MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f350851cc9dfeb4619cc5d14444e3849c0c25db429b31d8c50c56579dffa889a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f350851cc9dfeb4619cc5d14444e3849c0c25db429b31d8c50c56579dffa889a
SHA3-384 hash: d76efef92cac87082f34ed425cfb036c50a948a53ff03d3d536a506f978940ea6e3bf04c00542e7e4b6fb7f0e746e085
SHA1 hash: 3a46d0ee8d5bbebc6e075a055b7e34b7251ac3fe
MD5 hash: 4d2a14572275427b3271a89f3f334f95
humanhash: maine-uniform-timing-sad
File name:doc01149220250116135405.pdf.LNK
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:202'571 bytes
First seen:2025-04-11 06:57:23 UTC
Last seen:2025-07-14 13:45:28 UTC
File type:Shortcut (lnk) lnk
MIME type:application/octet-stream
ssdeep 6144:sb4o6FNy7vdQNhQlAFUUHihqAnG/VNmxl:sb/aNy7FQNhQuVzFmxl
Threatray 137 similar samples on MalwareBazaar
TLSH T1B214E160CE6B3FCDFE550BFD08BF3B064D4C6D323E22C8E5D55B180B46389A655A192A
Magika lnk
Reporter abuse_ch
Tags:192-227-173-59 lnk RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
103
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28759.LnkHeur.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.LNK.PowerShell.Download-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67f8c4e11dba888a93d039d7
Tags:
autorun cobalt delphi lien
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/f350851cc9dfeb4619cc5d14444e3849c0c25db429b31d8c50c56579dffa889a/results/dashboard
Payload URLs
URL
File name
https://huadongrubbercable.com/customer-order/friday/r.txt','C:\\ProgramData\\HEW.GIF');
LNK File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive masquerade powershell
Link:
https://www.filescan.io/uploads/67f8bd7f2d430c849e1348e7/reports/66d22ea6-feda-496c-9077-4639b51612c9/overview
Verdict:
Malicious
Labled as:
PWSH.Downloader.D.Generic
Link:
https://www.hybrid-analysis.com/sample/f350851cc9dfeb4619cc5d14444e3849c0c25db429b31d8c50c56579dffa889a
Result
Threat name:
Remcos, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1662861
Signature
Allocates many large memory junks
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Drops PE files with a suspicious file extension
Encrypted powershell cmdline option found
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sample uses process hollowing technique
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell DownloadFile
Sigma detected: Remcos
Sigma detected: Suspicious Creation with Colorcpl
Sigma detected: Suspicious PowerShell Download and Execute Pattern
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1662861 Sample: doc01149220250116135405.pdf... Startdate: 11/04/2025 Architecture: WINDOWS Score: 100 66 www.ambiopharmconsultingltd.com 2->66 68 huadongrubbercable.com 2->68 70 geoplugin.net 2->70 78 Suricata IDS alerts for network traffic 2->78 80 Found malware configuration 2->80 82 Malicious sample detected (through community Yara rule) 2->82 84 21 other signatures 2->84 9 powershell.exe 14 22 2->9         started        14 rundll32.exe 2->14         started        16 rundll32.exe 3 2->16         started        signatures3 process4 dnsIp5 72 huadongrubbercable.com 198.54.114.164, 443, 49685 NAMECHEAP-NETUS United States 9->72 62 C:\ProgramData\CHROME.PIF, PE32 9->62 dropped 100 Drops PE files with a suspicious file extension 9->100 102 Found suspicious powershell code related to unpacking or dynamic code loading 9->102 104 Powershell drops PE file 9->104 18 CHROME.PIF 8 9->18         started        22 conhost.exe 1 9->22         started        24 Ckshqelu.PIF 14->24         started        26 Ckshqelu.PIF 16->26         started        file6 signatures7 process8 file9 60 C:\Users\user\Links\Ckshqelu.PIF, PE32 18->60 dropped 86 Windows shortcut file (LNK) starts blacklisted processes 18->86 88 Drops PE files with a suspicious file extension 18->88 90 Writes to foreign memory regions 18->90 98 2 other signatures 18->98 28 colorcpl.exe 6 16 18->28         started        33 cmd.exe 1 18->33         started        35 cmd.exe 1 18->35         started        37 cmd.exe 1 18->37         started        92 Allocates memory in foreign processes 24->92 94 Allocates many large memory junks 24->94 96 Creates a thread in another existing process (thread injection) 24->96 39 SndVol.exe 24->39         started        41 colorcpl.exe 26->41         started        signatures10 process11 dnsIp12 74 www.ambiopharmconsultingltd.com 192.227.173.59, 2556, 49694, 49695 AS-COLOCROSSINGUS United States 28->74 76 geoplugin.net 178.237.33.50, 49696, 80 ATOM86-ASATOM86NL Netherlands 28->76 64 C:\ProgramData\file\logs.dat, data 28->64 dropped 114 Contains functionality to bypass UAC (CMSTPLUA) 28->114 116 Detected Remcos RAT 28->116 118 Contains functionalty to change the wallpaper 28->118 122 7 other signatures 28->122 43 recover.exe 14 28->43         started        46 recover.exe 1 28->46         started        48 recover.exe 28->48         started        50 recover.exe 28->50         started        120 Uses schtasks.exe or at.exe to add and modify task schedules 33->120 52 conhost.exe 33->52         started        54 conhost.exe 35->54         started        56 schtasks.exe 1 35->56         started        58 conhost.exe 37->58         started        file13 signatures14 process15 signatures16 106 Tries to steal Mail credentials (via file registry) 43->106 108 Tries to harvest and steal browser information (history, passwords, etc) 43->108 110 Tries to steal Instant Messenger accounts or passwords 46->110 112 Tries to steal Mail credentials (via file / registry access) 46->112
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f350851cc9dfeb4619cc5d14444e3849c0c25db429b31d8c50c56579dffa889a/
Threat name:
Win32.Trojan.WinLnk
Create hunting rule
Status:
Malicious
First seen:
2025-04-11 06:58:10 UTC
File Type:
Binary
Extracted files:
1
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6niikhgj37vumgomlukeitryjhamexnufgzr3dcqyvsxtx72rcna._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
Similar samples:
04a99b035ce8db252d8a4cf8d8f74fb4be7a0f7392776b0c1b27ff2463935647
RemcosRAT
061b716c6ca8262d658b5877cd23d1013e90831193da7e19cd03ca0f22b176bc
RemcosRAT
34c11f6af211f7bc8411e99e4ac10ff5232e9b30d72962852cd2fd20e43c3f01
RemcosRAT
4e83dca9f0fc2e50b3c4b2abd8161e2ee5857286ae7bf9ffa5c789cdf2542052
RemcosRAT
7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
RemcosRAT
a3114edcd192349ce4a5638983bf46a73b279e4bb2962fe263b32e4ea8465b9a
RemcosRAT
b66c4188710385ce8216d9d60df0b0a33b2800379fdf1843f8ddc558eff1b38a
RemcosRAT
ee7490fcb05940962fdcb68469dcbd15e0d4739f0e74e55a161597314552de95
RemcosRAT
error
RemcosRAT
+ 127 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader collection discovery execution trojan
Link:
https://tria.ge/reports/250411-hrhxrassg1/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks computer location settings
Executes dropped EXE
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Malware Config
Dropper Extraction:
https://huadongrubbercable.com/customer-order/friday/r.txt
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f350851cc9dfeb4619cc5d14444e3849c0c25db429b31d8c50c56579dffa889a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Download_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies download artefacts in shortcut (LNK) files.
Rule name:Large_filesize_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies shortcut (LNK) file larger than 100KB. Most goodware LNK files are smaller than 100KB.
Rule name:PS_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_SuspiciousCommands
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects LNK file with suspicious content
Rule name:Warp
Create hunting rule
Author:Seth Hardy
Description:Warp
Rule name:WarpStrings
Create hunting rule
Author:Seth Hardy
Description:Warp Identifying Strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments