MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84e004cb51a9e3ad3cd6356d5bc8bc4ee65b0483f9be33a169d95f3fb4e48295. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 84e004cb51a9e3ad3cd6356d5bc8bc4ee65b0483f9be33a169d95f3fb4e48295
SHA3-384 hash: c1978b35f3197317ebd263240c13f2c24c96e1fc1abbf1081af56b4d4af64aea3452f7c3577c50b70b9d2c25b5ae7f59
SHA1 hash: e405bc0bd2936612218167af50f40aab72ba0d31
MD5 hash: 1fec5fb4798383259eff3b3310697c04
humanhash: butter-stairway-violet-nebraska
File name:PI0023013311_document_pdf.js
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:761'282 bytes
First seen:2026-06-22 15:16:50 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 12288:rzvDARLIxAxgn9NUKURZ7tH9Y/yH8VI5ebArDPTMyKEo+sni2t:8RLPg9W7tH93k0ebAfbeEo+sp
TLSH T130F45C20DE34067A0F471B99FCA50B62CABDC609462650F5F6DA070E61069FCE3FE769
Magika javascript
Reporter abuse_ch
Tags:js RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.GT.JS.Acsogenixx.3151.6D7A5F66.2187.28253.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a39280a1548daf709f8daca
Tags:
stration virus blic
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint masquerade repaired
Link:
https://www.filescan.io/uploads/6a3952ea90632a45f733405e/reports/98242903-760d-4209-ae1b-de6ca7ad1c6a/overview
Verdict:
Malicious
Labled as:
GT:JS.Acsogenixx.3151
Link:
https://www.hybrid-analysis.com/sample/84e004cb51a9e3ad3cd6356d5bc8bc4ee65b0483f9be33a169d95f3fb4e48295
Verdict:
Malicious
File Type:
js
First seen:
2026-06-22T09:26:00Z UTC
Last seen:
2026-06-22T09:52:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Script.SAgent.gen Trojan.JS.SAgent.sb
Link:
https://opentip.kaspersky.com/84e004cb51a9e3ad3cd6356d5bc8bc4ee65b0483f9be33a169d95f3fb4e48295/results?tab=lookup
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1931987
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Contains functionality to steal Internet Explorer form passwords
Detected Remcos RAT
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
JavaScript file contains Antivirus product strings
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Remcos
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Suspicious WerFault Winsock library load
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file registry)
Unusual module load detection (module proxying)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
WScript reads language and country specific registry keys (likely country aware script)
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1931987 Sample: PI0023013311_document_pdf.js Startdate: 22/06/2026 Architecture: WINDOWS Score: 100 54 pub-364c6b3011ca492cab2354176cfaf3f0.r2.dev 2->54 60 Found malware configuration 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 Antivirus detection for URL or domain 2->64 66 14 other signatures 2->66 8 powershell.exe 2->8         started        11 wscript.exe 1 2 2->11         started        14 explorer.exe 4 7 2->14         started        16 3 other processes 2->16 signatures3 process4 file5 92 Hides threads from debuggers 8->92 18 msedge_proxy.exe 7 12 8->18         started        23 conhost.exe 8->23         started        52 C:\Users\user\AppData\Local\Mytersbecr, ASCII 11->52 dropped 94 JScript performs obfuscated calls to suspicious functions 11->94 96 Injects code into the Windows Explorer (explorer.exe) 11->96 98 Windows Scripting host queries suspicious COM object (likely to drop second stage) 11->98 100 WScript reads language and country specific registry keys (likely country aware script) 11->100 25 explorer.exe 11->25         started        102 Obfuscated command line found 14->102 27 powershell.exe 14 16 14->27         started        29 powershell.exe 16->29         started        31 powershell.exe 16->31         started        33 conhost.exe 16->33         started        35 conhost.exe 16->35         started        signatures6 process7 dnsIp8 56 91.92.41.150, 2404, 49705, 49706 SINOWORLDWIDEHK Bulgaria 18->56 44 C:\Users\user\AppData\...\Login Data.tmp, SQLite 18->44 dropped 46 C:\Users\user\AppData\...\Login Data.tmp, SQLite 18->46 dropped 48 C:\Users\user\...\Login Data For Account.tmp, SQLite 18->48 dropped 50 C:\ProgramData\mecos\logs.dat, data 18->50 dropped 68 Detected Remcos RAT 18->68 70 Tries to harvest and steal browser information (history, passwords, etc) 18->70 72 Hides threads from debuggers 18->72 74 Tries to detect sandboxes / dynamic malware analysis system (Installed program check) 18->74 58 pub-364c6b3011ca492cab2354176cfaf3f0.r2.dev 104.18.54.45, 443, 49703, 49704 CLOUDFLARENET-CloudflareIncUS Canada 27->58 76 Obfuscated command line found 27->76 78 Found suspicious powershell code related to unpacking or dynamic code loading 27->78 80 Unusual module load detection (module proxying) 27->80 37 conhost.exe 27->37         started        40 msedge_proxy.exe 29->40         started        42 WerFault.exe 21 31->42         started        82 Installs a global keyboard hook 33->82 file9 signatures10 process11 signatures12 84 Installs a global keyboard hook 37->84 86 Detected Remcos RAT 40->86 88 Hides threads from debuggers 40->88 90 Suspicious WerFault Winsock library load 42->90
Score:
95%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/84e004cb51a9e3ad3cd6356d5bc8bc4ee65b0483f9be33a169d95f3fb4e48295
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/84e004cb51a9e3ad3cd6356d5bc8bc4ee65b0483f9be33a169d95f3fb4e48295/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/84e004cb51a9e3ad3cd6356d5bc8bc4ee65b0483f9be33a169d95f3fb4e48295
Threat name:
Script-JS.Trojan.Acsogenixx
Create hunting rule
Status:
Malicious
First seen:
2026-06-22 12:16:53 UTC
File Type:
Text (JavaScript)
AV detection:
4 of 24 (16.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qtqajs2rvhr22pgwgvwvxsf4j3tfwbed7g7dhilj3fpt7nheqkkq._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:reboust adware collection execution persistence ransomware rat spyware
Link:
https://tria.ge/reports/260622-sqpzsady3l/
Behaviour
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
outlook_office_path
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Adds Run key to start application
Drops desktop.ini file(s)
Enumerates connected drives
Checks computer location settings
Badlisted process makes network request
Boot or Logon Autostart Execution: Active Setup
Family: Remcos
Malware Config
C2 Extraction:
91.92.41.150:2404
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/84e004cb51a9e3ad3cd6356d5bc8bc4ee65b0483f9be33a169d95f3fb4e48295

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dependsonpythonailib
Create hunting rule
Author:Tim Brown
Description:Hunts for dependencies on Python AI libraries
Rule name:Guloader_Heuristic_VBS_A
Create hunting rule
Author:Ankit Anubhav - ankitanubhav.info
Description:Heuristic to detect 2023 Guloader variant
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:unknown_dropper
Create hunting rule
Author:#evilcel3ri
Description:Detects an unknown dropper
Rule name:Warp
Create hunting rule
Author:Seth Hardy
Description:Warp
Rule name:WarpStrings
Create hunting rule
Author:Seth Hardy
Description:Warp Identifying Strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments