MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c25fdd6e72006a4896e82aef58f05e9177a07d75aeff4eeb85dd7138ffb52f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0c25fdd6e72006a4896e82aef58f05e9177a07d75aeff4eeb85dd7138ffb52f6
SHA3-384 hash: 9b88f44b8ccd659d87413f1cd0ad0b084d3df7192a750b7c488b03f0fbf90df6f9fa9338e2ae3c5ec6b9d5e0fe8bd8e8
SHA1 hash: b9f5aa5cc4bf86809654b970644961a480b487a7
MD5 hash: bc01e251a9e62034fe6704d01ebf4fd5
humanhash: island-high-batman-washington
File name:paste.ee_d_ktyPclYy.js
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'400'060 bytes
First seen:2025-04-02 09:40:47 UTC
Last seen:2025-04-02 10:35:04 UTC
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 3072:mtntntntntntntntntntnytntntntntntntntntntnytntntntntntntntntntng:XT
Threatray 1 similar samples on MalwareBazaar
TLSH T10755A199976B1D56F4C3939A8DBC1C9058DD7ED268E7338CE73A09A82E0953DE793030
Magika javascript
Reporter TomU
Tags:abby-work-gd js RemcosRAT


Avatar
TomU
downloaded from

SHA256 hash: e7e78105c3946eb6ec2297a39ece3865c41f918d75d2a428ef53ef98ba0ad300
MD5 hash: 2d3da9702f38fc55c9abe1cb4e4242fc
File name: PR3001789.js

Intelligence

File Origin
# of uploads :
3
# of downloads :
310
Origin country :
CH CH
Vendor Threat Intelligence
Detection(s):
TwinWave.EvilJS.NothingFromNothing.20250403.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67ed08abcfd0a37f830c3615
Tags:
autorun xtreme shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive obfuscated obfuscated overlay powershell
Link:
https://www.filescan.io/uploads/67ed0647f274bf2d8e2e1337/reports/c4eaa084-ee25-47b5-9cff-39962e3f9193/overview
Verdict:
Suspicious
Labled as:
Trojan.Script.Heuristic
Link:
https://www.hybrid-analysis.com/sample/0c25fdd6e72006a4896e82aef58f05e9177a07d75aeff4eeb85dd7138ffb52f6
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1654536
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Schtasks Creation Or Modification With SYSTEM Privileges
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1654536 Sample: paste.ee_d_ktyPclYy.js Startdate: 02/04/2025 Architecture: WINDOWS Score: 100 48 paste.ee 2->48 50 ip.3006.filemail.com 2->50 52 11 other IPs or domains 2->52 62 Suricata IDS alerts for network traffic 2->62 64 Found malware configuration 2->64 66 Malicious sample detected (through community Yara rule) 2->66 70 17 other signatures 2->70 9 wscript.exe 1 1 2->9         started        12 cmd.exe 1 2->12         started        14 taskkill.exe 1 2->14         started        16 2 other processes 2->16 signatures3 68 Connects to a pastebin service (likely for C&C) 48->68 process4 dnsIp5 76 JScript performs obfuscated calls to suspicious functions 9->76 78 Suspicious powershell command line found 9->78 80 Wscript starts Powershell (via cmd or directly) 9->80 82 2 other signatures 9->82 19 powershell.exe 14 17 9->19         started        24 powershell.exe 7 12->24         started        26 conhost.exe 12->26         started        28 conhost.exe 14->28         started        46 127.0.0.1 unknown unknown 16->46 signatures6 process7 dnsIp8 54 ip.3006.filemail.com 193.30.119.106, 443, 49692 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese unknown 19->54 56 paste.ee 23.186.113.60, 443, 49694 KLAYER-GLOBALNL Reserved 19->56 44 fb0f69e6-a9ed-4f51-8c81-e8407f45f638.inf, Windows 19->44 dropped 72 Writes to foreign memory regions 19->72 74 Injects a PE file into a foreign processes 19->74 30 MSBuild.exe 2 15 19->30         started        34 cmd.exe 1 19->34         started        36 conhost.exe 19->36         started        38 cmstp.exe 8 7 19->38         started        40 schtasks.exe 1 24->40         started        file9 signatures10 process11 dnsIp12 58 abby.work.gd 176.65.134.41, 2413, 49699 DIOGELO-ASGB Germany 30->58 60 geoplugin.net 178.237.33.50, 49700, 80 ATOM86-ASATOM86NL Netherlands 30->60 84 Contains functionalty to change the wallpaper 30->84 86 Contains functionality to steal Chrome passwords or cookies 30->86 88 Contains functionality to register a low level keyboard hook 30->88 96 3 other signatures 30->96 90 Suspicious powershell command line found 34->90 92 Wscript starts Powershell (via cmd or directly) 34->92 42 conhost.exe 34->42         started        94 Uses schtasks.exe or at.exe to add and modify task schedules 36->94 signatures13 process14
Score:
87%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/0c25fdd6e72006a4896e82aef58f05e9177a07d75aeff4eeb85dd7138ffb52f6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0c25fdd6e72006a4896e82aef58f05e9177a07d75aeff4eeb85dd7138ffb52f6/
Threat name:
Script-JS.Trojan.Remcos
Create hunting rule
Status:
Suspicious
First seen:
2025-04-02 06:21:06 UTC
File Type:
Text (JavaScript)
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bqs73vxheadkjcloqkxpldyf5elxub6xllx7j3vylxlrhd73kl3a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
7c0946cd8a228f35db68a9bd702e283a3ab9f41113bede7ed206e9af5f824c9e
RemcosRAT
error
RemcosRAT
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:abb discovery execution rat
Link:
https://tria.ge/reports/250402-lnyetat1gv/
Behaviour
Kills process with taskkill
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Blocklisted process makes network request
Remcos
Remcos family
Malware Config
C2 Extraction:
abby.work.gd:2413
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0c25fdd6e72006a4896e82aef58f05e9177a07d75aeff4eeb85dd7138ffb52f6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Java Script (JS) js 0c25fdd6e72006a4896e82aef58f05e9177a07d75aeff4eeb85dd7138ffb52f6

(this sample)

  
Delivery method
Distributed via e-mail attachment
  
URLhaus
https://urlhaus.abuse.ch/url/3499131/

Comments