MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81e751866842193531d97c41db2569fffd954ebf710564897145a3439e95397b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

SHA256 hash: 81e751866842193531d97c41db2569fffd954ebf710564897145a3439e95397b
SHA3-384 hash: 7c9b5df6f8dff3274822c11fb2b920585f417164db55308d88ff880af7b93951b30cfaf1cbc5dcfe11e351d59cef2d51
SHA1 hash: 4900f9b61721b6bc1e69913d2b0ac1b5d613b4f3
MD5 hash: 8a0749d43826bcef94214b2c553abb52
humanhash: quiet-rugby-ack-nitrogen
File name: IMG_223735666.js
Signature: RemcosRAT
File size: 18'222 bytes
First seen: 2025-07-01 07:23:48 UTC
Last seen: Never
File type: JavaScript (JS)
MIME type: text/plain
ssdeep: 192:YtJA1IlP9m22BWAK/MbQ2B6BnTWlxj4eO4aVGK+gruEWDnl:WJHlPcfM+b5YNU7mv+gKEWp
Threatray: 1'305 similar samples on MalwareBazaar
TLSH: T16682618064598BA6DE7B0259D77AB820F39AC053653CE170B0DF9B467F25890907BFCB
Magika: javascript
Reporter: abuse_ch
Tags: js RemcosRAT

Intelligence

File Origin
# of uploads: 1
# of downloads: 394
Origin country: SE
Vendor Threat Intelligence

Verdict: Malicious
Score: 94.9%
Tags: obfuscate xtreme shell

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm fingerprint fingerprint obfuscated

Result
Threat name:
Detection: malicious
Classification: phis.troj.spyw.expl.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Detected Remcos RAT
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Found Tor onion address
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Powershell drops PE file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Remcos
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Process Parents
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph: [graph not reproduced in text] Behavior Graph ID: 1726156, Sample: IMG_223735666.js, Startdate: 01/07/2025, Architecture: WINDOWS, Score: 100. The graph traces the execution chain wscript.exe -> powershell.exe -> calc.exe -> Eddikernes.exe -> powershell.exe (with svchost.exe children performing the credential-theft behaviour), and network contacts to paste.ee, archive.org, cestfinidns.vip and geoplugin.net.
Verdict: inconclusive
YARA: 1 match(es)

Threat name: Script-JS.Backdoor.Remcos
Status: Malicious
First seen: 2025-07-01 06:01:09 UTC
File Type: Text (JavaScript)
AV detection: 6 of 38 (15.79%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:remotehost collection defense_evasion discovery execution persistence rat trojan
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Remcos
Remcos family
UAC bypass
Malware Config
C2 Extraction:
cestfinidns.vip:2404
mdnsserver.com:2404
Dropper Extraction:
https://archive.org/download/universe-1733359315202-8750/universe-1733359315202-8750.jpg
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments