MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d0f39d696f56871af658067664d2bd79b77928ba7b289393b9f7e75ac85e321. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	2d0f39d696f56871af658067664d2bd79b77928ba7b289393b9f7e75ac85e321
SHA3-384 hash:	d67af9ba7053f83f5ef5d3cfa013815125fb40d367c22b9f639542d5e3c7ea63e893e5203321c0cd5b818c6eea9c1d66
SHA1 hash:	ef46aec6284ef680b43e97d9f1f4220ce5e07624
MD5 hash:	7db223ab173c1ae0803c1dd7816ff857
humanhash:	quiet-wyoming-friend-fillet
File name:	SOA BEFORE JULY.js
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	47'882 bytes
First seen:	2025-08-25 06:42:42 UTC
Last seen:	Never
File type:	js
MIME type:	text/plain
ssdeep	192:5PPVg9pcx895jo1nNNxV4ERKvmHXz7+zclNIbZZg7Fk:5PPVg9pcx89whEGXzocl57G
Threatray	1'385 similar samples on MalwareBazaar
TLSH	T11F23291568DF84EFEFD9DC81024911F6A6C24F2F66384B0BBC9B03D699D0E39752E894
Magika	javascript
Reporter	abuse_ch
Tags:	js RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68ac060a6eed937d746da57d

Tags:

n/a

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm base64 evasive fingerprint obfuscated obfuscated powershell

Link:

https://www.filescan.io/uploads/68ac0619253799db621b6406/reports/7653ccc8-137c-40de-8c3f-0e0294eb9bc4/overview

Verdict:

Malicious

Labled as:

Trojan.Cryxos.JS

Link:

https://www.hybrid-analysis.com/sample/2d0f39d696f56871af658067664d2bd79b77928ba7b289393b9f7e75ac85e321

Verdict:

Unknown

File Type:

Link:

https://opentip.kaspersky.com/2d0f39d696f56871af658067664d2bd79b77928ba7b289393b9f7e75ac85e321/results?tab=lookup

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1764260

Signature

C2 URLs / IPs found in malware configuration

Creates processes via WMI

Found malware configuration

Found Tor onion address

JavaScript source code contains functionality to generate code involving a shell, file or stream

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: WScript or CScript Dropper

Suricata IDS alerts for network traffic

Suspicious execution chain found

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Yara detected Powershell download and execute

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Score:

26%

Verdict:

Benign

File Type:

SCRIPT

Link:

https://malprob.io/report/2d0f39d696f56871af658067664d2bd79b77928ba7b289393b9f7e75ac85e321

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2d0f39d696f56871af658067664d2bd79b77928ba7b289393b9f7e75ac85e321/

Threat name:

Script-JS.Trojan.PureLogsStealer

Status:

Malicious

First seen:

2025-08-25 00:40:26 UTC

File Type:

Binary

AV detection:

10 of 24 (41.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fuhttvuw6vuhdl3fqbtwmtjl26nxpeulu6zisoj3t57hllef4mqq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

567f768cff1b5969e082271fd31ed9bd6d1b264ba2f2525937e12006a5569977

RemcosRAT

6bc677ac4c36cb99e3170edb2b29b8e8b47399a2896f8f0c6fa998b4337bcf35

RemcosRAT

b913d0ba4c81312099d6776c0c0806486254be12e7b0cb0ce19b9fa9203397f3

RemcosRAT

c208d8d0493c60f14172acb4549dcb394d2b92d30bcae4880e66df3c3a7100e4

RemcosRAT

d58ef7f6352296a5f9052e5bb522a0556037f373b27dd1bf4c53a521f0f7a0a8

RemcosRAT

dacfee8b1805f6536369bf401c7104946429f2e68c4e7143b60d9153b23c7c76

RemcosRAT

e119c6c5485307075a1e5d0950a77f978f7f17e23c315ed8c38cc1259b8af26f

RemcosRAT

error

RemcosRAT

+ 1'375 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos collection defense_evasion discovery execution rat

Link:

https://tria.ge/reports/250825-hg6wtssxet/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: JavaScript

System Location Discovery: System Language Discovery

Launches sc.exe

Suspicious use of SetThreadContext

Accesses Microsoft Outlook accounts

Badlisted process makes network request

Command and Scripting Interpreter: PowerShell

Modifies trusted root certificate store through registry

Detected Nirsoft tools

NirSoft MailPassView

NirSoft WebBrowserPassView

Process spawned unexpected child process

Remcos

Remcos family

Malware Config

C2 Extraction:

blackyywire.ddns.net:2404

Dropper Extraction:

https://archive.org/download/optimized_msi_20250821/optimized_MSI.png

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2d0f39d696f56871af658067664d2bd79b77928ba7b289393b9f7e75ac85e321

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample