MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ccc6e02a9571b7e04dd21f1571e3db4f5af3c61d6fbb17c691014621a4b4eb7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7ccc6e02a9571b7e04dd21f1571e3db4f5af3c61d6fbb17c691014621a4b4eb7
SHA3-384 hash: db7e0487208ec2879034347c6071ab313954011b6cec98d072dc4dd313b054ff9ab29856b44c939940a3b2639b4f78ba
SHA1 hash: 9512b8292a007482b8c9a6effc6a6cb7b1dc0756
MD5 hash: 71248e7a988f6c33a15217f84126d476
humanhash: five-sixteen-uniform-oregon
File name:Quotation.JS
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:6'887'919 bytes
First seen:2025-06-30 14:00:12 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 6144:GfHofoVqiiAeUyZ+TRNYPUJISd3Zy1nYAF8gVXVFRfjvnx3BhIz/VmhCoqEuOhHu:Gf5
Threatray 1'073 similar samples on MalwareBazaar
TLSH T1CE669D8E8D0FF7433092DFE06A88B99AE03B668317116B3074DC5D0AB74DE9A1DDD658
Magika javascript
Reporter abuse_ch
Tags:js RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
343
Origin country :
SE SE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.PUA.JS.Obfus-2525.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PUA.JS.Obfus-2179.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=686298d537c343677947cc2a
Tags:
autorun emotet delphi
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context dropper evasive fingerprint keylogger obfuscated packed remcos
Link:
https://www.filescan.io/uploads/686298a4714e106cecb7ceb2/reports/98eee2c3-a61b-46d0-92fa-e43ae72002b9/overview
Verdict:
Malicious
Labled as:
Trojan/JS.Obfuscator
Link:
https://www.hybrid-analysis.com/sample/7ccc6e02a9571b7e04dd21f1571e3db4f5af3c61d6fbb17c691014621a4b4eb7
Result
Threat name:
DBatLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1725621
Signature
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files with a suspicious file extension
Found hidden mapped module (file has been removed from disk)
Found malware configuration
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1725621 Sample: Quotation.JS.js Startdate: 30/06/2025 Architecture: WINDOWS Score: 100 56 chukwunweikefrankokiteamaekeibeku.ydns.eu 2->56 58 geoplugin.net 2->58 72 Suricata IDS alerts for network traffic 2->72 74 Found malware configuration 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 16 other signatures 2->78 9 wscript.exe 1 5 2->9         started        12 rundll32.exe 3 2->12         started        signatures3 process4 signatures5 90 Windows Scripting host queries suspicious COM object (likely to drop second stage) 9->90 14 Quotation.JS.js.pif 8 9->14         started        18 Skcywudi.PIF 12->18         started        process6 file7 54 C:\Users\Public\Libraries\iduwyckS.pif, PE32 14->54 dropped 92 Drops PE files with a suspicious file extension 14->92 94 Writes to foreign memory regions 14->94 96 Allocates memory in foreign processes 14->96 98 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 14->98 20 iduwyckS.pif 4 16 14->20         started        25 cmd.exe 1 14->25         started        27 cmd.exe 1 14->27         started        29 cmd.exe 1 14->29         started        100 Sample uses process hollowing technique 18->100 102 Allocates many large memory junks 18->102 31 iduwyckS.pif 18->31         started        signatures8 process9 dnsIp10 60 chukwunweikefrankokiteamaekeibeku.ydns.eu 31.57.38.195, 20909, 49686, 49687 RASANAIR Iran (ISLAMIC Republic Of) 20->60 62 geoplugin.net 178.237.33.50, 49688, 80 ATOM86-ASATOM86NL Netherlands 20->62 48 C:\Users\user\AppData\Local\Temp\TH9B45.tmp, MS-DOS 20->48 dropped 50 C:\Users\user\AppData\Local\Temp\TH9B24.tmp, MS-DOS 20->50 dropped 52 C:\Users\user\AppData\Local\Temp\TH9B04.tmp, PE32 20->52 dropped 80 Contains functionality to bypass UAC (CMSTPLUA) 20->80 82 Detected unpacking (changes PE section rights) 20->82 84 Detected unpacking (overwrites its own PE header) 20->84 88 6 other signatures 20->88 33 svchost.exe 2 20->33         started        36 svchost.exe 1 20->36         started        38 svchost.exe 1 20->38         started        86 Uses schtasks.exe or at.exe to add and modify task schedules 25->86 40 conhost.exe 25->40         started        42 conhost.exe 27->42         started        44 schtasks.exe 1 27->44         started        46 conhost.exe 29->46         started        file11 signatures12 process13 signatures14 64 Tries to steal Mail credentials (via file registry) 33->64 66 Tries to harvest and steal browser information (history, passwords, etc) 33->66 68 Tries to steal Instant Messenger accounts or passwords 36->68 70 Tries to steal Mail credentials (via file / registry access) 36->70
Score:
95%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/7ccc6e02a9571b7e04dd21f1571e3db4f5af3c61d6fbb17c691014621a4b4eb7
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7ccc6e02a9571b7e04dd21f1571e3db4f5af3c61d6fbb17c691014621a4b4eb7/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ptgg4avjk4nx4bg5ehyvohr5wt226pdb2353c7djcakgegslj23q._file
Verdict:
malicious
Label(s):
admintool_mailpassview
Create hunting rule
remcos
Create hunting rule
nirsoft
Create hunting rule
dbatloader
Create hunting rule
Similar samples:
2567bb2ba292ab96811afc9a327e2e5cdccbc021c3d4aad732a5703c0b4dfd07
RemcosRAT
55fe10713916a9cdac684c3a3fa263d625152a878ad98284d441b38355b57825
RemcosRAT
5f8469ff520ad563203f02d05f56eb5733cac27fb4361dc15ff3bc80aa78745d
RemcosRAT
6e7b45cff195d3b5234ecb0d64022233bb382524960fee75316ffeb3c87ad102
RemcosRAT
7ccc6e02a9571b7e04dd21f1571e3db4f5af3c61d6fbb17c691014621a4b4eb7
RemcosRAT
8ea1191cb0262d9bc190a308cbd4482ad6f03d789606086a5abf08e14eaaea42
RemcosRAT
b47945f5a8a0405201cbc297352c11accfcec2f958af608ca2781fc39e98c33d
RemcosRAT
b90f8129ec55162b7b71f43cfad32c11666a07b22afca589e6ddeacac317a56a
RemcosRAT
d2936c4c9e37a7fb9f49ac6079956ae936288815716868d578ebdffa0723dbdc
RemcosRAT
error
RemcosRAT
+ 1'063 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader collection discovery execution trojan
Link:
https://tria.ge/reports/250630-rbd4assjy9/
Behaviour
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detected Nirsoft tools
ModiLoader Second Stage
NirSoft MailPassView
ModiLoader, DBatLoader
Modiloader family
Malware family:
DBatLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7ccc6e02a957/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7ccc6e02a9571b7e04dd21f1571e3db4f5af3c61d6fbb17c691014621a4b4eb7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments