MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e7b45cff195d3b5234ecb0d64022233bb382524960fee75316ffeb3c87ad102. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6e7b45cff195d3b5234ecb0d64022233bb382524960fee75316ffeb3c87ad102
SHA3-384 hash: b2d175fc5eb84666cf20443c82da93e6e85b45bb405a45e1ce83464fd7e1098fe34ac1bdd2d6856b13b08eef7e1c1075
SHA1 hash: 7df617d49c70a11288eff6e554c6e4dbba195618
MD5 hash: 0c162148d45ece4aac629b44b5d275a4
humanhash: nitrogen-tennis-magnesium-king
File name:transferencia_pdf.JS
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:2'626'589 bytes
First seen:2025-05-21 07:56:10 UTC
Last seen:2025-05-27 06:38:47 UTC
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 768:HnY1xARqxSPNxQl8x1kZkM13xdGsxLkDxOuJKxyHvWP8xOl5b4/x5lzxNwGxniDz:HVkZk4/USCrzVlscNIf9
Threatray 957 similar samples on MalwareBazaar
TLSH T1F2C5E9D5EA028BC0D2130EDE2D21BF1A189BF866DBD7334D1359BCD64976495EBE0C22
Magika javascript
Reporter abuse_ch
Tags:js RemcosRAT webmail-aruba-it--ajaxfile

Intelligence

File Origin
# of uploads :
2
# of downloads :
446
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.PUA.JS.Obfus-2525.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PUA.JS.Obfus-2179.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.31320.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682d8730c28c67d666437d41
Tags:
obfuscate xtreme shell
Verdict:
Suspicious
Labled as:
SVM:TrojanDownloader/JS.Nemucod
Link:
https://www.hybrid-analysis.com/sample/6e7b45cff195d3b5234ecb0d64022233bb382524960fee75316ffeb3c87ad102
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1695699
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Remcos
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1695699 Sample: transferencia_pdf.JS.js Startdate: 21/05/2025 Architecture: WINDOWS Score: 100 23 webmail.aruba.it 2->23 25 pki-goog.l.google.com 2->25 27 3 other IPs or domains 2->27 37 Suricata IDS alerts for network traffic 2->37 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 12 other signatures 2->43 8 wscript.exe 1 1 2->8         started        signatures3 process4 signatures5 45 JScript performs obfuscated calls to suspicious functions 8->45 47 Suspicious powershell command line found 8->47 49 Wscript starts Powershell (via cmd or directly) 8->49 51 2 other signatures 8->51 11 powershell.exe 14 15 8->11         started        process6 dnsIp7 33 huadongrubbercable.com 198.54.114.164, 443, 49692 NAMECHEAP-NETUS United States 11->33 35 webmail.aruba.it 62.149.158.90, 443, 49691 ARUBA-ASNIT Italy 11->35 53 Writes to foreign memory regions 11->53 55 Injects a PE file into a foreign processes 11->55 15 MSBuild.exe 11->15         started        18 MSBuild.exe 4 13 11->18         started        21 conhost.exe 11->21         started        signatures8 process9 dnsIp10 57 Contains functionality to bypass UAC (CMSTPLUA) 15->57 59 Contains functionalty to change the wallpaper 15->59 61 Contains functionality to steal Chrome passwords or cookies 15->61 65 2 other signatures 15->65 29 196.251.115.153, 3431, 49696, 49698 xneeloZA Seychelles 18->29 31 geoplugin.net 178.237.33.50, 49700, 80 ATOM86-ASATOM86NL Netherlands 18->31 63 Detected Remcos RAT 18->63 signatures11
Score:
98%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/6e7b45cff195d3b5234ecb0d64022233bb382524960fee75316ffeb3c87ad102
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6e7b45cff195d3b5234ecb0d64022233bb382524960fee75316ffeb3c87ad102/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-05-20 23:29:43 UTC
File Type:
Text (JavaScript)
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nz5ult7rsxj3ki2ozmgwiarcgo5tqjjesyh645jrn77lhsd22eba._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
nirsoft
Create hunting rule
admintool_mailpassview
Create hunting rule
Similar samples:
059bcc0024f1533c5d63e3dde7ef187be956b855fd3f8792673cd575e053050a
RemcosRAT
13cbede450e1c06e03ef174fd85e1007d4a8bc0b039fb37c99176a8aa73c229e
RemcosRAT
18c96dbde931aa37ed3e519ce700da01c5d47cb5e1b50116e6d6ba1109d22566
RemcosRAT
6c35af60300422f68dc16bbc443fc6a63190bc71a5ff1cce2e985056efad754b
RemcosRAT
903ee65f5cca5ef223d0a0f3f40fca223e5f07318826b68f7ab14d7dc1ec2f1d
RemcosRAT
9f146cf7dbef2543742cf970ce79bf792211b2ffec0426600bab4e556874125b
RemcosRAT
cf1f146ffa6951e45c24eada8fcef9fae06e8c7613ea0a5438d7bb6b868cadc9
RemcosRAT
error
RemcosRAT
+ 947 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection discovery execution rat
Link:
https://tria.ge/reports/250521-jyl4esgj9v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Remcos
Remcos family
Malware Config
C2 Extraction:
196.251.115.153:3431
Dropper Extraction:
https://webmail.aruba.it/smart/cgi-bin/ajaxfile?ACT_FIL_DL=1&PUBLICUID=@1.VFMxM0RLUmlpak5VUCt4RkdEU3luR3VzRmxneHAzUStkTzBJZythWmhBYXR2Rng3R2dCNVl5V3djYTBnV0luVA==
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6e7b45cff195/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6e7b45cff195d3b5234ecb0d64022233bb382524960fee75316ffeb3c87ad102

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments