MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 627f5346aa66a5a7ba2dde766dab57dee2f1d08ede71a06f5c47373c97c11414. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 627f5346aa66a5a7ba2dde766dab57dee2f1d08ede71a06f5c47373c97c11414
SHA3-384 hash: ec88cd88c048a55f201ba1de82549713ecf99ad3c16a22bda292448ee6d952d920ee8eabc70d347072c4c8e301a3cad6
SHA1 hash: dff01205726493e683970024eb237399850cd912
MD5 hash: 91c126220cf77d51f69fe9a4ab9b9767
humanhash: single-kentucky-crazy-fish
File name:ET2675_Sepat_PantheraMTO_EODD.JS
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:6'861'004 bytes
First seen:2025-06-24 05:25:42 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 6144:KqgwHhheb3V+DBXwjeczwg1Lky6qy2awcYgft4vd43urGlzrtE+0yKGPrAp9yaVJ:yohhPomVi8yQIOOd74x41
Threatray 343 similar samples on MalwareBazaar
TLSH T17A668D8E8D0FF7433092DFA06A88B99AE03B668317113B7074DC5D0AB74DE9A1DDD658
Magika javascript
Reporter abuse_ch
Tags:js RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
427
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=685a377732ed47a3a8d6aa66
Tags:
cobalt delphi emotet lien
Verdict:
Malicious
Labled as:
Trojan.Agent
Link:
https://www.hybrid-analysis.com/sample/627f5346aa66a5a7ba2dde766dab57dee2f1d08ede71a06f5c47373c97c11414
Result
Threat name:
Remcos, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1721532
Signature
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Found hidden mapped module (file has been removed from disk)
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Suspicious Creation with Colorcpl
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1721532 Sample: ET2675_Sepat_PantheraMTO_EO... Startdate: 24/06/2025 Architecture: WINDOWS Score: 100 33 geoplugin.net 2->33 47 Suricata IDS alerts for network traffic 2->47 49 Antivirus detection for dropped file 2->49 51 Multi AV Scanner detection for dropped file 2->51 53 9 other signatures 2->53 9 wscript.exe 1 4 2->9         started        signatures3 process4 signatures5 63 Windows Scripting host queries suspicious COM object (likely to drop second stage) 9->63 12 HEO.PIF 9->12         started        process6 signatures7 65 Writes to foreign memory regions 12->65 67 Allocates memory in foreign processes 12->67 69 Allocates many large memory junks 12->69 71 3 other signatures 12->71 15 colorcpl.exe 6 16 12->15         started        process8 dnsIp9 35 164.68.116.238, 2404, 49690, 49693 CONTABODE Germany 15->35 37 geoplugin.net 178.237.33.50, 49692, 80 ATOM86-ASATOM86NL Netherlands 15->37 27 C:\Users\user\AppData\Local\Temp\THF5EF.tmp, MS-DOS 15->27 dropped 29 C:\Users\user\AppData\Local\Temp\THA2E.tmp, MS-DOS 15->29 dropped 31 C:\Users\user\AppData\Local\Temp\TH8856.tmp, PE32 15->31 dropped 39 Detected Remcos RAT 15->39 41 Writes to foreign memory regions 15->41 43 Found hidden mapped module (file has been removed from disk) 15->43 45 Maps a DLL or memory area into another process 15->45 20 svchost.exe 2 15->20         started        23 svchost.exe 1 15->23         started        25 svchost.exe 1 15->25         started        file10 signatures11 process12 signatures13 55 Tries to steal Mail credentials (via file registry) 20->55 57 Tries to harvest and steal browser information (history, passwords, etc) 20->57 59 Tries to steal Instant Messenger accounts or passwords 23->59 61 Tries to steal Mail credentials (via file / registry access) 23->61
Score:
90%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/627f5346aa66a5a7ba2dde766dab57dee2f1d08ede71a06f5c47373c97c11414
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/627f5346aa66a5a7ba2dde766dab57dee2f1d08ede71a06f5c47373c97c11414/
Threat name:
Script-JS.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2025-06-23 10:34:37 UTC
File Type:
Text (JavaScript)
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mj7vgrvkm2s2porn3z3g3k2x33rpdueo3zy2a324i43tzf6bcqka._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
Similar samples:
210487ffeafb67e2857c11ec72476e09a4a9eb901760719b76c484b9666dafa2
RemcosRAT
2567bb2ba292ab96811afc9a327e2e5cdccbc021c3d4aad732a5703c0b4dfd07
RemcosRAT
2cd854191967af9ed91f754e88853c195473540a5234a598b8e9dcf69242e48f
RemcosRAT
409b531641718cc8dc421f51d208a7c907df426986bff09f01b4cfadf2d3b763
RemcosRAT
540ecfddd158625e0e15030a6bb23a5a8e2f5b33c453a1b6e3915ed724983896
RemcosRAT
54a140cc4bf82200a421426e644790f34d3870c3adcace1f19d3196f0da7b01d
RemcosRAT
581839491509f10044d68d1c5695a489a317a332517d7b4d640fea83096bad81
RemcosRAT
66bc91399d2182893517c0d7aecdcabb23925c6b01ee0bd73c957ac4a2b46760
RemcosRAT
80fcb7e90f7fbbdbcbb8524fce1ac46a674e250f03e215dd9918654db60dd9bb
RemcosRAT
error
RemcosRAT
+ 333 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
collection defense_evasion discovery execution trojan
Link:
https://tria.ge/reports/250624-f5w1escr2z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detected Nirsoft tools
NirSoft MailPassView
UAC bypass
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/627f5346aa66a5a7ba2dde766dab57dee2f1d08ede71a06f5c47373c97c11414

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments