MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b48b4d74ec2b1cfbd9e732c2b4d1c58c82882007ab5624c74b15657feb9641d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	2b48b4d74ec2b1cfbd9e732c2b4d1c58c82882007ab5624c74b15657feb9641d
SHA3-384 hash:	69685789093aef0c0d0756e967183ee4382785796f6640cb7b20e07d434ca755936088ee09cba554a942218b37494958
SHA1 hash:	82569fcb91410f416ce12b966b91519d5ea89608
MD5 hash:	645b21ae90237079c4ff8d1c93442071
humanhash:	west-hot-march-wyoming
File name:	sweetnessgivenmebestthingsforever.hta
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	48'509 bytes
First seen:	2026-06-21 09:41:27 UTC
Last seen:	Never
File type:	hta
MIME type:	text/html
ssdeep	192:X+lyG58UMd+8+ccQPd21282w2Q2+m242b2ff+2u2bGBf+SD7igrMxs3+++lF:XNqHs7PvW3af9Fbw17imMCvG
TLSH	T14523D97DC7C195AE994FA7500E6E27C5332C63F542A96618FCDD81339EFD52B2316014
Magika	txt
Reporter	JAMESWT_WT
Tags:	46-183-223-7 hta kelvin654-duckdns-org RemcosRAT Spam-ITA

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

SecuriteInfo.com.VBS.Starter.518.9486.24630.UNOFFICIAL

SecuriteInfo.com.VBS.Starter.518.22154.9068.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a37b1d51548daf709f85c93

Tags:

cryxos xtreme shell sage

Result

Verdict:

Malicious

File Type:

HTA File - Malicious

Link:

https://app.docguard.net/2b48b4d74ec2b1cfbd9e732c2b4d1c58c82882007ab5624c74b15657feb9641d/results/dashboard

Payload URLs

URL

File name

http://46.183.223.7/90/wegivingbestsolutionsforbetterplaces.js

HTA File

Behaviour

BlacklistAPI detected

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

powershell

Link:

https://www.filescan.io/uploads/6a37b1cb90632a45f72f83c3/reports/9b5aabbc-61aa-4f92-a073-99e1b95212ec/overview

Verdict:

Malicious

Labled as:

Runner

Link:

https://www.hybrid-analysis.com/sample/2b48b4d74ec2b1cfbd9e732c2b4d1c58c82882007ab5624c74b15657feb9641d

Verdict:

Malicious

File Type:

html

First seen:

2026-06-21T06:48:00Z UTC

Last seen:

2026-06-21T06:48:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan.HTA.SAgent.gen HEUR:Trojan-Downloader.Script.Generic

Link:

https://opentip.kaspersky.com/2b48b4d74ec2b1cfbd9e732c2b4d1c58c82882007ab5624c74b15657feb9641d/results?tab=lookup

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/2b48b4d74ec2b1cfbd9e732c2b4d1c58c82882007ab5624c74b15657feb9641d

Verdict:

Malware

YARA:

3 match(es)

Tags:

Base64 Block Contains Base64 Block DeObfuscated Html PowerShell

Link:

https://app.malva.re/file/645b21ae90237079c4ff8d1c93442071

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/2b48b4d74ec2b1cfbd9e732c2b4d1c58c82882007ab5624c74b15657feb9641d/

Verdict:

Malicious

Threat:

Trojan-Downloader.Script.SAgent

Link:

https://tip.neiki.dev/file/2b48b4d74ec2b1cfbd9e732c2b4d1c58c82882007ab5624c74b15657feb9641d

Threat name:

Script-WScript.Trojan.Runner

Status:

Malicious

First seen:

2026-06-18 23:03:37 UTC

File Type:

Text (HTML)

Extracted files:

AV detection:

12 of 36 (33.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fneljv2oyky47pm6omwcwti4ldecraqapk2wetduwflfp7vzmqoq._file

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:zeecrypt discovery execution rat suricata

Link:

https://tria.ge/reports/260621-ln2r8scw5l/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Badlisted process makes network request

Family: Remcos

Process spawned unexpected child process

Suricata alert: REMCOS RAT Malware Inbound C2 Communication

Suricata alert: REMCOS RAT Malware Outbound C2 Communication

Malware Config

C2 Extraction:

oyine.duckdns.org:4550
oyine.duckdns.org:4551
oyine.duckdns.org:4553

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/2b48b4d74ec2b1cfbd9e732c2b4d1c58c82882007ab5624c74b15657feb9641d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample