MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fdc90f30bc517219e0f8bb99042e3f2c38fcb2bf61cc7ddf333e05bdb8473cf7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 18

Intelligence 18 IOCs YARA 6 File information Comments

SHA256 hash:	fdc90f30bc517219e0f8bb99042e3f2c38fcb2bf61cc7ddf333e05bdb8473cf7
SHA3-384 hash:	f8c376bebf5f755392e36dc709b906ff0c81c829eac4302fa654ab1badca7b6479ac7dbfd2b9603ecf8b2c25f89b200e
SHA1 hash:	0bae2e9373bf5a27e032afbf480d23a4d706ff9d
MD5 hash:	5e420372c7474339b6650cf35db2b34c
humanhash:	mississippi-alaska-single-maine
File name:	fdc90f30bc517219e0f8bb99042e3f2c38fcb2bf61cc7ddf333e05bdb8473cf7
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'392'640 bytes
First seen:	2025-10-09 14:16:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1895460fffad9475fda0c84755ecfee1 (338 x Formbook, 86 x AgentTesla, 56 x a310Logger)
ssdeep	24576:K5EmXFtKaL4/oFe5T9yyXYfP1ijXdafYNrwRO5Mz6nNynFgfnkdGe:KPVt/LZeJbInQRafYNkRO5a6n8n
Threatray	1'542 similar samples on MalwareBazaar
TLSH	T1F855CF0273D18062FF9B92734F9AF6115BBC7A260123A61F13981D79BE701B1563E7A3
TrID	40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	adrian__luca
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

fdc90f30bc517219e0f8bb99042e3f2c38fcb2bf61cc7ddf333e05bdb8473cf7.exe

Verdict:

Malicious activity

Analysis date:

2025-10-08 14:18:26 UTC

Tags:

auto-startup

Link:

https://app.any.run/tasks/f2db6f10-0c78-4cd7-8878-ce045d3363f7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/31424/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68e672b1277c2bd8bc5de6f1

Tags:

nymeria autorun autoit emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a file

Creating a process from a recently created file

Launching a process

Launching the default Windows debugger (dwwin.exe)

Enabling autorun by creating a file

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context autoit compiled-script evasive findstr fingerprint fingerprint keylogger lolbin microsoft_visual_cc netsh obfuscated packed packed packer_detected rasautou threat

Link:

https://www.filescan.io/uploads/68e7cacf5a3bccf09ebf5126/reports/bfbc94ff-d8ea-4464-8199-28bca1a78a71/overview

Verdict:

Malicious

Labled as:

AIT:Trojan.Nymeria

Link:

https://www.hybrid-analysis.com/sample/fdc90f30bc517219e0f8bb99042e3f2c38fcb2bf61cc7ddf333e05bdb8473cf7

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-18T22:36:00Z UTC

Last seen:

2025-10-09T02:49:00Z UTC

Hits:

~10

Detections:

PDM:Trojan.Win32.Generic Trojan.Win32.Strab.sb Trojan.Win32.Inject.sb HEUR:Trojan.Script.AUO.gen

Link:

https://opentip.kaspersky.com/fdc90f30bc517219e0f8bb99042e3f2c38fcb2bf61cc7ddf333e05bdb8473cf7/results?tab=lookup

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ca8ef0c8-e33a-48c4-9805-e7cda40e0a89

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/fdc90f30bc517219e0f8bb99042e3f2c38fcb2bf61cc7ddf333e05bdb8473cf7

Verdict:

Malware

YARA:

7 match(es)

Tags:

AutoIt Decompiled Executable PDB Path PE (Portable Executable) PE File Layout Suspect Win 32 Exe x86

Link:

https://app.malva.re/file/5e420372c7474339b6650cf35db2b34c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fdc90f30bc517219e0f8bb99042e3f2c38fcb2bf61cc7ddf333e05bdb8473cf7/

Verdict:

Malicious

Threat:

Family.REMCOS

Link:

https://tip.neiki.dev/file/fdc90f30bc517219e0f8bb99042e3f2c38fcb2bf61cc7ddf333e05bdb8473cf7

Threat name:

Win32.Trojan.AutoitInject

Status:

Malicious

First seen:

2025-09-21 14:18:52 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

29 of 36 (80.56%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7xeq6mf4kfzbtyhyxomqilr7fq4pzmv7mhgh3xzthyc33ochht3q._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

880334a4f36170bd8c34b574a919596fd3ba56f2a810310feba377f90dfe49af

RemcosRAT

8c548a602595e9ef03eeab8257d07581a7a6824e40a121f22d6a1d780621936b

RemcosRAT

b5d0552aa20ae4bec3f41829abfb9e3b797512bcc9cdb9e6454b63f6a6727cea

RemcosRAT

ba21812f72c2dcca4105bdf0900da27928ba557e93b29d3f4a4ebe17c4a3937e

RemcosRAT

ead9f443d43e6c9548964721edbf937b1cdf9b5d6126682714de2aba4a086078

RemcosRAT

error

RemcosRAT

+ 1'532 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos discovery rat

Link:

https://tria.ge/reports/251009-r477vaznt6/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

AutoIT Executable

Suspicious use of SetThreadContext

Drops startup file

Executes dropped EXE

Remcos

Remcos family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/2525660b-45ae-4d51-8d7e-3e9fdbef6329

Unpacked files

SH256 hash:

fdc90f30bc517219e0f8bb99042e3f2c38fcb2bf61cc7ddf333e05bdb8473cf7

MD5 hash:

5e420372c7474339b6650cf35db2b34c

SHA1 hash:

0bae2e9373bf5a27e032afbf480d23a4d706ff9d

Link:

https://www.unpac.me/results/814d95b1-8b73-48dc-89d4-f75515cd788b/

SH256 hash:

e58a9a89e7be5ed83f97c71d212fb1c359c32e9042e3149a1c56775b583676db

MD5 hash:

11691e58dd456ca588d2c05ffeafa683

SHA1 hash:

f04cca689dcb3622aee820c558fcf04ba4face0a

Detections:

win_remcos_w0

win_remcos_auto

Remcos

malware_windows_remcos_rat

win_remcos_rat_unpacked

INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Link:

https://www.unpac.me/results/814d95b1-8b73-48dc-89d4-f75515cd788b/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fdc90f30bc51/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	TH_Generic_MassHunt_Win_Malware_2025_CYFARE Create hunting rule
Author:	CYFARE
Description:	Generic Windows malware mass-hunt rule - 2025
Reference:	https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/31424/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample