dropper64.exe
Signature: RemcosRAT
File size: 496'128 bytes
First seen: 2025-08-21 07:04:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 21b10bcbac6fcce20fa8ed75e32bed96 (1 x RemcosRAT)
ssdeep: 12288:uNWCkWdX1lMe/uye43o5c3gnZZDuPyLwgmTQImdXY:uNWCkWtd/Q6EZZDuPbUIm
TLSH: T11AB4D04A776410B9E877C238C9A3964AF6B274160B7093CF136487BD5F2B7E1693E312
TrID: 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
      21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      8.7% (.ICL) Windows Icons Library (generic) (2059/9)
      8.5% (.EXE) OS/2 Executable (generic) (2029/13)
      8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
Reporter: abuse_ch
Tags: exe RemcosRAT
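The entry lists four digests and a size for one file, and the vendor sections further down attribute the same bytes to several different families (RemcosRAT, tinynuke, redline, PowerLoader, sdbbot), so before trusting any of those verdicts it is worth confirming that the copy you downloaded is exactly the file this entry describes. The script below is an added example, not MalwareBazaar code: it hashes a file once with all four algorithms shown above and reports which digests differ from the entry. ENTRY_HASHES and ENTRY_SIZE are copied from this page; the stand-in bytes hashed when no path is given are constructed and are expected to be rejected.

```python
"""Verify a local file against the digests printed on a MalwareBazaar entry.

Added example, not MalwareBazaar code. ENTRY_HASHES and ENTRY_SIZE are copied
from this entry; everything else is illustrative.
"""
import hashlib
import os
import sys
from typing import Dict, Iterable, List

# Digests and size as printed on this entry.
ENTRY_HASHES: Dict[str, str] = {
    "sha256": "ec71e978e1b6a9f3b598bc5329fa4f29ef602bd9a4993844d18c93e2d46eccc9",
    "sha3_384": "6068fe2760724d0a215f9c4dda789964599468f06e3b030b7be1f6fe3f6d4d529e0ca92bf9078b4ed09cbb5bbb819775",
    "sha1": "ba5a91f481ec940f3e4c3c9d3b33344eb4ece4f1",
    "md5": "712b6d55d454847ef30e1e1e0e4009b6",
}
ENTRY_SIZE = 496128  # "File size: 496'128 bytes"


def digest_chunks(chunks: Iterable[bytes],
                  algorithms: Iterable[str] = tuple(ENTRY_HASHES)) -> Dict[str, str]:
    """Hash a byte stream once, feeding every requested hashlib algorithm.

    A single pass matters for large samples: the data is read once, not once
    per algorithm. Returns lower-case hex digests keyed by algorithm name.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data: bytes) -> Dict[str, str]:
    return digest_chunks([data])


def digest_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a file on disk in 1 MiB chunks without loading it whole."""
    def reader():
        with open(path, "rb") as f:
            while True:
                chunk = f.read(chunk_size)
                if not chunk:
                    return
                yield chunk
    return digest_chunks(reader())


def mismatches(actual: Dict[str, str], expected: Dict[str, str]) -> List[str]:
    """Names of algorithms whose digest differs or is missing (case-insensitive)."""
    return [name for name, want in expected.items()
            if actual.get(name, "").lower() != want.lower()]


def is_same_sample(actual: Dict[str, str], size: int) -> bool:
    """True only if every digest on the entry matches and the size agrees.

    One matching SHA256 would already be conclusive; checking all four also
    catches a transcription error in any single hash you copied.
    """
    return not mismatches(actual, ENTRY_HASHES) and size == ENTRY_SIZE


if __name__ == "__main__":
    # Usage: python verify_sample.py <path-to-downloaded-sample>
    # With no argument a constructed stand-in is hashed and correctly rejected.
    if len(sys.argv) > 1:
        hashes, size = digest_file(sys.argv[1]), os.path.getsize(sys.argv[1])
    else:
        stand_in = b"constructed stand-in, not the sample"
        hashes, size = digest_bytes(stand_in), len(stand_in)
    bad = mismatches(hashes, ENTRY_HASHES)
    print("match" if is_same_sample(hashes, size) else f"mismatch: {bad or 'size'}")
```

Run it against the downloaded archive contents, not the password-protected zip MalwareBazaar serves, since the digests above are of the unpacked executable.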

Intelligence


File Origin
# of uploads :
1
# of downloads :
78
Origin country :
SE
Vendor Threat Intelligence
Malware family:
tinynuke
ID:
1
File name:
2to1ep.bin
Verdict:
Malicious activity
Analysis date:
2025-08-21 06:55:25 UTC
Tags:
auto metasploit framework python github stealc stealer backdoor phishing storm1747 tycoon generic lumma miner anydesk tool payload tinynuke koistealer koiloader koi clickfix loader vidar modiloader xworm rat redline telegram coinminer agenttesla xtinyloader vipkeylogger keylogger pyinstaller cobaltstrike nanocore n-w0rm worm koadic amadey botnet meterpreter njrat xred asyncrat quasar bruteratel evasion snake gh0st purelogsstealer purecrypter dbatloader formbook reverseloader metastealer pastebin clipper diamotrix arch-scr

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Tags:
autorun emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process from a recently created file
Searching for synchronization primitives
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug exploit explorer fingerprint lolbin packed powerloader schtasks
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
88 / 100
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Found evasive API chain (may stop execution after checking mutex)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph (ID 1761780, sample dropper64.exe, start date 21/08/2025, architecture WINDOWS, score 88):
  Sample-level signatures: Multi AV Scanner detection for submitted file; Joe Sandbox ML detected suspicious sample
  dropper64.exe (started)
    dropped: C:\ProgramData\ebecabcdbbbdc.exe (PE32+)
    signatures: Found evasive API chain (may stop execution after checking mutex); Injects code into the Windows Explorer (explorer.exe); Uses schtasks.exe or at.exe to add and modify task schedules; 4 other signatures
    -> schtasks.exe (started) -> conhost.exe (started)
    -> explorer.exe (injected)
  ebecabcdbbbdc.exe (started, 3 instances)
    signatures: Multi AV Scanner detection for dropped file
    -> schtasks.exe (started) -> conhost.exe (started), once per instance
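The behaviour graph above and the signature lists around it agree on one chain: the dropper writes a PE32+ to C:\ProgramData, persists it with schtasks.exe, and injects into explorer.exe, and each instance of the dropped file repeats the schtasks step. The script below is an added example, not MalwareBazaar or sandbox-vendor code, showing how that chain can be correlated from endpoint telemetry rather than matched one signature at a time. The events are constructed Sysmon-style records with field names from Event ID 1 (ProcessCreate), 8 (CreateRemoteThread) and 11 (FileCreate); the dropper's on-disk path, the schtasks arguments and the task name are assumptions, only the dropped path C:\ProgramData\ebecabcdbbbdc.exe and the explorer.exe target come from the page.

```python
"""Detect the drop -> schtasks persistence -> explorer.exe injection chain.

Added example, not MalwareBazaar or sandbox-vendor code. SAMPLE_EVENTS are
constructed Sysmon-style records, not real telemetry from this sample; the
dropper path, task name and schtasks arguments are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Event:
    event_id: int              # 1 ProcessCreate, 8 CreateRemoteThread, 11 FileCreate
    pid: int                   # ProcessId (1, 11) or SourceProcessId (8)
    image: str                 # Image (1, 11) or SourceImage (8)
    parent_pid: int = 0        # ID 1 only
    parent_image: str = ""     # ID 1 only
    command_line: str = ""     # ID 1 only
    target_filename: str = ""  # ID 11 only
    target_image: str = ""     # ID 8 only


Alert = Tuple[str, int, str]   # (rule, offending pid, detail)


def detect(events: List[Event]) -> List[Alert]:
    """Correlate three weak signals into the chain this entry shows.

    1. a process writes an .exe to disk (the dropper writing to C:\\ProgramData)
    2. that dropped file is executed, or the writer/dropped process runs
       schtasks.exe /create (the persistence step the sandboxes flagged)
    3. the writer/dropped process creates a remote thread in explorer.exe
       (the injection step the sandboxes flagged)
    Only processes tied to a drop are eligible, which keeps legitimate
    schtasks use by svchost.exe or installers out of the alerts.
    """
    dropped: Dict[str, int] = {}   # lower-cased path of a written .exe -> writer pid
    suspects: Set[int] = set()     # pids that wrote, or are, a dropped executable
    alerts: List[Alert] = []
    for ev in events:
        img = ev.image.lower()
        if ev.event_id == 11:
            path = ev.target_filename.lower()
            if path.endswith(".exe"):
                dropped[path] = ev.pid
                suspects.add(ev.pid)
        elif ev.event_id == 1:
            if img in dropped:
                suspects.add(ev.pid)
                alerts.append(("executes_dropped_exe", ev.pid,
                               f"{ev.image} written by pid {dropped[img]}"))
            if (img.endswith("\\schtasks.exe")
                    and "/create" in ev.command_line.lower()
                    and ev.parent_pid in suspects):
                alerts.append(("schtasks_persistence", ev.parent_pid, ev.command_line))
        elif ev.event_id == 8:
            if ev.pid in suspects and ev.target_image.lower().endswith("\\explorer.exe"):
                alerts.append(("explorer_injection", ev.pid,
                               f"{ev.image} -> {ev.target_image}"))
    return alerts


DROPPER = r"C:\Users\victim\Downloads\dropper64.exe"   # assumed download location
DROPPED = r"C:\ProgramData\ebecabcdbbbdc.exe"          # path from the behaviour graph
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"

# Constructed trace: the chain from the behaviour graph plus two benign events.
SAMPLE_EVENTS: List[Event] = [
    Event(1, 100, DROPPER, 40, r"C:\Windows\explorer.exe", f'"{DROPPER}"'),
    Event(11, 100, DROPPER, target_filename=DROPPED),
    Event(1, 101, SCHTASKS, 100, DROPPER,
          f'schtasks.exe /create /sc minute /mo 1 /tn "Updater" /tr "{DROPPED}"'),
    Event(8, 100, DROPPER, target_image=r"C:\Windows\explorer.exe"),
    Event(1, 102, DROPPED, 12, SVCHOST, f'"{DROPPED}"'),
    Event(1, 103, SCHTASKS, 102, DROPPED,
          f'schtasks.exe /create /sc minute /mo 1 /tn "Updater" /tr "{DROPPED}" /f'),
    # benign: the OS scheduling its own task, and schtasks' console host
    Event(1, 200, SCHTASKS, 12, SVCHOST,
          r'schtasks.exe /create /tn "\Microsoft\Windows\UpdateOrchestrator\Reboot" /sc once /st 03:00'),
    Event(1, 201, r"C:\Windows\System32\conhost.exe", 101, SCHTASKS, "conhost.exe 0xffffffff"),
]


def alert_rules(events: List[Event]) -> List[str]:
    return [rule for rule, _, _ in detect(events)]


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:24} pid={pid:<5} {detail}")
```

The correlation is keyed on process IDs within one trace, so it is meant for a sandbox run or a short host-side window; over a long window PID reuse will eventually tie an unrelated process to a drop, and a production rule would key on Sysmon's ProcessGuid instead.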
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Threat name:
Win64.Trojan.PowerLoader
Status:
Malicious
First seen:
2025-08-21 02:29:45 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Result
Malware family:
redline
Score:
  10/10
Tags:
family:redline botnet:jajaja discovery execution infostealer persistence pyinstaller spyware
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Detects Pyinstaller
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
RedLine
RedLine payload
Redline family
Malware Config
C2 Extraction:
176.46.152.46:1911
Unpacked files
SHA256 hash:
ec71e978e1b6a9f3b598bc5329fa4f29ef602bd9a4993844d18c93e2d46eccc9
MD5 hash:
712b6d55d454847ef30e1e1e0e4009b6
SHA1 hash:
ba5a91f481ec940f3e4c3c9d3b33344eb4ece4f1
Detections:
win_sdbbot_auto
SHA256 hash:
c3e701d9e09d4819a69514742c7eaf40843b9a32ab71fee990ef0b07678b23c6
MD5 hash:
6f56c0b8170326ae9a67ede7b1d0287f
SHA1 hash:
43eaebf64f8118ec76f33bc33035af45dfe6bcf8
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:CP_AllMal_Detector
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper drops malware through a base64-encoded PowerShell script.
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:win_sdbbot_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.sdbbot.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File
Web download | RemcosRAT | Executable exe ec71e978e1b6a9f3b598bc5329fa4f29ef602bd9a4993844d18c93e2d46eccc9 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Reviews

ID | Capabilities | Evidence
AUTH_API | Manipulates User Authorization
    ADVAPI32.dll::AllocateAndInitializeSid
    ADVAPI32.dll::ConvertSidToStringSidA
    ADVAPI32.dll::FreeSid
    ADVAPI32.dll::GetSidSubAuthorityCount
    ADVAPI32.dll::GetSidSubAuthority
SECURITY_BASE_API | Uses Security Base API
    ADVAPI32.dll::AdjustTokenPrivileges
    ADVAPI32.dll::CheckTokenMembership
    ADVAPI32.dll::GetTokenInformation
SHELL_API | Manipulates System Shell
    SHELL32.dll::ShellExecuteExA
    SHELL32.dll::ShellExecuteA
URL_MONIKERS_API | Can Download & Execute components
    urlmon.dll::URLDownloadToFileA
WIN32_PROCESS_API | Can Create Process and Threads
    KERNEL32.dll::CreateProcessA
    KERNEL32.dll::OpenProcess
    ADVAPI32.dll::OpenProcessToken
    KERNEL32.dll::VirtualAllocEx
    KERNEL32.dll::WriteProcessMemory
    KERNEL32.dll::CloseHandle
    WININET.dll::InternetCloseHandle
WIN_BASE_API | Uses Win Base API
    ntdll.dll::NtQueryInformationThread
    KERNEL32.dll::LoadLibraryA
    KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_API | Can Execute other programs
    KERNEL32.dll::WinExec
WIN_BASE_IO_API | Can Create Files
    KERNEL32.dll::CreateFileA
    KERNEL32.dll::DeleteFileA
    KERNEL32.dll::MoveFileExA
    KERNEL32.dll::GetTempFileNameA
    KERNEL32.dll::GetTempPathA
WIN_BASE_USER_API | Retrieves Account Information
    KERNEL32.dll::GetComputerNameA
    ADVAPI32.dll::LookupAccountNameA
    ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_API | Can Manipulate Windows Registry
    ADVAPI32.dll::RegCreateKeyExA
    ADVAPI32.dll::RegOpenKeyExW
    ADVAPI32.dll::RegOpenKeyExA
    ADVAPI32.dll::RegQueryValueExA
    ADVAPI32.dll::RegSetValueExA
    ADVAPI32.dll::RegSetValueExW
