MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62da0e40b7ea9304ca48d767fd6ddd0ad1305489622edebde730d0ab942a1271. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	62da0e40b7ea9304ca48d767fd6ddd0ad1305489622edebde730d0ab942a1271
SHA3-384 hash:	d01a5082fa54e5d4c54a9bb454c96d70ced4056d2d237b218df44080c4c8c4ef560cc98eba816873fc21076f2b421f87
SHA1 hash:	cab7836b388a7ede80f4db92718d9822d3df442f
MD5 hash:	4845e5b5907373b1fb56d0abb6423596
humanhash:	eighteen-lake-beer-kilo
File name:	fsdf98932898gf9g987dsfhfkjhsdf8098sfd0808gdf8g90880d8fgd0fg8098fdg09.hta
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	70'405 bytes
First seen:	2025-11-14 09:58:05 UTC
Last seen:	Never
File type:	hta
MIME type:	application/octet-stream
ssdeep	192:obe2D/QzJnzpuyZBIfcDvml2WcWuBg9e6abzZEniZuBbaEbQFunFI2bzHGVupF22:ty
Threatray	1'773 similar samples on MalwareBazaar
TLSH	T18863FF350424497E53253BAE0B1C52164BC1C76F7E58CEA2B69659E3EBC37A23D278C3
Magika	html
Reporter	pr0xylife
Tags:	hta RemcosRAT

Intelligence

File Origin

# of uploads :

1

# of downloads :

70

Origin country :

NL

Vendor Threat Intelligence

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6916fd3e434cd67b17c1305c

Tags:

obfuscate xtreme spawn

Result

Verdict:

Malicious

File Type:

HTA File - Malicious

Link:

https://app.docguard.net/62da0e40b7ea9304ca48d767fd6ddd0ad1305489622edebde730d0ab942a1271/results/dashboard

Behaviour

BlacklistAPI detected

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 base64 nemucod obfuscated obfuscated overlay powershell xloader

Link:

https://www.filescan.io/uploads/6916fd391e1140d68c915e90/reports/cc4e5a87-215e-4778-8384-8502c10af341/overview

Verdict:

Malicious

Labled as:

GT:JS.Xloader.1

Link:

https://www.hybrid-analysis.com/sample/62da0e40b7ea9304ca48d767fd6ddd0ad1305489622edebde730d0ab942a1271

Verdict:

Malicious

File Type:

hta

First seen:

2025-11-14T07:06:00Z UTC

Last seen:

2025-11-14T20:04:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan.Script.Generic Trojan-Downloader.JS.SLoad.sb Trojan.JS.SAgent.sb Trojan.Agentb.TCP.C&C PDM:Trojan.Win32.Generic

Link:

https://opentip.kaspersky.com/62da0e40b7ea9304ca48d767fd6ddd0ad1305489622edebde730d0ab942a1271/results?tab=lookup

Verdict:

inconclusive

YARA:

2 match(es)

Tags:

Html

Link:

https://app.malva.re/file/4845e5b5907373b1fb56d0abb6423596

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/62da0e40b7ea9304ca48d767fd6ddd0ad1305489622edebde730d0ab942a1271/

Verdict:

Malicious

Threat:

Family.REMCOS

Link:

https://tip.neiki.dev/file/62da0e40b7ea9304ca48d767fd6ddd0ad1305489622edebde730d0ab942a1271

Threat name:

Script-JS.Backdoor.Xloader

Status:

Malicious

First seen:

2025-11-14 07:39:54 UTC

File Type:

Binary

AV detection:

7 of 24 (29.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mlna4qfx5kjqjssi25t723o5blitavejmixn5pphgdikxfbkcjyq._file

Verdict:

malicious

Label(s):

remcos

Similar samples:

1ce00aa5cb26d657ce7face5bbb2d9aa72f5e2a65e7bcfa966e4eb1a424e1a94

588f35133f3b40ab2b2388337f4350ef394133a743110b48b1a7a065c17ed40d

5e28547345b1ded1040b2fefc75d0b633a4c8ef0dce4f9e76d9d22238832063e

b54ff52b3729fd79f32b7ea4644a8d85380658ce987ac1eea45ca6f76cc6f8ab

b72ad9f5170c18afe5788fff799541fa6e034702ebde25f35279ea39e5385a67

dea3a31d0985b5e4b2d88ea39229608a5e062255dd10cdd694ce39cfa14dfd4b

ecadbf33cbf7f7fdbc0021820c72850288f3a4b7bb411d76885f89aa1a3612b3

fe955f2d186ba5e8077fc25ddee450bf0b8bcc998df7adf67038a776b93569cb

+ 1'763 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost discovery execution rat

Link:

https://tria.ge/reports/251114-lzndzsvkfq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Checks computer location settings

Badlisted process makes network request

Command and Scripting Interpreter: PowerShell

Remcos

Remcos family

Malware Config

C2 Extraction:

198.23.177.196:1977

Dropper Extraction:

https://archive.org/download/optimized_msi_20251114/optimized_MSI.png

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/62da0e40b7ea/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/62da0e40b7ea9304ca48d767fd6ddd0ad1305489622edebde730d0ab942a1271

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample