MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7eab4d2fbc01c32c04781a9d2f88f911cce2e2de54920a0a9e8f5777300518c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments

SHA256 hash:	7eab4d2fbc01c32c04781a9d2f88f911cce2e2de54920a0a9e8f5777300518c3
SHA3-384 hash:	bece9dc943635b1a7070a0141fdd5eda7a239b1123634d1036fffc25b19513b3bf24df85c59ac52198254716b077b412
SHA1 hash:	2fdbce9f6d613dd44b1bc6ebc36fed081012d2e1
MD5 hash:	841a87b18d3f25d2d0a84cc0d5a7d818
humanhash:	uncle-purple-steak-three
File name:	Quotation-RFQ(967882026).vbs
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'266'026 bytes
First seen:	2026-01-16 16:35:47 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	192:RQW1olRggrlckHXMAwvuATCvc57OlYsbT:8z
Threatray	2'041 similar samples on MalwareBazaar
TLSH	T1724508A2CDB9B9453DD8EC6025BB8DF4DC6780BB799D0BE89BC008F24305A5B291E475
TrID	66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1) 33.3% (.MP3) MP3 audio (1000/1)
Magika	unknown
Reporter	abuse_ch
Tags:	RemcosRAT vbs

Intelligence

File Origin

# of uploads :

# of downloads :

141

Origin country :

Vendor Threat Intelligence

No detections

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/49109/

Detection(s):

Sanesecurity.Malware.26618.JsHeur.UNOFFICIAL

Verdict:

Clean

Score:

N/A%

Link:

https://cyber-fortress.com/docs/result/index.php?id=696a694cef906a21abcdc853

Tags:

n/a

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 evasive networm powershell ransomware

Link:

https://www.filescan.io/uploads/696a691e6694ad95ed501483/reports/6e5632d9-5b1d-418d-9e50-654dd5fb7161/overview

Verdict:

Malicious

Labled as:

GT:VB.Trojan.Ransomware.GN

Link:

https://www.hybrid-analysis.com/sample/7eab4d2fbc01c32c04781a9d2f88f911cce2e2de54920a0a9e8f5777300518c3

Verdict:

Malicious

File Type:

unknown

First seen:

2026-01-15T11:16:00Z UTC

Last seen:

2026-01-18T08:21:00Z UTC

Hits:

~100

Detections:

Trojan-Downloader.JS.Cryptoload.sb Trojan.VBS.SAgent.sb Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Script.Generic

Link:

https://opentip.kaspersky.com/7eab4d2fbc01c32c04781a9d2f88f911cce2e2de54920a0a9e8f5777300518c3/results?tab=lookup

Result

Threat name:

n/a

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1852172

Signature

Bypasses PowerShell execution policy

Connects to a pastebin service (likely for C&C)

Found suspicious powershell code related to unpacking or dynamic code loading

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: WScript or CScript Dropper

Sigma detected: WScript or CScript Dropper - File

Suspicious execution chain found

Suspicious powershell command line found

VBScript performs obfuscated calls to suspicious functions

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Windows Shell Script Host drops VBS files

Wscript starts Powershell (via cmd or directly)

Yara detected Generic Downloader

Yara detected Powershell download and execute

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/7eab4d2fbc01c32c04781a9d2f88f911cce2e2de54920a0a9e8f5777300518c3

Gathering data

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/7eab4d2fbc01c32c04781a9d2f88f911cce2e2de54920a0a9e8f5777300518c3/

Verdict:

Malicious

Threat:

Family.REMCOSRAT

Link:

https://tip.neiki.dev/file/7eab4d2fbc01c32c04781a9d2f88f911cce2e2de54920a0a9e8f5777300518c3

Threat name:

Win32.Worm.NetWorm

Status:

Suspicious

First seen:

2026-01-15 15:07:44 UTC

File Type:

Binary

AV detection:

7 of 24 (29.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=p2vu2l54ahbsybdydkos7chzchgofyw6ksjaucu6r5lxomafddbq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

3d812dbcda54523e6aa3ab459ad7f2dd8fa29b777b8f51052fadfbcc016d4aba

RemcosRAT

4c188a5d3208a2a49002ba3bc5325980e6852130209280486fce7a02a82fbced

RemcosRAT

72be52fba2205242c1ce33347edf5f3e207188663300f522a6a6ec36c6a73237

RemcosRAT

8f03b29aa7892aeee0569b5b0104f290ecb33749bbf11eb406f8dbb069f21779

RemcosRAT

e7a7b1d0ebf9cbb2760f3795b42b1b39596ab0eabf1cb12417ba2e8e42494708

RemcosRAT

eecc7116c5730d44a829ee1e1d91cada1e9deb98122b358503e493aa5e60087a

RemcosRAT

error

RemcosRAT

f8091ce64c34368f353d967c79bb9ef16730552c22c06857be965bc50f06c98c

RemcosRAT

+ 2'031 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost discovery execution rat

Link:

https://tria.ge/reports/260116-t4dz4saw2g/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Command and Scripting Interpreter: PowerShell

Contacts third-party web service commonly abused for C2

Checks computer location settings

Badlisted process makes network request

Remcos

Remcos family

Malware Config

C2 Extraction:

caliboooooooooooooo.ydns.eu:2555

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7eab4d2fbc01c32c04781a9d2f88f911cce2e2de54920a0a9e8f5777300518c3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/49109/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample