MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65e7c6cd6f17c560238f263be7d4efec7f817c1eb992c10e139688ae43a132f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 21 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 65e7c6cd6f17c560238f263be7d4efec7f817c1eb992c10e139688ae43a132f6
SHA3-384 hash: 39efda9d3b7ea35a8f314dd287473ee17ea5c1fbd2c4941093c9b5601b544e95aa93a86a234d5018f3358d7afafc00e5
SHA1 hash: 2bece9fc07d07f35b102f8c67c51187133b4d8f7
MD5 hash: 8794b85b411a7e2b701ba6011bb48daa
humanhash: glucose-maine-leopard-maryland
File name:24_07_2025_Dönemi_MEVDUAT Ekstre Bilgiler.js
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:808'041 bytes
First seen:2025-07-24 13:50:16 UTC
Last seen:2025-07-29 07:50:47 UTC
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 12288:h17ON94ADwYGTo1dUS9Mrfkd3EKKzjUbemJnnox62DpBcoduVOn2SMaPDV5yeT2U:To1Lofk7imBoxzdBcodIkPD6eTXi94
Threatray 1'183 similar samples on MalwareBazaar
TLSH T10C05E03CC8A4BDCC077A74C2529F3B09029CBF73A971AB6CF9A22CA5291C14D9B7545D
Magika javascript
Reporter smica83
Tags:bigbelly042-duckdns-org js RemcosRAT Spam-ITA

Intelligence

File Origin
# of uploads :
2
# of downloads :
73
Origin country :
HU HU
Vendor Threat Intelligence
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68823a2e84b37dd61ef1529f
Tags:
virus lien sage remo
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1743420
Signature
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Detected Remcos RAT
Found malware configuration
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Remcos
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1743420 Sample: 24_07_2025_D#U00f6nemi_MEVD... Startdate: 24/07/2025 Architecture: WINDOWS Score: 100 53 bigbelly042.duckdns.org 2->53 55 geoplugin.net 2->55 67 Suricata IDS alerts for network traffic 2->67 69 Found malware configuration 2->69 71 Malicious sample detected (through community Yara rule) 2->71 75 13 other signatures 2->75 12 wscript.exe 1 2 2->12         started        signatures3 73 Uses dynamic DNS services 53->73 process4 file5 51 C:\Users\user\...\Las_VegasBoulevard.bat, ASCII 12->51 dropped 87 JScript performs obfuscated calls to suspicious functions 12->87 89 Wscript starts Powershell (via cmd or directly) 12->89 91 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->91 93 Suspicious execution chain found 12->93 16 cmd.exe 1 12->16         started        signatures6 process7 signatures8 61 Suspicious powershell command line found 16->61 63 Wscript starts Powershell (via cmd or directly) 16->63 19 cmd.exe 1 16->19         started        21 conhost.exe 16->21         started        process9 process10 23 cmd.exe 2 19->23         started        signatures11 77 Suspicious powershell command line found 23->77 79 Wscript starts Powershell (via cmd or directly) 23->79 26 powershell.exe 2 37 23->26         started        31 conhost.exe 23->31         started        process12 dnsIp13 57 bigbelly042.duckdns.org 45.74.10.249, 4477, 49714, 49715 HOSTROYALERO United States 26->57 59 geoplugin.net 178.237.33.50, 49716, 80 ATOM86-ASATOM86NL Netherlands 26->59 49 C:\Users\user\AppData\...\kspuq5wk.cmdline, Unicode 26->49 dropped 81 Detected Remcos RAT 26->81 83 Tries to steal Mail credentials (via file registry) 26->83 85 Maps a DLL or memory area into another process 26->85 33 powershell.exe 2 26->33         started        37 powershell.exe 1 26->37         started        39 csc.exe 3 26->39         started        41 2 other processes 26->41 file14 signatures15 process16 file17 45 C:\Users\user\AppData\Local\Temp\hrlo, Unicode 33->45 dropped 65 Tries to harvest and steal browser information (history, passwords, etc) 33->65 47 C:\Users\user\AppData\Local\...\kspuq5wk.dll, PE32 39->47 dropped 43 cvtres.exe 1 39->43         started        signatures18 process19
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/65e7c6cd6f17c560238f263be7d4efec7f817c1eb992c10e139688ae43a132f6
Verdict:
inconclusive
YARA:
2 match(es)
Link:
https://app.malva.re/file/8794b85b411a7e2b701ba6011bb48daa
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/65e7c6cd6f17c560238f263be7d4efec7f817c1eb992c10e139688ae43a132f6/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-07-24 12:18:04 UTC
File Type:
Text (HTML)
AV detection:
6 of 22 (27.27%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mxt4ntlpc7cwai4pey56pvhp5r7yc7a6xgjmcdqts2ek4q5bgl3a._file
Verdict:
malicious
Label(s):
donut_injector
Create hunting rule
nirsoft
Create hunting rule
remcos
Create hunting rule
admintool_mailpassview
Create hunting rule
Similar samples:
01e64e728e9cb3b71936e9e728a60bd347a9255a39b925534f3b6c730626b533
RemcosRAT
150adfe834b0509c5fa6f96048215cb69a9810d5ab2157aea11f72c6d9221e68
RemcosRAT
21224cc236d63c5d3d7d3f80be375d3c2408f7a91b08eb6a16d70c7db21106d9
RemcosRAT
49c04ebf5b502cf960b7808dbe53a7e28d2c9302da88c26873149d12b16b3560
RemcosRAT
6981d8702172dc39f302bdeb4917c0eb49f7c37b2a90bee41f64ccecc7e9497d
RemcosRAT
754da186c4e37abfd6f3a1c6108f567f4c05dd1082a8b139ec7745b108c377b8
RemcosRAT
a35234d3e33acbb7e53abaec38ced3a45f6df0ad5ee17ba52b49478d0418f1da
RemcosRAT
error
RemcosRAT
+ 1'173 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
collection discovery execution
Link:
https://tria.ge/reports/250724-q5g7dazks5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Blocklisted process makes network request
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/65e7c6cd6f17c560238f263be7d4efec7f817c1eb992c10e139688ae43a132f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_
Create hunting rule
Author:Michelle Khalil
Description:This rule detects unpacked remcos malware samples.
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:SUSP_PS1_JAB_Pattern_Jun22_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable
Reference:Internal Research
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:win_remcos_rat_unpacked
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:win_remcos_w0
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:yarahub_win_remcos_rat_unpacked_aug_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments