MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 edc3f3398feb2bd97457a5da5b03c5438fd385baaae78c8c5f62bfde8bd1e768. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: edc3f3398feb2bd97457a5da5b03c5438fd385baaae78c8c5f62bfde8bd1e768
SHA3-384 hash: 07567e5aa6878aa1bb8edf2ef4e9b18ca83a3ea743a0c6d66accffafa2bb4ffc0e85ecd91c2e12762e18eb1223d86ce4
SHA1 hash: 8567b39a0fc68c41f468c04f282e2ad82bded5f5
MD5 hash: f0a3602e3f587b3955ca5f34c589b288
humanhash: king-mango-cup-michigan
File name:edc3f3398feb2bd97457a5da5b03c5438fd385baaae78c8c5f62bfde8bd1e768
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:356'856 bytes
First seen:2025-12-08 15:26:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9dda1a1d1f8a1d13ae0297b47046b26e (65 x Formbook, 45 x GuLoader, 28 x RemcosRAT)
ssdeep 6144:snPdudwD6P/uU4fGi1A2VS2NGxbkS12m3oQO0az3VvAXs7tyVnbRk:snPdGPaAEgIg2mZO0a9cKtV
TLSH T1E3742234F094C497CFD22B319CF2536F1BE959760591AB9B23108E7E7CB0690EC6AB91
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon c4dadadad2f492c2 (110 x GuLoader, 49 x RemcosRAT, 23 x VIPKeylogger)
Reporter adrian__luca
Tags:exe RemcosRAT signed

Code Signing Certificate

Organisation:Lotuko
Issuer:Lotuko
Algorithm:sha256WithRSAEncryption
Valid from:2025-10-15T08:07:12Z
Valid to:2026-10-15T08:07:12Z
Serial number: 10904085f57755d9d7f02fc28cbdcd8252cbfc71
Thumbprint Algorithm:SHA256
Thumbprint: 089394d1c978f1f40d738895e3258e1294b990da3cf695c52640ed86f63f2d0d
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
GuLoader NSIS
Details
GuLoader
a c2 URL, a useragent string, and a string XOR key
GuLoader
an XOR decryption key and an extracted component
NSIS
extracted archive contents
Link:
https://research.acce.ciphertechsolutions.com/results/1f0d9a39-7409-4cd5-bb04-c12e08a57226/
Malware family:
guloader
Create hunting rule
ID:
1
File name:
edc3f3398feb2bd97457a5da5b03c5438fd385baaae78c8c5f62bfde8bd1e768
Verdict:
Malicious activity
Analysis date:
2025-12-08 22:54:19 UTC
Tags:
guloader remcos rat auto-reg remote stealer mpress
Link:
https://app.any.run/tasks/4a93ac07-97d7-46f1-84f5-152141dcf83f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/43492/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6936ee95db58e1a2c22b9290
Tags:
uloader virus nsis blic
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Searching for the window
Creating a file
Delayed reading of the file
DNS request
Connection attempt
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-debug blackhole installer installer installer-heuristic microsoft_visual_cc nsis overlay signed
Link:
https://www.filescan.io/uploads/6936ee20d12d1c79d42ad191/reports/1c6c9c1c-efd9-4c7a-84e2-35c05eaa6f6a/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/edc3f3398feb2bd97457a5da5b03c5438fd385baaae78c8c5f62bfde8bd1e768
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-21T01:15:00Z UTC
Last seen:
2025-12-10T06:32:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/edc3f3398feb2bd97457a5da5b03c5438fd385baaae78c8c5f62bfde8bd1e768/results?tab=lookup
Gathering data
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/edc3f3398feb2bd97457a5da5b03c5438fd385baaae78c8c5f62bfde8bd1e768
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/f0a3602e3f587b3955ca5f34c589b288
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/edc3f3398feb2bd97457a5da5b03c5438fd385baaae78c8c5f62bfde8bd1e768/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2025-11-21 04:43:30 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
20 of 36 (55.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5xb7gomp5mv5s5cxuxnfwa6fioh5hbn2vltyzdc7mk755c6r45ua._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
error
RemcosRAT
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos botnet:remotehost collection discovery downloader persistence rat
Link:
https://tria.ge/reports/251208-svd33sdr31/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detected Nirsoft tools
NirSoft MailPassView
Guloader family
Guloader,Cloudeye
Remcos
Remcos family
Malware Config
C2 Extraction:
91.231.222.23:2404
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b937a2f2-fb0f-43a1-b5ac-1f97b532a1ae
Unpacked files
SH256 hash:
edc3f3398feb2bd97457a5da5b03c5438fd385baaae78c8c5f62bfde8bd1e768
MD5 hash:
f0a3602e3f587b3955ca5f34c589b288
SHA1 hash:
8567b39a0fc68c41f468c04f282e2ad82bded5f5
Link:
https://www.unpac.me/results/dfa07c69-365f-4d00-8122-7f04d78baeeb/
SH256 hash:
4b7d17da290f41ebe244827cc295ce7e580da2f7e9f7cc3efc1abc6898e3c9ed
MD5 hash:
1d8f01a83ddd259bc339902c1d33c8f1
SHA1 hash:
9f7806af462c94c39e2ec6cc9c7ad05c44eba04e
Link:
https://www.unpac.me/results/dfa07c69-365f-4d00-8122-7f04d78baeeb/
SH256 hash:
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
MD5 hash:
4add245d4ba34b04f213409bfe504c07
SHA1 hash:
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
Link:
https://www.unpac.me/results/dfa07c69-365f-4d00-8122-7f04d78baeeb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/edc3f3398feb2bd97457a5da5b03c5438fd385baaae78c8c5f62bfde8bd1e768

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/43492/

Comments