MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b9a611f5ca531f0794cf9601360e1414c72079689ce107c2ebf4c5bb6fc5f8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b9a611f5ca531f0794cf9601360e1414c72079689ce107c2ebf4c5bb6fc5f8d
SHA3-384 hash: c1099ad74885d2997e2eaa1f826872ee2f2f7eb9cb9766e6ae9562e7f0da095a8eeb5f383136882909c9f2945116a080
SHA1 hash: 33fb84a1518915b113aaec9506122d76f80b6108
MD5 hash: 8e13d536db884141396b72340b97860a
humanhash: may-magazine-mars-california
File name:PURCHASE ORDER - PI.js
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'557 bytes
First seen:2025-04-07 10:48:01 UTC
Last seen:2025-04-07 11:29:17 UTC
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 24:ipfzptxjFChJAA2p/yzz2p5/A7hO7h7hzqpzuzPrpPrupupkx8qHK:inpX94I9QY6M
Threatray 759 similar samples on MalwareBazaar
TLSH T11231C7537790FDAC0DD0662CD14B806A40C1C9D7706A176FEB8426D0AF2F717C02A1BC
Magika javascript
Reporter cocaman
Tags:js RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
499
Origin country :
CH CH
Vendor Threat Intelligence
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67f3ad6be011fe619fabe8c1
Tags:
obfuscate xtreme shell
Verdict:
Malicious
Labled as:
JS/TrojanDownloader.Agent
Link:
https://www.hybrid-analysis.com/sample/5b9a611f5ca531f0794cf9601360e1414c72079689ce107c2ebf4c5bb6fc5f8d
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1658202
Signature
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Remcos
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1658202 Sample: PURCHASE ORDER - PI.js Startdate: 07/04/2025 Architecture: WINDOWS Score: 100 32 paste.ee 2->32 34 roonye.ydns.eu 2->34 36 3 other IPs or domains 2->36 50 Suricata IDS alerts for network traffic 2->50 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 58 12 other signatures 2->58 9 wscript.exe 1 14 2->9         started        13 wscript.exe 2->13         started        signatures3 56 Connects to a pastebin service (likely for C&C) 32->56 process4 dnsIp5 40 paste.ee 23.186.113.60, 443, 49689 KLAYER-GLOBALNL Reserved 9->40 68 System process connects to network (likely due to code injection or exploit) 9->68 70 JScript performs obfuscated calls to suspicious functions 9->70 72 Suspicious powershell command line found 9->72 74 3 other signatures 9->74 15 powershell.exe 14 17 9->15         started        signatures6 process7 dnsIp8 42 roonye.ydns.eu 89.34.230.74, 24680, 49696, 49697 TENNET-ASRO Romania 15->42 44 ia600705.us.archive.org 207.241.227.165, 443, 49694 INTERNET-ARCHIVEUS United States 15->44 46 Writes to foreign memory regions 15->46 48 Injects a PE file into a foreign processes 15->48 19 InstallUtil.exe 4 16 15->19         started        24 cmd.exe 1 15->24         started        26 conhost.exe 15->26         started        signatures9 process10 dnsIp11 38 geoplugin.net 178.237.33.50, 49698, 80 ATOM86-ASATOM86NL Netherlands 19->38 30 C:\ProgramData\remcos\logs.dat, data 19->30 dropped 60 Contains functionality to bypass UAC (CMSTPLUA) 19->60 62 Contains functionalty to change the wallpaper 19->62 64 Contains functionality to steal Chrome passwords or cookies 19->64 66 3 other signatures 19->66 28 conhost.exe 24->28         started        file12 signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5b9a611f5ca531f0794cf9601360e1414c72079689ce107c2ebf4c5bb6fc5f8d/
Threat name:
Script-JS.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2025-04-07 10:12:39 UTC
File Type:
Binary
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=longch24uuy7a6km7fqbgyhbifgheb4wrhhba7box5gfxnx4l6gq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
06128d5af134f6222df0415499faea2d3750869b2965d22a9cb566b7f17fe7ad
RemcosRAT
0c25fdd6e72006a4896e82aef58f05e9177a07d75aeff4eeb85dd7138ffb52f6
RemcosRAT
4cfc84d46074142fa3204777ac1a0cbd7ea155fcaf0739388df5d098abf8d7f4
RemcosRAT
7c0946cd8a228f35db68a9bd702e283a3ab9f41113bede7ed206e9af5f824c9e
RemcosRAT
cbb80b28d18b74f2e7c7cc25613250d84aa207b0b717262477584b5619a5ca12
RemcosRAT
d3f2fca06a2c1fa4292808c0531ed438b774ce0a0e77071af7a739325c448e2b
RemcosRAT
de9dcf9f6ee4f1dd3a6ce3793a6da1e2393535e2ffb9dc8ad46972272a0b4ab1
RemcosRAT
e7e78105c3946eb6ec2297a39ece3865c41f918d75d2a428ef53ef98ba0ad300
RemcosRAT
error
RemcosRAT
+ 749 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:new discovery execution rat
Link:
https://tria.ge/reports/250407-mv6kfazjw5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Blocklisted process makes network request
Remcos
Remcos family
Malware Config
C2 Extraction:
roonye.ydns.eu:24680
tamar.ydns.eu:24680
shukurov.ydns.eu:24680
rasuljon.ydns.eu:24680
tevzadze.ydns.eu:24680
dodon.ydns.eu:24680
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5b9a611f5ca5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5b9a611f5ca531f0794cf9601360e1414c72079689ce107c2ebf4c5bb6fc5f8d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

tar 2175a8a31bc7732642d46db8f07a092125347baa44a6624062eeee52d68e521c

RemcosRAT

Java Script (JS) js 5b9a611f5ca531f0794cf9601360e1414c72079689ce107c2ebf4c5bb6fc5f8d

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 2175a8a31bc7732642d46db8f07a092125347baa44a6624062eeee52d68e521c
  
Dropped by
MD5 031d51f5351f1770833f12825874cd81

Comments