MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 863ebc5c327b6598f24309490e5241793d119f36704abccc2d28dd1fd76735a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 863ebc5c327b6598f24309490e5241793d119f36704abccc2d28dd1fd76735a8
SHA3-384 hash: c7097dc479fcbc987bf46047d7fc99cb3bb9311893d0b4f5888531dad7c026ead2a379be122f58476a45d6fea4b57334
SHA1 hash: 42d6ef5d0f7317d2d85478af46ba3bc6ac80be6b
MD5 hash: e6d40230f82bf6ef3d234065126b8819
humanhash: vermont-muppet-south-vegan
File name:purchase order Purchase Order PO004460.js
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'237'969 bytes
First seen:2026-02-09 09:10:36 UTC
Last seen:2026-02-09 10:36:08 UTC
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 96:jjW8q575REW3fxgqFuPmvMQGxgqF+WKzxqqj08xgqF+s6cewnKin2eSkblol5n5B:jiY0foctJA
Threatray 2'068 similar samples on MalwareBazaar
TLSH T1464500244D9FE6899FACC1311A42A645DFC76482F376276AB1F7C9CEE006418BFB4172
Magika javascript
Reporter lowmal3
Tags:js RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
120
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.Other.Malware-gen.12249639.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6989a4b642fd65534ccdcec9
Tags:
obfuscate xtreme blic
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 evasive fingerprint masquerade obfuscated powershell repaired
Link:
https://www.filescan.io/uploads/6989a4b1981ff1d38a4df7c0/reports/66adfed4-7512-431a-86a5-da909bc46cde/overview
Verdict:
Suspicious
Labled as:
Trojan/Runner.ac
Link:
https://www.hybrid-analysis.com/sample/863ebc5c327b6598f24309490e5241793d119f36704abccc2d28dd1fd76735a8
Verdict:
Malicious
File Type:
js
First seen:
2026-02-09T05:16:00Z UTC
Last seen:
2026-02-11T06:52:00Z UTC
Hits:
~1000
Detections:
Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/863ebc5c327b6598f24309490e5241793d119f36704abccc2d28dd1fd76735a8/results?tab=lookup
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1865957
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Found malware configuration
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1865957 Sample: purchase order Purchase Ord... Startdate: 09/02/2026 Architecture: WINDOWS Score: 100 39 107.172.238.19 AS-COLOCROSSINGUS United States 2->39 41 gateway.lighthouse.storage 2->41 43 d1zwe7rg2uojh7.cloudfront.net 2->43 49 Suricata IDS alerts for network traffic 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 17 other signatures 2->55 8 wscript.exe 1 2 2->8         started        12 powershell.exe 14 15 2->12         started        15 wscript.exe 2->15         started        17 svchost.exe 1 1 2->17         started        signatures3 process4 dnsIp5 37 C:\Users\Public\Downloads37ame_File.js, ASCII 8->37 dropped 57 Suspicious powershell command line found 8->57 59 Wscript starts Powershell (via cmd or directly) 8->59 61 Windows Scripting host queries suspicious COM object (likely to drop second stage) 8->61 63 2 other signatures 8->63 45 d1zwe7rg2uojh7.cloudfront.net 18.172.170.119, 443, 49682, 49690 MIT-GATEWAYSUS United States 12->45 19 conhost.exe 12->19         started        21 cmd.exe 12->21         started        23 cmd.exe 12->23         started        27 3 other processes 12->27 25 powershell.exe 15->25         started        47 127.0.0.1 unknown unknown 17->47 file6 signatures7 process8 process9 29 conhost.exe 25->29         started        31 cmd.exe 25->31         started        33 cmd.exe 25->33         started        35 3 other processes 25->35
Score:
9%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/863ebc5c327b6598f24309490e5241793d119f36704abccc2d28dd1fd76735a8
Verdict:
inconclusive
YARA:
1 match(es)
Link:
https://app.malva.re/file/e6d40230f82bf6ef3d234065126b8819
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/863ebc5c327b6598f24309490e5241793d119f36704abccc2d28dd1fd76735a8/
Verdict:
Malicious
Threat:
Family.REVERSELOADER
Link:
https://tip.neiki.dev/file/863ebc5c327b6598f24309490e5241793d119f36704abccc2d28dd1fd76735a8
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qy7lyxbspnszr4sdbfeq4usbpe6rdhzwobflztbnfdor7v3hgwua._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
admintool_mailpassview
Create hunting rule
nirsoft
Create hunting rule
Similar samples:
1922697d087e317f6324f8bf2d43d8ac8754e2d02a78f0679f7aeba2c95821f6
RemcosRAT
253e8082a7dc04456718a612a293e458949bdc561127fef7673216db2b22b1bc
RemcosRAT
4a4d4e50959a6853fbf3ba58b9bb8c89d9e8b0ed0a52ee48d0496a233cb1572d
RemcosRAT
4f33d435a7f7be68655e42e6c49e09e79d86f568b07696002e8390dac1a6ae45
RemcosRAT
4f4faefccd62720a0f4febe5da5b1bdba3c6a27325bccfc42d1b5642f10b7c6e
RemcosRAT
69a8fdb371c0db74309af631c4a8c5844db6afd759d3fbf5f4fea8afc6f13656
RemcosRAT
7e820f2a3cdf17787913010cb6c3b5ca8155c957642d7493ba9af3e6671ebf9c
RemcosRAT
8848e239974fd64817049eb47c0fe8075b14a54e02cd5c83362589648c9b2c09
RemcosRAT
error
RemcosRAT
f6f4ebaad107ea8d7ca36820f2ce6dd40b40e004b70c7656ce0ebfe66200fca3
RemcosRAT
f911a5130f9608781db253c2686e1a133c01cd76295ec55404517062e5fde5a9
RemcosRAT
+ 2'058 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection discovery execution persistence rat
Link:
https://tria.ge/reports/260209-k5p94ahv9c/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: JavaScript
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Detected Nirsoft tools
NirSoft MailPassView
Process spawned unexpected child process
Remcos
Remcos family
Malware Config
C2 Extraction:
107.172.238.19:2404
Dropper Extraction:
https://gateway.lighthouse.storage/ipfs/bafybeiccsnjvdjz3psqgwmeu6gj3weuc7tqpfb376kt3xu5tendi5qvtce
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/863ebc5c327b6598f24309490e5241793d119f36704abccc2d28dd1fd76735a8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Java Script (JS) js 863ebc5c327b6598f24309490e5241793d119f36704abccc2d28dd1fd76735a8

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments