MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 edfd832718f5863a3a83935b653284961ea8c67f4edf9ddfdef6932c11b4fa96. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	edfd832718f5863a3a83935b653284961ea8c67f4edf9ddfdef6932c11b4fa96
SHA3-384 hash:	16e8ea4cc4335b3f8d492c30b47f469655030534e0ef9841e6616542a4be1fe4b8dc844a7e67df1a1b7459e8e1827d84
SHA1 hash:	c7198671f7c43a107db35cc03c0b7b75831a728c
MD5 hash:	988d36aba520ee422a9ecf6b13793dc2
humanhash:	uncle-don-tennis-hot
File name:	MPDW-constraintsABV.bat
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	543 bytes
First seen:	2025-06-25 14:19:52 UTC
Last seen:	Never
File type:	bat
MIME type:	text/x-msdos-batch
ssdeep	12:wb4u48zo4JWNDuav3yztVyQJ6by/+MHIwbyu7IWvQ980q2J9aCjqm4:wK8zo4JWt1MNqa+MowbvMRNr+m4
Threatray	1'277 similar samples on MalwareBazaar
TLSH	T18FF0248F29B776C907A000F2C556A891BE5FD0C2B361E50636E68797C73801ED2A74CC
Magika	batch
Reporter	smica83
Tags:	192-30-240-103--55919 bat RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

MPDW-constraintsABV.bat

Verdict:

Malicious activity

Analysis date:

2025-06-25 14:23:08 UTC

Tags:

loader reverseloader rat remcos remote susp-powershell payload

Link:

https://app.any.run/tasks/ee1ea9b3-64b2-4608-80ee-f881ac8690e4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/11109/

Detection(s):

SecuriteInfo.com.PUA.Powershell.Downloader-3.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=685c05c032ed47a3a8d70ab5

Tags:

obfuscate xtreme shell

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Creating a file

Creating a process from a recently created file

Searching for the window

Creating a window

Launching a process

Creating a process with a hidden window

Running batch commands

Downloading the file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated powershell

Link:

https://www.filescan.io/uploads/685c05bbf8f8abe4f8b8e845/reports/9542d522-20b5-480e-a0d9-c8fef1fbdefa/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/edfd832718f5863a3a83935b653284961ea8c67f4edf9ddfdef6932c11b4fa96

Score:

15%

Verdict:

Benign

File Type:

SCRIPT

Link:

https://malprob.io/report/edfd832718f5863a3a83935b653284961ea8c67f4edf9ddfdef6932c11b4fa96

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/edfd832718f5863a3a83935b653284961ea8c67f4edf9ddfdef6932c11b4fa96/

Verdict:

Malicious

Link:

https://tip.neiki.dev/file/edfd832718f5863a3a83935b653284961ea8c67f4edf9ddfdef6932c11b4fa96

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5x6ygjyy6wdduoudsnnwkmuesypkrrt7j3pz3x6662jsyenu7kla._file

Verdict:

malicious

Label(s):

remcos

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost collection discovery execution persistence rat

Link:

https://tria.ge/reports/250625-rnr6pazpw6/

Behaviour

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook accounts

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Detected Nirsoft tools

NirSoft MailPassView

NirSoft WebBrowserPassView

Remcos

Remcos family

Malware Config

C2 Extraction:

192.30.240.103:55919

Dropper Extraction:

http://paste.ee/d/pnppUzsr/0

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/edfd832718f5863a3a83935b653284961ea8c67f4edf9ddfdef6932c11b4fa96

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/11109/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample