MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f73987513db8c06902182a46cd5d43b8d1fbcc8cb167b0b3c7ad45b6f482b64c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 21


Intelligence 21 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f73987513db8c06902182a46cd5d43b8d1fbcc8cb167b0b3c7ad45b6f482b64c
SHA3-384 hash: ba4023d248b1483b253643fe21e9d1037e82dd3b67a8ed6570a2bd628dd7f8b387b4e8a72e18e20bc8dd63f0f67e5442
SHA1 hash: ec495763f11cb342b382456ddeb3ad50e438bf4e
MD5 hash: 3fbce05e044eba074b638e4731ff1c3e
humanhash: don-butter-salami-beryllium
File name:Transferencia n.° 20251127.pdf(65 KB).com
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'226'240 bytes
First seen:2025-11-27 11:57:21 UTC
Last seen:2025-12-08 16:01:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:GQh2brCnRveYepqMKDmfC4KOSSn2k6NR6uI:pIqRveYkqM3fC41p2fI
Threatray 3'987 similar samples on MalwareBazaar
TLSH T16245E01A36D68194E1BB9734AFBA4A1447F0BA17CA32C72FA14605FDCF5638951233B3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
137
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Transferencia n.° 20251127.pdf(65 KB).com
Verdict:
Malicious activity
Analysis date:
2025-11-27 12:00:05 UTC
Tags:
netreactor auto-reg rat remcos remote
Link:
https://app.any.run/tasks/597af88f-d88e-4300-8757-e40e9a3829fd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/41632/
Detection(s):
Win.Packed.Basic-10058585-0
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69283cd66cb1dcd577818846
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process from a recently created file
Creating a file
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Creating a process with a hidden window
Running batch commands
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug base64 hacktool masquerade obfuscated obfuscated vbnet
Link:
https://www.filescan.io/uploads/69283cd42cd29ea6300247f5/reports/17cd049a-5887-4c17-91cd-3b61eb06d5b1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f73987513db8c06902182a46cd5d43b8d1fbcc8cb167b0b3c7ad45b6f482b64c
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-27T06:25:00Z UTC
Last seen:
2025-11-29T09:07:00Z UTC
Hits:
~1000
Detections:
PDM:Trojan.Win32.Generic Exploit.Win32.BypassUAC.sb Backdoor.Win32.Remcos.sb Backdoor.Win32.Remcos.f HEUR:Trojan.MSIL.InjectorNetT.gen VHO:Backdoor.Win32.Androm.gen Trojan.MSIL.Inject.c Trojan.MSIL.Inject.b
Link:
https://opentip.kaspersky.com/f73987513db8c06902182a46cd5d43b8d1fbcc8cb167b0b3c7ad45b6f482b64c/results?tab=lookup
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/99bb6350-8f0f-4199-8803-bbf6f9d21bab
Result
Threat name:
DarkTortilla, Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1821710
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Unusual module load detection (module proxying)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1821710 Sample: Transferencia n.#U00b0 2025... Startdate: 27/11/2025 Architecture: WINDOWS Score: 100 54 cbzr-98pq1.ydns.eu 2->54 58 Suricata IDS alerts for network traffic 2->58 60 Found malware configuration 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 20 other signatures 2->64 11 Transferencia n.#U00b0 20251127.pdf(65 KB).com.exe 3 2->11         started        15 MS Host.exe 2 2->15         started        17 MS Host.exe 2 2->17         started        signatures3 process4 file5 52 Transferencia n.#U...(65 KB).com.exe.log, ASCII 11->52 dropped 72 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->72 74 Injects a PE file into a foreign processes 11->74 19 Transferencia n.#U00b0 20251127.pdf(65 KB).com.exe 4 5 11->19         started        22 MS Host.exe 15->22         started        24 MS Host.exe 15->24         started        26 MS Host.exe 17->26         started        28 MS Host.exe 17->28         started        signatures6 process7 file8 46 C:\Users\user\AppData\Roaming\...\MS Host.exe, PE32 19->46 dropped 48 C:\Users\user\...\MS Host.exe:Zone.Identifier, ASCII 19->48 dropped 50 C:\Users\user\AppData\Local\...\install.vbs, data 19->50 dropped 30 wscript.exe 1 19->30         started        process9 signatures10 76 Windows Scripting host queries suspicious COM object (likely to drop second stage) 30->76 33 cmd.exe 1 30->33         started        process11 process12 35 MS Host.exe 3 33->35         started        38 conhost.exe 33->38         started        signatures13 66 Hides that the sample has been downloaded from the Internet (zone.identifier) 35->66 68 Injects a PE file into a foreign processes 35->68 40 MS Host.exe 35->40         started        44 MS Host.exe 35->44         started        process14 dnsIp15 56 cbzr-98pq1.ydns.eu 178.16.52.243, 2404, 49721 DUSNET-ASDE Germany 40->56 70 Installs a global keyboard hook 40->70 signatures16
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f73987513db8c06902182a46cd5d43b8d1fbcc8cb167b0b3c7ad45b6f482b64c
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.84 Win 32 Exe x86
Link:
https://app.malva.re/file/3fbce05e044eba074b638e4731ff1c3e
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f73987513db8c06902182a46cd5d43b8d1fbcc8cb167b0b3c7ad45b6f482b64c/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/f73987513db8c06902182a46cd5d43b8d1fbcc8cb167b0b3c7ad45b6f482b64c
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-11-27 11:58:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
46
AV detection:
10 of 36 (27.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=644youj5xdagsaqyfjdm2xkdxdi7xtemwft3bm6hvvc3n5ecwzga._file
Verdict:
malicious
Label(s):
purecrypter
Create hunting rule
remcos
Create hunting rule
Similar samples:
32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153
RemcosRAT
5324e064b98586e1f727eac2ab089af2c466e9b702af73d7fff281e17f725ee8
RemcosRAT
71deef76733c0d00e1d155a32d3a9306755745406beb9d1dcd46508bc7ed9841
RemcosRAT
7495bdb0be9555982d0aadde5a02917d5cf41af4ad74a73c617b3d632d0e6d6d
RemcosRAT
79da3ea43027ba149ea557a9999d25b1df682d06606e68d39e62a86b01d41f4b
RemcosRAT
aa4ad373d2e9b58a03f4e5526bfec18522c49f75f0980d0fce33469d88506b3c
RemcosRAT
e7f968d64655db242cdc6330cf399c3b5e635b63b2ba734d5e2c2eee5986e9be
RemcosRAT
error
RemcosRAT
fc5a104616191074e73ca74e64056c26e129b75395e57257eebf629772200d21
RemcosRAT
+ 3'977 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:new discovery persistence rat
Link:
https://tria.ge/reports/251127-n488csgj5v/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
.NET Reactor proctector
Checks computer location settings
Executes dropped EXE
Remcos
Remcos family
Malware Config
C2 Extraction:
cbzr-98pq1.ydns.eu:2404
wqo9.firewall-gateway.de:4045
code1.ydns.eu:9302
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/29e0fe28-d998-43f6-a84c-ce72cd027347
Unpacked files
SH256 hash:
f73987513db8c06902182a46cd5d43b8d1fbcc8cb167b0b3c7ad45b6f482b64c
MD5 hash:
3fbce05e044eba074b638e4731ff1c3e
SHA1 hash:
ec495763f11cb342b382456ddeb3ad50e438bf4e
Link:
https://www.unpac.me/results/89307d48-9c0b-41b5-8b7e-94525c520429/
SH256 hash:
7d1cc6c6774669872f14a75de73e3e785ef6d063a0c4c817d147e2078d77a61a
MD5 hash:
8445f7f856e34e9303600d717579a6c6
SHA1 hash:
28a54b1d1f14812e3c5fe68cf779c9117c098091
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/89307d48-9c0b-41b5-8b7e-94525c520429/
Parent samples :
3cf22298d51538e4c37de996647c085369b9760381ee876225897ea56ca049b9
326b0eb2cdd03a3ab23d83774222769245b2bbe689ba22856273f4fa119b3054
c87c4280f8b9c6bf09c0ac878f0f5d0b1ffaf1cf0627acecd0585e79f5d4b2eb
e344fe526e15e7a798d965e12fa66bbae99c620e2bac85cea2cf39da91e1c2a9
cdefe4487062cf4feeee912c4842224c9f9ee066574205d31efa87aee71f2073
f73987513db8c06902182a46cd5d43b8d1fbcc8cb167b0b3c7ad45b6f482b64c
b02b279161596d4cfb6a031d2354460ab7d4918b0963f24a24560c2014ca9251
f8aa02fae887ea80156c2e8be3940405bfc612434d7efae60320a802a9d15a93
9cc00b1af48acb7af7f3c53d0a1adbe928d4bda26273dd955120ca138bdf2eca
73b63721491b5e5a01059fa28d122d5002710964e3e1ed13450d39e716abf968
d1dac84e05c1f6d563953e4966b4a15dda5ad228298cb9ffaa904108a1e03409
6e2f8c1a53a04332f9e7df00b6b0fc583e7c1dd20d570f503b57294c5e6b977f
a6cb841d8ae8fdf6631fa2e8235f07b946cc38fd08a67e542cdc697506faf462
7f686552b74e86a919d7c4ef8eee991bdc70a3558d886a70ed8a879ecb9781af
2f4de4bd0ba8bff96a2b2f8fe3703d0bea4dac48f6442cbd75677b3da8a4bb4f
db64be725daa15a212f1915938a94b30193123965c66ab4fbf1cbd41643a4e2f
641380dbf40445ebdda6a4fbf21ad32c7e9903fc5ec1c92081e77fc1716e58f0
51e8bfd578ae4e51206ad57e2bf501067e84ee7d0307ada70a1f3a35d907a1bd
6b43ebd7427305bd0d27f813d8a8e7d3c2fbd81a1d150d9d71be3b36461ed9c5
cd100ddc8f101788f2f74afcf44e9cbfcd41139431901c8783505f551986b2a7
1428f464af6827605e046bb527b1f0bef17827bfc495bc61bb663789ea93cd95
7abc66114083c1af5345a564369c5a9a57ede5dc4f8018c679d6fa2073781c19
594c365596c21b70b4e929a54e88f0abdc2f8641956817881418a57508484912
343a0ffbd5b9eb887a4fb642b6a508e49d75338c94c18404c0c4818b21ab1951
2ce473b1702af7cd8c8a391fcaf6e4d6b8687100ee6518e52a02adfc86735dee
e05eeb1ac0c6722a64e69f2fad8dba483cfdfe97a60f2bd123c4fb33715c419f
2f6fa9fa9d46eda7bb675550fff9ce2b075ac46bdbf95a2e3e46aa72b06aa84c
9729a8886a3c9c58f6aff691fa8a812531d7504b1060fe9092206cb39f6ab860
7ab3bc53197f4ab531bf0f24e2ad22f1f199a6f3225099506a49d57f03868dbe
ec831b1de5e2d9c38a3ebd096ef9af1425abc2a866cb042a31600d98c64b5740
SH256 hash:
222b04688d1e2030192b188f099ecfd52bd7af6b986ac93e141a80f2766da879
MD5 hash:
c71e17acab65a4dd054c78c0481c7674
SHA1 hash:
63b0d563f15ab5b92c337ef37d741004623d0f62
Link:
https://www.unpac.me/results/89307d48-9c0b-41b5-8b7e-94525c520429/
SH256 hash:
2673d470353413edfb567ff7479395dc52824db6469520ebe8d91dbca2bccac2
MD5 hash:
e5be1fdba36d5032726313afe4c7dd63
SHA1 hash:
c65ebe77906cec3bcb5e805a327f1aa823be57ca
Link:
https://www.unpac.me/results/89307d48-9c0b-41b5-8b7e-94525c520429/
SH256 hash:
19d457ea6b26ff39e03a7652aaef9e0e963064bad85bbfb0c230a1b127b02e6b
MD5 hash:
3c9eabe479d9776468418b2749cc7328
SHA1 hash:
d04f3e4b97ddc393d052b65ac43171d03b1f03b3
Detections:
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
Remcos
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Link:
https://www.unpac.me/results/89307d48-9c0b-41b5-8b7e-94525c520429/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f73987513db8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f73987513db8c06902182a46cd5d43b8d1fbcc8cb167b0b3c7ad45b6f482b64c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe f73987513db8c06902182a46cd5d43b8d1fbcc8cb167b0b3c7ad45b6f482b64c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/41632/

Comments