MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b1bc81d05d8ac98a96d1618f7490df26c510d92ec634d053383e709a7a63f40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 11



SHA256 hash: 5b1bc81d05d8ac98a96d1618f7490df26c510d92ec634d053383e709a7a63f40
SHA3-384 hash: c786e3eceb9d3b475ce45d70992ede0ee6333cc546967fa6aff87d15e3539014d2f83a916e87c9bdd59e66926ad54454
SHA1 hash: f476aded1b163a0f469ac66c9ef59c6dded46e3b
MD5 hash: febc7ae6375b6c45e66c96139c706d0e
humanhash: london-minnesota-ink-cardinal
File name: Output.js
Signature: RemcosRAT
File size: 1'717'645 bytes
First seen: 2025-02-07 21:24:54 UTC
Last seen: Never
File type: Java Script (JS) js
MIME type: text/plain
ssdeep: 24576:Gv0NIoV5OAYtNM3CNlqcxWUQfV1Sw2uRv49EVk+Er793pIbGF+I4IXz+VRxAUY6W:aFvEUQfchSO3+TRx/Q
TLSH: T1B28502374517FDAF3B1D2D8D44082D451CA82E97876896A8EA49A4F3B6CC614CF2E4FC
Magika: txt
Reporter: Anonymous
Tags: js RemcosRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 508
Origin country: US

Vendor Threat Intelligence
Verdict: Malicious
Score: 96.5%
Tags: vmdetect extens keylog sage

Result
Verdict: MALICIOUS
Details: Base64 Encoded URL. Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.

Result
Threat name:
Detection: malicious
Classification: rans.troj.spyw.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Drops PE files with a suspicious file extension
Found API chain indicative of sandbox detection
Found malware configuration
Injects a PE file into a foreign process
Installs a global keyboard hook
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Remcos
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses ipconfig to lookup or modify the Windows network settings
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected AntiVM autoit script
Yara detected Autoit Injector
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph ID: 1609789
Sample: Output.js
Start date: 07/02/2025
Architecture: WINDOWS
Score: 100

Network (sample-wide):
  novermber12.duckdns.org (Uses dynamic DNS services)
  Novermber12.freeddns.org -> 206.217.216.28 (UK2NET-ASGB, United States), ports 49737, 49738, 49819; contacted by RegSvcs.exe (see process tree)

Sample-wide signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures

Process tree (indentation = parent/child):
  wscript.exe
    drops: C:\Users\user\...\jOznfGmiVFjhuhjR.scr (PE32)
    signatures: Benign windows process drops PE files; JScript performs obfuscated calls to suspicious functions; Drops PE files with a suspicious file extension; Windows Scripting host queries suspicious COM object (likely to drop second stage)
    jOznfGmiVFjhuhjR.scr
      drops: C:\Users\user\AppData\Local\...\ftaei.icm (PE32); C:\Users\user\AppData\Local\Temp\...\pumn.vbe (Unicode); C:\Users\user\AppData\Local\...\plmqijkh.exe (data)
      signatures: Multi AV Scanner detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      wscript.exe
        signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
        cmd.exe
          ftaei.icm
            drops: C:\Users\user\sifp\ftaei.icm.exe (PE32); C:\Users\user\sifp\ftaei.icm (PE32); C:\Users\user\AppData\Local\...\RegSvcs.exe (PE32); 2 other malicious files
            signatures: Found API chain indicative of sandbox detection; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; 2 other signatures
            RegSvcs.exe
              network: Novermber12.freeddns.org (206.217.216.28, ports 49737, 49738, 49819)
              drops: C:\ProgramData\remcos\logs.dat (data)
              signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Contains functionality to change the wallpaper; 5 other signatures
          conhost.exe
        cmd.exe
          signatures: Uses ipconfig to lookup or modify the Windows network settings
          conhost.exe
          ipconfig.exe
        cmd.exe
          conhost.exe
          ipconfig.exe
  ftaei.icm.exe
    drops: C:\Users\user\sifp\ftaei.icm.exe.exe (PE32)
    signatures: Found API chain indicative of sandbox detection; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions
    RegSvcs.exe
      signatures: Detected Remcos RAT
  ftaei.icm.exe
    signatures: Allocates memory in foreign processes; Injects a PE file into a foreign process
    RegSvcs.exe
Threat name: Script-JS.Trojan.Divergent
Status: Malicious
First seen: 2025-02-07 17:29:01 UTC
File Type: Text
AV detection: 9 of 24 (37.50%)
Threat level: 5/5
Verdict: malicious
Label(s):
Similar samples:
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

Rule name: Warp
Author: Seth Hardy
Description: Warp

Rule name: WarpStrings
Author: Seth Hardy
Description: Warp Identifying Strings

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Signature: RemcosRAT
File type: Java Script (JS) js
SHA256: 5b1bc81d05d8ac98a96d1618f7490df26c510d92ec634d053383e709a7a63f40 (this sample)

Comments