MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 731b6649fe84198817a1009d4a7b18198d147e4948a34659bcc9d802bb996436. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 731b6649fe84198817a1009d4a7b18198d147e4948a34659bcc9d802bb996436
SHA3-384 hash: 6bfa441b1023632338713a3299fe07b0632ef1559c664be415893f9cf5faa81b88f6388646f1b5deb90cf68e25545d8d
SHA1 hash: f2b5aede29a5245dd7a3f9578e1706e4a55b0a3d
MD5 hash: 7670a59d8de13ab08c2846bc7180f6c0
humanhash: paris-bulldog-harry-three
File name:Purchase OrderPO#0200200.js
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'335'144 bytes
First seen:2026-02-04 10:35:27 UTC
Last seen:2026-02-04 14:16:14 UTC
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 384:ZNiUitaft/cprfqGf3fMdw6LJ5sBVK1K0I5Kamt4Z+wnnV6PCpHfO:cBG
TLSH T1675503905AC3BB881A8DD76583397414BD2B059035AB2105B3FAC1EFCF9984ED6CE7B1
Magika javascript
Reporter lowmal3
Tags:js RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
100
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=698321206b1af47db72cbc0f
Tags:
ransomware obfuscate xtreme lien
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 base64 evasive fingerprint masquerade obfuscated obfuscated overlay powershell repaired
Link:
https://www.filescan.io/uploads/6983211c981ff1d38a47e97b/reports/af0769cf-c387-4113-9259-5c5513e07eac/overview
Verdict:
Malicious
Labled as:
Trojan/Runner.ac
Link:
https://www.hybrid-analysis.com/sample/731b6649fe84198817a1009d4a7b18198d147e4948a34659bcc9d802bb996436
Result
Gathering data
Verdict:
Malicious
File Type:
text
Detections:
Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/731b6649fe84198817a1009d4a7b18198d147e4948a34659bcc9d802bb996436/results?tab=lookup
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1863179
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Detected Remcos RAT
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries the IP of a very long domain name
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Remcos
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Unusual module load detection (module proxying)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected MSIL Crypter
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1863179 Sample: Purchase OrderPO#0200200.js Startdate: 04/02/2026 Architecture: WINDOWS Score: 100 49 bafybeieq7tctzxkqidqpq4fjvtznbupqrpo2w4n4lfmzksehei4dinilii.ipfs.w3s.link 2->49 51 bafybeias4uzwo3l336d5ewygv2dd3oqbnlvrer5ndf5wyhjcwkm4igaafa.ipfs.w3s.link 2->51 55 Suricata IDS alerts for network traffic 2->55 57 Found malware configuration 2->57 59 Malicious sample detected (through community Yara rule) 2->59 63 21 other signatures 2->63 8 powershell.exe 14 15 2->8         started        12 wscript.exe 1 2 2->12         started        15 wscript.exe 2->15         started        signatures3 61 Queries the IP of a very long domain name 51->61 process4 dnsIp5 53 bafybeieq7tctzxkqidqpq4fjvtznbupqrpo2w4n4lfmzksehei4dinilii.ipfs.w3s.link 104.18.41.169, 443, 49722, 49724 CLOUDFLARENETUS United States 8->53 81 Writes to foreign memory regions 8->81 83 Injects a PE file into a foreign processes 8->83 17 wscript.exe 8->17         started        22 wscript.exe 8->22         started        24 conhost.exe 8->24         started        45 C:\Users\Public\Downloads45ame_File.js, ASCII 12->45 dropped 85 Suspicious powershell command line found 12->85 87 Wscript starts Powershell (via cmd or directly) 12->87 89 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->89 91 2 other signatures 12->91 26 powershell.exe 15->26         started        file6 signatures7 process8 dnsIp9 47 107.172.238.19, 2404, 49727, 49728 AS-COLOCROSSINGUS United States 17->47 39 C:\Users\user\AppData\Local\Temp\TH7732.tmp, MS-DOS 17->39 dropped 41 C:\Users\user\AppData\Local\Temp\TH7702.tmp, MS-DOS 17->41 dropped 43 C:\Users\user\AppData\Local\Temp\TH76D2.tmp, MS-DOS 17->43 dropped 65 System process connects to network (likely due to code injection or exploit) 17->65 67 Detected Remcos RAT 17->67 69 Maps a DLL or memory area into another process 17->69 28 RmClient.exe 2 17->28         started        31 RmClient.exe 1 17->31         started        33 RmClient.exe 1 17->33         started        71 Found hidden mapped module (file has been removed from disk) 22->71 73 Unusual module load detection (module proxying) 22->73 75 Switches to a custom stack to bypass stack traces 22->75 77 Writes to foreign memory regions 26->77 79 Injects a PE file into a foreign processes 26->79 35 wscript.exe 26->35         started        37 conhost.exe 26->37         started        file10 signatures11 process12 signatures13 93 Tries to steal Mail credentials (via file registry) 28->93 95 Tries to harvest and steal browser information (history, passwords, etc) 28->95 97 Unusual module load detection (module proxying) 28->97 99 Tries to steal Instant Messenger accounts or passwords 31->99 101 Tries to steal Mail credentials (via file / registry access) 31->101 103 Detected Remcos RAT 35->103
Score:
22%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/731b6649fe84198817a1009d4a7b18198d147e4948a34659bcc9d802bb996436
Verdict:
inconclusive
YARA:
1 match(es)
Link:
https://app.malva.re/file/7670a59d8de13ab08c2846bc7180f6c0
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/731b6649fe84198817a1009d4a7b18198d147e4948a34659bcc9d802bb996436/
Verdict:
Malicious
Threat:
Family.REVERSELOADER
Link:
https://tip.neiki.dev/file/731b6649fe84198817a1009d4a7b18198d147e4948a34659bcc9d802bb996436
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=omnwmsp6qqmyqf5bacouu6yydggri7sjjcrumwn4zhmafo4zmq3a._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection discovery execution persistence rat
Link:
https://tria.ge/reports/260204-mnb29aet2d/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: JavaScript
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Detected Nirsoft tools
NirSoft MailPassView
Process spawned unexpected child process
Remcos
Remcos family
Malware Config
C2 Extraction:
107.172.238.19:2404
Dropper Extraction:
https://bafybeieq7tctzxkqidqpq4fjvtznbupqrpo2w4n4lfmzksehei4dinilii.ipfs.w3s.link/optimized_MSI.png
Malware family:
MailPassView
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/731b6649fe84/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Java Script (JS) js 731b6649fe84198817a1009d4a7b18198d147e4948a34659bcc9d802bb996436

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments