MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d77f0c7f93f79c5884c8731ff55c8ebb23fdf112e927851abd8ef3b73d130d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d77f0c7f93f79c5884c8731ff55c8ebb23fdf112e927851abd8ef3b73d130d7
SHA3-384 hash: 741c57128b9f63c66f84dcef27a0d47dca298f826e5905d84b0dcf636c2e070bd9131ae9da5ccfc4d8fb67e449777dab
SHA1 hash: f9b13daf77414133e425afd47c9108f55bd2d0e3
MD5 hash: 18f6a95197e9b5a5de1c6092459afde4
humanhash: coffee-xray-summer-twelve
File name:CopilotDrivers.js
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'031'416 bytes
First seen:2025-08-17 08:09:53 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 12288:awt4c9W3mDO1GzTR2Fwt4c9W3mDO1GzTR2hwt4c9W3mDO1GzTR2m:Z4+W2KFy4+W2KFu4+W2KFm
Threatray 1'352 similar samples on MalwareBazaar
TLSH T1EB25CF5E352A457E6586B0BC22094162F08EC7E1C36EE3F2D460D868E095CBDD1BE7B7
Magika txt
Reporter abuse_ch
Tags:js RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
SE SE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a18e908fd55a79c52842d8
Tags:
ransomware obfuscate xtreme
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/1d77f0c7f93f79c5884c8731ff55c8ebb23fdf112e927851abd8ef3b73d130d7
Result
Threat name:
Remcos, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1758765
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates processes via WMI
Detected Remcos RAT
Found malware configuration
Found Tor onion address
Injects a PE file into a foreign processes
Installs a global keyboard hook
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Remcos
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Yara detected MSILDownloaderGeneric
Yara detected PureLog Stealer
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1758765 Sample: CopilotDrivers.js Startdate: 17/08/2025 Architecture: WINDOWS Score: 100 31 systemcopilotdriver.ydns.eu 2->31 33 ia800901.us.archive.org 2->33 35 4 other IPs or domains 2->35 61 Suricata IDS alerts for network traffic 2->61 63 Found malware configuration 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 13 other signatures 2->67 8 wscript.exe 1 2->8         started        11 svchost.exe 1 1 2->11         started        signatures3 process4 dnsIp5 69 Suspicious powershell command line found 8->69 71 Wscript starts Powershell (via cmd or directly) 8->71 73 Windows Scripting host queries suspicious COM object (likely to drop second stage) 8->73 75 2 other signatures 8->75 14 powershell.exe 14 16 8->14         started        41 127.0.0.1 unknown unknown 11->41 signatures6 process7 dnsIp8 43 ia800901.us.archive.org 207.241.233.61, 443, 49682 INTERNET-ARCHIVEUS United States 14->43 45 archive.org 207.241.224.2, 443, 49681 INTERNET-ARCHIVEUS United States 14->45 47 cdn.discordapp.com 162.159.133.233, 443, 49687 CLOUDFLARENETUS United States 14->47 77 Found Tor onion address 14->77 79 Writes to foreign memory regions 14->79 81 Injects a PE file into a foreign processes 14->81 18 MSBuild.exe 14->18         started        21 MSBuild.exe 4 15 14->21         started        25 conhost.exe 14->25         started        27 2 other processes 14->27 signatures9 process10 dnsIp11 49 Contains functionality to bypass UAC (CMSTPLUA) 18->49 51 Contains functionalty to change the wallpaper 18->51 53 Contains functionality to steal Chrome passwords or cookies 18->53 59 2 other signatures 18->59 37 systemcopilotdriver.ydns.eu 181.206.158.190, 3001, 49688 ColombiaMovilCO Colombia 21->37 39 geoplugin.net 178.237.33.50, 49689, 80 ATOM86-ASATOM86NL Netherlands 21->39 29 C:\ProgramData\remcos\registros.dat, data 21->29 dropped 55 Detected Remcos RAT 21->55 57 Installs a global keyboard hook 21->57 file12 signatures13
Score:
65%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/1d77f0c7f93f79c5884c8731ff55c8ebb23fdf112e927851abd8ef3b73d130d7
Verdict:
Malware
YARA:
2 match(es)
Tags:
Base64 Block Contains Base64 Block DeObfuscated PowerShell Powershell: Hidden Execution
Link:
https://app.malva.re/file/18f6a95197e9b5a5de1c6092459afde4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1d77f0c7f93f79c5884c8731ff55c8ebb23fdf112e927851abd8ef3b73d130d7/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/1d77f0c7f93f79c5884c8731ff55c8ebb23fdf112e927851abd8ef3b73d130d7
Threat name:
Script-JS.Backdoor.Remcos
Create hunting rule
Status:
Suspicious
First seen:
2025-08-16 17:15:26 UTC
File Type:
Text
AV detection:
10 of 37 (27.03%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dv37br7zh544lccmq4y76voi5ozd7xyrf2jhqunl3dxtw46rgdlq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0780b511b4413c846adda72e7ede6afb0398a084112bf0399d2d4041f952cfa4
RemcosRAT
1eb765ddbcf4fc19d9f2d77ec340f635bb9bd57f7b9b5ed2f78b9a10d2882c32
RemcosRAT
29698045dbe2e9eaf2f0ff6830417cb112e5af234225b06242e27198c9321204
RemcosRAT
36f0e0b31d5b901268c65a2d5dd8b48a0e9c9b00a329c10be9a7be625fe5d84d
RemcosRAT
56b4683889bc8c9a8cbceb1b9d5a87d6eb6f6f801adb95770d44a7ffdc3f69bf
RemcosRAT
68ff3ce1de760e7c481902c645f21eb683c386df14cc29b4365931eed481e26b
RemcosRAT
9b37f9c137e7c8e068f6eb375ef9a32dec6b4021a35115958c2257935c26a412
RemcosRAT
a0c2c6d32c1fa057b2ee2d134990886f30fbb8354c32fc35d20016d5be0c7df4
RemcosRAT
a541c263938c611b0b22ad6c47524e879046091a802c9bcf7f985f893b9c31bd
RemcosRAT
error
RemcosRAT
+ 1'342 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos defense_evasion discovery execution rat
Link:
https://tria.ge/reports/250817-j229tacl2s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Modifies trusted root certificate store through registry
Process spawned unexpected child process
Remcos
Remcos family
Malware Config
C2 Extraction:
systemcopilotdriver.ydns.eu:3001
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/1d77f0c7f93f79c5884c8731ff55c8ebb23fdf112e927851abd8ef3b73d130d7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Warp
Create hunting rule
Author:Seth Hardy
Description:Warp
Rule name:WarpStrings
Create hunting rule
Author:Seth Hardy
Description:Warp Identifying Strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Java Script (JS) js 1d77f0c7f93f79c5884c8731ff55c8ebb23fdf112e927851abd8ef3b73d130d7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3597686/
  
Delivery method
Distributed via web download

Comments