MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd20ff871c01baf34e31d6097525890246be32f90a163afe449c70969d9edd0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd20ff871c01baf34e31d6097525890246be32f90a163afe449c70969d9edd0d
SHA3-384 hash: 60fb97fcc6cc8b7d9c3667cf58a5c0097e3602d030df653b4eb7ab4e43ae18e50452c6c4decbe34f20eddf44d1c3ab48
SHA1 hash: a11a9791c159ec7506067ec2f1877deee0d7ddf8
MD5 hash: 6e8404f074ec87c3e9336c53790ceab7
humanhash: washington-lithium-venus-victor
File name:IMG_6355476.B2Z.js
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:5'873 bytes
First seen:2025-08-06 20:42:15 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 96:bQbGJm6w0Mon1Q0+8H+8TDWRxv6T9kbuAdNcl9An:bQbQmRu1Q0+VqWRxv6eqAdNclyn
Threatray 19 similar samples on MalwareBazaar
TLSH T1BCC12851C497EC11C90E57AD3BE9E37645D980668C238330EE0BDB8472EF556136B1EA
Magika javascript
Reporter abuse_ch
Tags:js RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
65
Origin country :
SE SE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6893be881e8a59ee04e6b442
Tags:
obfuscate xtreme spawn
Verdict:
Malicious
Labled as:
Trojan.Script.Heuristic
Link:
https://www.hybrid-analysis.com/sample/fd20ff871c01baf34e31d6097525890246be32f90a163afe449c70969d9edd0d
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1751816
Signature
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates processes via WMI
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Found Tor onion address
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Remcos
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1751816 Sample: IMG_6355476.B2Z.js Startdate: 06/08/2025 Architecture: WINDOWS Score: 100 37 167.160.161.80 ASN-QUADRANET-GLOBALUS United States 2->37 39 star-azurefd-prod.trafficmanager.net 2->39 41 8 other IPs or domains 2->41 55 Suricata IDS alerts for network traffic 2->55 57 Found malware configuration 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 14 other signatures 2->61 10 wscript.exe 1 2->10         started        14 svchost.exe 1 1 2->14         started        signatures3 process4 dnsIp5 43 historylab.infy.uk 185.27.134.59, 49692, 49706, 80 WILDCARD-ASWildcardUKLimitedGB United Kingdom 10->43 77 System process connects to network (likely due to code injection or exploit) 10->77 79 Suspicious powershell command line found 10->79 81 Wscript starts Powershell (via cmd or directly) 10->81 83 4 other signatures 10->83 16 powershell.exe 14 16 10->16         started        45 127.0.0.1 unknown unknown 14->45 signatures6 process7 dnsIp8 33 archive.org 207.241.224.2, 443, 49693 INTERNET-ARCHIVEUS United States 16->33 35 ia803206.us.archive.org 207.241.234.126, 443, 49694 INTERNET-ARCHIVEUS United States 16->35 47 Found Tor onion address 16->47 49 Writes to foreign memory regions 16->49 51 Found suspicious powershell code related to unpacking or dynamic code loading 16->51 53 Injects a PE file into a foreign processes 16->53 20 MSBuild.exe 16->20         started        23 MSBuild.exe 2 16->23         started        25 conhost.exe 16->25         started        27 MSBuild.exe 16->27         started        signatures9 process10 signatures11 63 Contains functionalty to change the wallpaper 20->63 65 Contains functionality to steal Chrome passwords or cookies 20->65 67 Contains functionality to inject code into remote processes 20->67 75 3 other signatures 20->75 69 Detected Remcos RAT 23->69 71 Writes to foreign memory regions 23->71 73 Maps a DLL or memory area into another process 23->73 29 iexplore.exe 1 23->29         started        process12 process13 31 conhost.exe 29->31         started       
Score:
20%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/fd20ff871c01baf34e31d6097525890246be32f90a163afe449c70969d9edd0d
Gathering data
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fd20ff871c01baf34e31d6097525890246be32f90a163afe449c70969d9edd0d/
Threat name:
Script-JS.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2025-08-05 12:58:01 UTC
File Type:
Text (JavaScript)
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7uqp7by4ag5pgtrr2yexkjmjajdl4mxzbildv7setryjnhm63ugq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
00c925206d3ceb1af4aa2dd2cd5d666fc7a203242ea0a9ba4d3d60a4fdaae1ee
RemcosRAT
049812e47d5334275a82320a30608d9a8e3fb192c340980f67e31375c96eae70
RemcosRAT
0c60a7a985dc3e5dae7aedcccdd5370fc106959e12c59a1744744260a9cdb833
RemcosRAT
11ea3046a5ea0ca54c9efee2b7a7f9da06d2a5bed1bb41447673d4ae0374c2d3
RemcosRAT
267d2243fe320cdb65604a5d385dc0b1405596e8874fe4262f687d9f413ebf4c
RemcosRAT
65c11f3f48285943334d96b4a9d8292b517020f40dcc3989648accdb7dfadc60
RemcosRAT
8343e66198955a3fad718a52fc9ce96bba5cb2862ef76fce04591a047943cbcb
RemcosRAT
a8d6f66d16d98baefb54cba98117106ad64788310db9112d1980b4ec302b5310
RemcosRAT
b27ff5ca901be9f35f0a72a72ec97be60097a6b65829403583e98e7ccc4827b1
RemcosRAT
dcc5e50b7931f67538ba5a423ec6366db60c0ef297f7d93fd5bbeeb0542cc87c
RemcosRAT
error
RemcosRAT
+ 9 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution
Link:
https://tria.ge/reports/250806-zha9zss1d1/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Command and Scripting Interpreter: JavaScript
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Process spawned unexpected child process
Malware Config
Dropper Extraction:
https://archive.org/download/msi_20250801/MSI.png
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments