MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c60a7a985dc3e5dae7aedcccdd5370fc106959e12c59a1744744260a9cdb833. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0c60a7a985dc3e5dae7aedcccdd5370fc106959e12c59a1744744260a9cdb833
SHA3-384 hash: 08f83a195b9d932c4abacd783a3f3df600f4bf6d77ebac904b531dbf96a71b06bec62224d1bbddaae236f034476b6d1a
SHA1 hash: 177b79e4f3ecb144705e089f8951c63bb9b5831e
MD5 hash: 3320d94624d5ae559f595104a892ce10
humanhash: hamper-stream-music-yellow
File name:IMG_894556778889.js
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:2'669 bytes
First seen:2025-08-06 20:43:15 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 48:hGkIRzt+h8I3k5LohM3mkLkuwfYnuA3XZd7PBlXiKlYkI0WZTpEiGE0nB/fhn:hGz1t+6QyLohM3fgumYn7Jd7PzXiK2kn
Threatray 15 similar samples on MalwareBazaar
TLSH T1DA51CA107922FD09023FB21F52756D309C9E8A004392CD585B1A7FC76E0B9037EF9A2C
Magika javascript
Reporter abuse_ch
Tags:js RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
65
Origin country :
SE SE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6893bea511d7f9b979e639b6
Tags:
obfuscate xtreme shell
Verdict:
Suspicious
Labled as:
Trojan.Script.Heuristic
Link:
https://www.hybrid-analysis.com/sample/0c60a7a985dc3e5dae7aedcccdd5370fc106959e12c59a1744744260a9cdb833
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1751809
Signature
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Creates processes via WMI
Found suspicious powershell code related to unpacking or dynamic code loading
Found Tor onion address
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1751809 Sample: IMG_894556778889.js Startdate: 06/08/2025 Architecture: WINDOWS Score: 100 25 paste.ee 2->25 27 ia903206.us.archive.org 2->27 29 archive.org 2->29 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected Powershell download and execute 2->45 49 9 other signatures 2->49 9 wscript.exe 1 2->9         started        13 wscript.exe 2->13         started        signatures3 47 Connects to a pastebin service (likely for C&C) 25->47 process4 dnsIp5 31 paste.ee 23.186.113.60, 443, 49687, 49688 KLAYER-GLOBALNL Reserved 9->31 51 System process connects to network (likely due to code injection or exploit) 9->51 53 Suspicious powershell command line found 9->53 55 Wscript starts Powershell (via cmd or directly) 9->55 57 4 other signatures 9->57 15 powershell.exe 14 17 9->15         started        signatures6 process7 dnsIp8 33 archive.org 207.241.224.2, 443, 49689 INTERNET-ARCHIVEUS United States 15->33 35 ia903206.us.archive.org 207.241.234.116, 443, 49690 INTERNET-ARCHIVEUS United States 15->35 37 Found Tor onion address 15->37 39 Found suspicious powershell code related to unpacking or dynamic code loading 15->39 19 cmd.exe 1 15->19         started        21 conhost.exe 15->21         started        signatures9 process10 process11 23 conhost.exe 19->23         started       
Score:
90%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/0c60a7a985dc3e5dae7aedcccdd5370fc106959e12c59a1744744260a9cdb833
Gathering data
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0c60a7a985dc3e5dae7aedcccdd5370fc106959e12c59a1744744260a9cdb833/
Threat name:
Script-JS.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2025-08-05 09:48:41 UTC
File Type:
Text (JavaScript)
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=brqkpkmf3q7f3lt25xgm3vjxb7aqnfm6clczuf2eorbgbkonxazq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
049812e47d5334275a82320a30608d9a8e3fb192c340980f67e31375c96eae70
RemcosRAT
11ea3046a5ea0ca54c9efee2b7a7f9da06d2a5bed1bb41447673d4ae0374c2d3
RemcosRAT
267d2243fe320cdb65604a5d385dc0b1405596e8874fe4262f687d9f413ebf4c
RemcosRAT
65c11f3f48285943334d96b4a9d8292b517020f40dcc3989648accdb7dfadc60
RemcosRAT
a7ea2f8cf65a2fc6368cbe91431080aa1269cc37de7095a15237d1b411f27d93
RemcosRAT
a8d6f66d16d98baefb54cba98117106ad64788310db9112d1980b4ec302b5310
RemcosRAT
b27ff5ca901be9f35f0a72a72ec97be60097a6b65829403583e98e7ccc4827b1
RemcosRAT
dcc5e50b7931f67538ba5a423ec6366db60c0ef297f7d93fd5bbeeb0542cc87c
RemcosRAT
df6eac509b37b2dfe3ced246b01167bf4c9d82a3ba0d20b3f3da90072dbd0d99
RemcosRAT
error
RemcosRAT
fd43d26f1db150f1ce6faa221521e0ac9d32ffc26fc835bdc564ce6d93a5ee84
RemcosRAT
+ 5 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution
Link:
https://tria.ge/reports/250806-zhvcvss1et/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Command and Scripting Interpreter: JavaScript
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Process spawned unexpected child process
Malware Config
Dropper Extraction:
https://archive.org/download/msi_20250801/MSI.png
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments