MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c1c70aded6d744c75062b3fe5fdd6054d966540425b424bb01aff84c81ecb31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	6c1c70aded6d744c75062b3fe5fdd6054d966540425b424bb01aff84c81ecb31
SHA3-384 hash:	8eedc887793b36b62158597a4b7ca7b2c6245d8c954029dce98526daf791135fdd8ffc710551953d2d5a7dd8c8a34213
SHA1 hash:	ab411f1367a555c1ef254e06f7a0badcf746ee1f
MD5 hash:	24c55f0ae0cc7d3aa52e504d3d2c2a95
humanhash:	beryllium-paris-video-yellow
File name:	Telex_Release_BL_Invoice_Packing_List.JS
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	6'774'930 bytes
First seen:	2026-01-27 16:27:04 UTC
Last seen:	Never
File type:	js
MIME type:	text/plain
ssdeep	98304:oO+hvKGzoL4I+OdeLGPM92LTbVTcqEoIY7FzDC7k8iqzN4zi+bN6dOOcGALWnMfa:5ozokIv8mTcqjpDthaN4oBOLWniA
Threatray	3'021 similar samples on MalwareBazaar
TLSH	T1656629015E94F155F6763EBB9C37F2A50A20B42F3CD0BB0936E98E8B3609E1567D4932
Magika	javascript
Reporter	smica83
Tags:	js RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

141

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6978e7776fa3eed1652f93f6

Tags:

autoit emotet lien

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug autoit dropper evasive expired-cert fingerprint keylogger masquerade obfuscated repaired

Link:

https://www.filescan.io/uploads/6978e770a57b6af70d0eff18/reports/f30fd7cd-8d4b-40e4-bd61-5bb9ee7256cd/overview

Verdict:

Suspicious

Labled as:

HEUR_Trojan_Script_Generic

Link:

https://www.hybrid-analysis.com/sample/6c1c70aded6d744c75062b3fe5fdd6054d966540425b424bb01aff84c81ecb31

Verdict:

Malicious

File Type:

First seen:

2026-01-26T10:05:00Z UTC

Last seen:

2026-01-28T05:29:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Dropper.Script.Generic HEUR:Trojan.Script.Generic

Link:

https://opentip.kaspersky.com/6c1c70aded6d744c75062b3fe5fdd6054d966540425b424bb01aff84c81ecb31/results?tab=lookup

Result

Threat name:

Remcos, DonutLoader

Detection:

malicious

Classification:

phis.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1858474

Signature

Allocates memory in foreign processes

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Detected Remcos RAT

Found hidden mapped module (file has been removed from disk)

Found malware configuration

JavaScript source code contains functionality to generate code involving a shell, file or stream

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Execution from Suspicious Folder

Sigma detected: Remcos

Sigma detected: Suspicious Creation with Colorcpl

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Sigma detected: WScript or CScript Dropper

Suricata IDS alerts for network traffic

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Unusual module load detection (module proxying)

Uses dynamic DNS services

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected DonutLoader

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Gathering data

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/6c1c70aded6d744c75062b3fe5fdd6054d966540425b424bb01aff84c81ecb31/

Verdict:

Malicious

Threat:

Trojan.Script

Link:

https://tip.neiki.dev/file/6c1c70aded6d744c75062b3fe5fdd6054d966540425b424bb01aff84c81ecb31

Threat name:

Script-JS.Trojan.Generic

Status:

Suspicious

First seen:

2026-01-26 18:56:15 UTC

File Type:

Binary

AV detection:

6 of 24 (25.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nqohblpnnv2ey5igfm76l7owavgzmzkaijnues5qdl7yjsa6zmyq._file

Verdict:

malicious

Label(s):

nirsoft

remcos

admintool_mailpassview

Result

Malware family:

donutloader

Score:

10/10

Tags:

family:donutloader collection discovery execution loader

Link:

https://tria.ge/reports/260127-tydgdsf14a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Launches sc.exe

Suspicious use of SetThreadContext

Accesses Microsoft Outlook accounts

Checks computer location settings

Executes dropped EXE

Detected Nirsoft tools

NirSoft MailPassView

Detects DonutLoader

DonutLoader

Donutloader family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.60

Link:

https://yomi.yoroi.company/submissions/6c1c70aded6d744c75062b3fe5fdd6054d966540425b424bb01aff84c81ecb31

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample