MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2860229869ba19a3f5c9f2071c39dfa08aeeb45c6681b588346e78b433ab1d00. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2860229869ba19a3f5c9f2071c39dfa08aeeb45c6681b588346e78b433ab1d00
SHA3-384 hash: 5213e100924aeb4c570cb83761a09b742915e14bb9c6ddb44372caebe3ea77700e0fd3fc124da698deee51393d01eb35
SHA1 hash: 15a00f525ccec1b672d695372abacfef7c9c7946
MD5 hash: 6bd79530635f13fb16630d19d125aeea
humanhash: nine-moon-green-beer
File name:CopilotDrivers.js
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:4'034'229 bytes
First seen:2025-12-11 06:29:09 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 96:qZHvxGZzgwzY/0GZuGwzZ/SPmT4XwujSyogxw/sGJksNjzIKYTNXwuRN0o0pRoOq:3RPwOKsY/UFwWTtCPF
Threatray 1'080 similar samples on MalwareBazaar
TLSH T165163360962F1017C6D4DBB7AF707AE4FA18A1559BE32B5C394889CC87F283174B64AC
Magika javascript
Reporter abuse_ch
Tags:js RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
130
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=693a64bfbde6a3e597102639
Tags:
obfuscate xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 base64 fingerprint obfuscated obfuscated overlay powershell repaired
Link:
https://www.filescan.io/uploads/693a64bd900ee247e841d366/reports/b9f564b9-2818-4e0d-9191-49f5b0fced0a/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/2860229869ba19a3f5c9f2071c39dfa08aeeb45c6681b588346e78b433ab1d00
Verdict:
Malicious
File Type:
js
First seen:
2025-12-11T03:47:00Z UTC
Last seen:
2025-12-11T04:15:00Z UTC
Hits:
~10
Detections:
Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/2860229869ba19a3f5c9f2071c39dfa08aeeb45c6681b588346e78b433ab1d00/results?tab=lookup
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1830781
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates processes via WMI
Detected Remcos RAT
Found malware configuration
Found Tor onion address
Injects a PE file into a foreign processes
Installs a global keyboard hook
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Remcos
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Unusual module load detection (module proxying)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1830781 Sample: CopilotDrivers.js Startdate: 11/12/2025 Architecture: WINDOWS Score: 100 23 hostphpwindowsdriversappssapo.duckdns.org 2->23 25 systemcopilotdriver.ydns.eu 2->25 27 6 other IPs or domains 2->27 43 Suricata IDS alerts for network traffic 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 51 12 other signatures 2->51 8 wscript.exe 1 2->8         started        signatures3 49 Uses dynamic DNS services 23->49 process4 signatures5 53 Suspicious powershell command line found 8->53 55 Wscript starts Powershell (via cmd or directly) 8->55 57 Windows Scripting host queries suspicious COM object (likely to drop second stage) 8->57 59 2 other signatures 8->59 11 powershell.exe 14 15 8->11         started        process6 dnsIp7 29 archive.org 207.241.224.2, 49689, 80 INTERNET-ARCHIVEUS United States 11->29 31 systemcopilotdriver.ydns.eu 181.206.158.190, 3001, 49695, 49696 ColombiaMovilCO Colombia 11->31 33 dn721808.ca.archive.org 204.62.247.90, 443, 49690, 49691 COGENT-174US United States 11->33 61 Found Tor onion address 11->61 63 Writes to foreign memory regions 11->63 65 Injects a PE file into a foreign processes 11->65 15 MSBuild.exe 4 2 11->15         started        19 conhost.exe 11->19         started        signatures8 process9 file10 21 C:\ProgramData\remcos\registros.dat, data 15->21 dropped 35 Contains functionality to bypass UAC (CMSTPLUA) 15->35 37 Detected Remcos RAT 15->37 39 Contains functionalty to change the wallpaper 15->39 41 5 other signatures 15->41 signatures11
Score:
17%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/2860229869ba19a3f5c9f2071c39dfa08aeeb45c6681b588346e78b433ab1d00
Verdict:
inconclusive
YARA:
1 match(es)
Link:
https://app.malva.re/file/6bd79530635f13fb16630d19d125aeea
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2860229869ba19a3f5c9f2071c39dfa08aeeb45c6681b588346e78b433ab1d00/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/2860229869ba19a3f5c9f2071c39dfa08aeeb45c6681b588346e78b433ab1d00
Threat name:
Script-JS.Backdoor.Remcos
Create hunting rule
Status:
Suspicious
First seen:
2025-12-11 00:54:22 UTC
File Type:
Binary
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fbqcfgdjxim2h5oj6idryoo7ucfo5nc4m2a3lcbunz4lim5lduaa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
13cfe3fd5a544dbed0b3293db0303a4ecbd81eecad53b511f28dfbbf25f156cf
RemcosRAT
52c54f72fc81d56c90fefc4cc4ef9a99f92a481953ac377b3a87c510a9ef89ba
RemcosRAT
56f8a2584a0438ff19f7ca253aa8555173c1e3ddf0d29259400bfcd0f69b9bbd
RemcosRAT
58a2e12b712f7f15735e76be17a67c723e50f45f270f23fff2e2d3bd4bab9dcb
RemcosRAT
98bbf0bbcd56c0562ac9a22eb0573b0f83aac0f9f5415db43bf33ef28581e5f4
RemcosRAT
a7a565a4a611b7fd96d361e5b7f229a4a84388d15619dbf844e1e23ade31e3e6
RemcosRAT
b801bcc02f26c3756b929cbe8ae210cd56dca87527c4091f94d27a04f092f9b8
RemcosRAT
e0e7f7fec05c3d612a7840cd55c14eccfa71ae615462334f4e09251a91429ffe
RemcosRAT
e66b8fb1b3d9be2489bc14e3c80b694c633ccc074ae851689826bc55cee3619b
RemcosRAT
f74d263c8384f7ab6440f5639aa49ca86172132d0bfe734fe6e0e2be086edda7
RemcosRAT
+ 1'070 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos discovery execution rat
Link:
https://tria.ge/reports/251211-g82krahy9a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Process spawned unexpected child process
Remcos
Remcos family
Malware Config
C2 Extraction:
systemcopilotdriver.ydns.eu:3001
Dropper Extraction:
http://archive.org/download/optimized_msi_20251205_1631/optimized_MSI.png
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/2860229869ba19a3f5c9f2071c39dfa08aeeb45c6681b588346e78b433ab1d00

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Java Script (JS) js 2860229869ba19a3f5c9f2071c39dfa08aeeb45c6681b588346e78b433ab1d00

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3597686/
  
Delivery method
Distributed via web download

Comments