MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5a7610bff9baba9698bd70bc333f1741a2af5639037fd671bef5e67b5b74027. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 18

Intelligence 18 IOCs YARA 4 File information Comments

SHA256 hash:	f5a7610bff9baba9698bd70bc333f1741a2af5639037fd671bef5e67b5b74027
SHA3-384 hash:	9c50b81d01467efba7e1de8e6d4c7a88237f76ba8061efe21d713d83ab412a6b7aa5d5e9d697e8728f361f4a638cb214
SHA1 hash:	014dd44210ab1c65c61180a9381de4d26b6c4a48
MD5 hash:	744f7af7f591cdda9b68b9017e616584
humanhash:	hot-football-nine-oscar
File name:	f5a7610bff9baba9698bd70bc333f1741a2af5639037fd671bef5e67b5b74027
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'224'704 bytes
First seen:	2026-02-05 15:22:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'795 x AgentTesla, 19'692 x Formbook, 12'274 x SnakeKeylogger)
ssdeep	24576:dY35OSmzu6F9EsfV9VkfucelFeZ4F6LcZs16QoiLEphcVOoiViyZQ8+FmwL82:d+OXbF9EsfV9guZYm6Rc8IpKYoiViyDB
Threatray	2'038 similar samples on MalwareBazaar
TLSH	T1104512586798CB02D9F60FF00D75E7750BB87EAAF811D1494EEABCDB3824B41A844367
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10522/11/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	adrian__luca
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

RoboSki

Details

Link:

https://research.acce.ciphertechsolutions.com/results/0e0c694d-dd05-4679-a84e-ca4575b47d74/

Malware family:

remcos

ID:

File name:

f5a7610bff9baba9698bd70bc333f1741a2af5639037fd671bef5e67b5b74027

Verdict:

Malicious activity

Analysis date:

2026-02-05 18:09:24 UTC

Tags:

remcos rat auto-startup susp-lnk

Link:

https://app.any.run/tasks/e97823a6-0ed1-4ce4-82e5-8d0e09f480c7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/52009/

Verdict:

Malicious

Score:

90.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6984b5bbae5379bb6609c368

Tags:

dropper shell sage

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/f5a7610bff9baba9698bd70bc333f1741a2af5639037fd671bef5e67b5b74027

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-01-20T04:33:00Z UTC

Last seen:

2026-02-05T12:01:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/f5a7610bff9baba9698bd70bc333f1741a2af5639037fd671bef5e67b5b74027/results?tab=lookup

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f16db79c-4e02-4860-9a8b-7524d4163e1a

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f5a7610bff9baba9698bd70bc333f1741a2af5639037fd671bef5e67b5b74027

Gathering data

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/f5a7610bff9baba9698bd70bc333f1741a2af5639037fd671bef5e67b5b74027/

Threat name:

ByteCode-MSIL.Spyware.AsyncRAT

Status:

Malicious

First seen:

2026-02-05 15:22:50 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 36 (52.78%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6wtwcc77tov2s2ml24f4gm7roqncv5ldsa372zy355pgpnnxiatq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

8090d733578327c6b42ba49b4dba0ac43fb8cbeffb0d565cbd6609b93e13dd5b

RemcosRAT

b5c978f16a11c1bc6589e5b4b78d08fec1cea4cf2df5df9c67b1eda26e485f6d

RemcosRAT

error

RemcosRAT

f5a7610bff9baba9698bd70bc333f1741a2af5639037fd671bef5e67b5b74027

RemcosRAT

f9040a4e04ed7681ad1fbcd20d52f0b4393652ad64ba0006cb1b3968f0d5e851

RemcosRAT

+ 2'028 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos discovery rat

Link:

https://tria.ge/reports/260205-sr21qsh13f/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Time Discovery

Drops file in Program Files directory

Drops file in Windows directory

SmartAssembly .NET packer

Suspicious use of SetThreadContext

Drops startup file

Remcos

Remcos family

Malware Config

C2 Extraction:

37.120.155.34:2469

Unpacked files

SH256 hash:

f5a7610bff9baba9698bd70bc333f1741a2af5639037fd671bef5e67b5b74027

MD5 hash:

744f7af7f591cdda9b68b9017e616584

SHA1 hash:

014dd44210ab1c65c61180a9381de4d26b6c4a48

Link:

https://www.unpac.me/results/12b7fdfd-8dc6-410c-86b2-090f56b1ac5b/

SH256 hash:

b697f5bc215fc82f85842c32f2ff3ea82a983b479fda069ca443a534cc7b7167

MD5 hash:

22163fe98af1d905e5ac534d1144f9e6

SHA1 hash:

5178047d67c2bb384acd8e2f55749c8daefc99e8

Detections:

win_remcos_auto

win_remcos_w0

Remcos

malware_windows_remcos_rat

win_remcos_rat_unpacked

INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Link:

https://www.unpac.me/results/12b7fdfd-8dc6-410c-86b2-090f56b1ac5b/

Parent samples :

935472ec0746ee4c02fbf1e4306d8995955d1d8be8dd6ba19933928d3c4fa5a3
dc06752bce3e55d5122cc6588af713c966feb9133b2f3ae44d7086f7295a76c6
7cc6b476fa83fe157ece10867c61b37587d9d425e26bf26ef16b5f13d38f2c44
4e34822a9cccaf17a60bee19d98b6663bb1d81134a490d5812f4b399b40694bd
99562c4b1720a4d4289d7563e2b40e3910f8295587ab07d0b95cc81a91fe309b
e401c37dcfe4433d2b0fdbe449f905554b5449d397eb18e2c78cca0b10dc113b
f5a7610bff9baba9698bd70bc333f1741a2af5639037fd671bef5e67b5b74027

SH256 hash:

d4c5416bc2a5af3b1774ff39cb97559b60e9637b65e202e9d35cf1693f3ce471

MD5 hash:

6767996995d8a605a650adfb85503744

SHA1 hash:

b94096e4454ad8f0279c329b5a00a4578363d8d8

Detections:

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/12b7fdfd-8dc6-410c-86b2-090f56b1ac5b/

Parent samples :

c6aa56afa7a6941d9bb8786b07e192ea996d3a133c992285b58349cc5c204561
bf46723d199408eb636dfbb7d50ef97fad7c96be7aedca35fa350c92a7492a4e
44ece3fd771b241e7adb7b8a46317aa0dce39aa4b815912805de4dc6ff631ae4
5f947957f8b2c4cc8609167eaec826c9855e15c55dac3926c33b2a0c003cf773
a803802107f3ee132802204825112c350470951b753d8b48fc17883ddf25e4a5
a3c7847164f2c9a18c8c6bed01241b84fffbd6d866195e92f556ba0a596d0428
5c0bdefeb2e965c9cb1aa42e28b84b31e11693b4438c47e97be98fb1b496d940
6a6af729bcfe6c368c81300a7b3f078b6077b365d7dad49b9c0bc4d1ee3f71b2
fada71925be3d53eee961507cb43bc2ee409d406770c7ddb7f2f06afae85a456
53b4317fd9a0cf301121a76a516891ce941588e2b372a82324e36eea5ee3f91e
2b42f648d1f3c2eea55de8351293b7e66b5c2d0ecbedd7d0ed86602aa55b9dd0
f5a7610bff9baba9698bd70bc333f1741a2af5639037fd671bef5e67b5b74027
13b8455a49d494f7779ed76e3e4b00709f8280aba86707b43c574e48b3ee077b
553d904e1d73497fc05af9b9fa570cd6ea72043a445b2c358ce27bc84d28d226
c6ac154cdae1af6162838edac8932c897bff937af6fbdfd58f2ef72ae52f56b5
2cb898129b7c5b150e304f06c25310018e4f7f48a0afe42d08530e37ad64534c
ae7ed5d4188ca36ea5710c5a47082c450d9d174b6d5cda500976f4058be4e9f8
2a86c8ae8cabbeb5909a0240fef9bd50fbf422f9d3d6a54c4a4e5c255dae3ddf
0e1ea2bee6ebd3ca2bbcaa814faaddf1d6dc53bf81e2695a609a8f45ceffda9d
579ab0f67ffe302e779f7f73696fabbc2c5678a912960952d179ca94d883c533
c287d9bdbeb5f8ef2e712e5dbf5df9753aeea692c8924a413b56708a2c55f693
87bfc21e2066c7ad2849cb46789fa7559f874ef64a628599012ff1b20bafe4dc
70922729b97c0c5d372b02a37927dfaeaae90678a583fd95c3c8b483e1a57e31
081a30496d35fc471cd6e333bbf116f016fd3b9984a17f6d479dceb7c8ce0ca3

SH256 hash:

aa08e5a6c9be5f2d0486bcfa9c8077f73b3d30aa10e462a7716920d3a4a103c0

MD5 hash:

47ac4408b4aada73df87094ca9ae3d0b

SHA1 hash:

cf02aa7b20f022de6ec5cfdfd354eb3952b0a285

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

Link:

https://www.unpac.me/results/12b7fdfd-8dc6-410c-86b2-090f56b1ac5b/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f5a7610bff9b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f5a7610bff9baba9698bd70bc333f1741a2af5639037fd671bef5e67b5b74027

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/52009/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample