MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87418c53ff6349b9dafe355cac6a53e58688062df7f9eb00d8769e942f4d4743. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87418c53ff6349b9dafe355cac6a53e58688062df7f9eb00d8769e942f4d4743
SHA3-384 hash: 6dec6afca8d1e8d75a07ed64fea475818e4e4097d7569d7245bca681346ff8986e8eb2b7db41946605028e7c289f4311
SHA1 hash: 620d3a7a7b42e59bf3cba92fefe582c6fd7a8d64
MD5 hash: 6be54ee5872ac2b4ae13b3906f105396
humanhash: lake-eleven-saturn-seven
File name:PO_4200000482.js
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'609 bytes
First seen:2025-05-09 14:55:53 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 24:TLvXBH/zzPZGGPoqzstssGDGkHrl4LlPDlzWsGXgH+xnnUqjmxci:HvNCZdHbqjoci
Threatray 4'199 similar samples on MalwareBazaar
TLSH T17931C2748AB16242DBCE9A0A4B4895424410F7EC3F64DF472DBEF6A9133B620707093F
Magika javascript
Reporter abuse_ch
Tags:js RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
404
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Other.Malware-gen.4694.25166.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=681e1a1ce16384d6a7035368
Tags:
obfuscate xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/681e17d80b64e174c41fd272/reports/7f43700b-5ca3-4197-a9d8-710d9de0d535/overview
Verdict:
Malicious
Labled as:
Trojan.Script.Heuristic
Link:
https://www.hybrid-analysis.com/sample/87418c53ff6349b9dafe355cac6a53e58688062df7f9eb00d8769e942f4d4743
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1685641
Signature
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Found Tor onion address
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Remcos
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1685641 Sample: PO_4200000482.js Startdate: 09/05/2025 Architecture: WINDOWS Score: 100 27 paste.ee 2->27 29 dn721207.ca.archive.org 2->29 31 2 other IPs or domains 2->31 45 Suricata IDS alerts for network traffic 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 53 12 other signatures 2->53 8 wscript.exe 1 1 2->8         started        12 svchost.exe 1 1 2->12         started        signatures3 51 Connects to a pastebin service (likely for C&C) 27->51 process4 dnsIp5 37 paste.ee 23.186.113.60, 443, 49681, 49682 KLAYER-GLOBALNL Reserved 8->37 63 System process connects to network (likely due to code injection or exploit) 8->63 65 JScript performs obfuscated calls to suspicious functions 8->65 67 Suspicious powershell command line found 8->67 69 3 other signatures 8->69 14 powershell.exe 14 15 8->14         started        39 127.0.0.1 unknown unknown 12->39 signatures6 process7 dnsIp8 41 dn721207.ca.archive.org 204.62.246.198, 443, 49691 COGENT-174US United States 14->41 43 archive.org 207.241.224.2, 443, 49690 INTERNET-ARCHIVEUS United States 14->43 71 Found Tor onion address 14->71 73 Writes to foreign memory regions 14->73 75 Injects a PE file into a foreign processes 14->75 18 AddInProcess32.exe 2 2 14->18         started        23 conhost.exe 14->23         started        signatures9 process10 dnsIp11 33 198.54.129.52, 6623 ST-BGPUS United States 18->33 35 myhost001.myddns.me 89.40.31.57, 9373 TELEMEDIA-ASRO Romania 18->35 25 C:\ProgramData\remcos\logs.dat, data 18->25 dropped 55 Detected Remcos RAT 18->55 57 Contains functionalty to change the wallpaper 18->57 59 Contains functionality to steal Chrome passwords or cookies 18->59 61 4 other signatures 18->61 file12 signatures13
Score:
79%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/87418c53ff6349b9dafe355cac6a53e58688062df7f9eb00d8769e942f4d4743
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/87418c53ff6349b9dafe355cac6a53e58688062df7f9eb00d8769e942f4d4743/
Threat name:
Script-JS.Backdoor.Remcos
Create hunting rule
Status:
Suspicious
First seen:
2025-05-08 21:52:44 UTC
File Type:
Binary
AV detection:
8 of 37 (21.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q5ayyu77mne3twx6gvoky2st4wdiqbrn6746wagyo2pjil2ni5bq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1b9ffe88ec292067ef1eafeffa284d8fb12a02b0d52f38fbe6834ab7a5c05009
RemcosRAT
3799fefd99f0042be2e286b28b2902fd3a7ec31d812694ff7a96f266b11b8003
RemcosRAT
a35234d3e33acbb7e53abaec38ced3a45f6df0ad5ee17ba52b49478d0418f1da
RemcosRAT
baa92cdc50fba4cec0928b6b1f7d1b89611dedfb9ddb2f1bef9236bc0422c460
RemcosRAT
bb71cf4146f24cefdc0944a3e36f14a628e781e0fa4ab228eff61dac89e7cff9
RemcosRAT
ca08bc376eae87f6c4b964e127f97ff16b1790632c6339dde3c7300481026ad0
RemcosRAT
d230d1ff355d413eb746d55e8a5fb167383c23c4e8a38631f05744da176c0cc1
RemcosRAT
d65c7d2e8c2336f34fc84f6f61a9e1e55c58e0fef0bafbd8b45348d16bb8b591
RemcosRAT
ead9358ac4ae2ac44f312810c49410e20efc7244655ed5a71e9526efb450567f
RemcosRAT
error
RemcosRAT
f747415080430ab9ae667ba1d2c6079c64d4566eaaf446e3b3ec764ad7144286
RemcosRAT
+ 4'189 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:may 7 den discovery execution rat
Link:
https://tria.ge/reports/250509-sbvxgsxkw8/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Remcos
Remcos family
Malware Config
C2 Extraction:
myhost001.myddns.me:9373
89.40.31.57:9373
198.54.129.52:6623
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/87418c53ff6349b9dafe355cac6a53e58688062df7f9eb00d8769e942f4d4743

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments