MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89bfece0fa4499eb58fe0e112ef212e32fab31f1d14432eba8eb30dce89d1aba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 89bfece0fa4499eb58fe0e112ef212e32fab31f1d14432eba8eb30dce89d1aba
SHA3-384 hash: ba9089c4896e8b7fd7f28a432fef658bc08e798706a126b48f1ee54c231771910a57985483e5ffea06a46ba425ffef59
SHA1 hash: 6aba89bc0391d1ae04a2479ebbaf12d9f1af3499
MD5 hash: e8eeac1d79057adf62f728876f0fb6e1
humanhash: winner-mountain-arizona-lion
File name:2981425613_AWB Shiping Docs.JS
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:4'806'106 bytes
First seen:2026-05-12 20:42:40 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 98304:xeLIbuCbEiwKthDtxYBcxjMcrf8efN9Qn40pY/C3mvGivQXs/i5lo91/qQSEjDn6:x33thZxSORFqn40pYK2LT1YEjzqFugae
TLSH T1E3268C2C236CD7D2B5E9D736C81EFAF09A2D98176D94FE0520698A5CC684F03339C59B
Magika javascript
Reporter Anonymous
Tags:js RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
136
Origin country :
US US
Vendor Threat Intelligence
No detections
Detection(s):
Sanesecurity.Malware.31320.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a0390e7aa2b27a55c89c878
Tags:
autoit cobalt emotet
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug autoit dropper evasive fingerprint keylogger obfuscated reconnaissance repaired
Link:
https://www.filescan.io/uploads/6a0390ec2fcb905ec2926baa/reports/e67f99ae-6c19-4aae-8439-9b821849730b/overview
Verdict:
Suspicious
Labled as:
JS/Agent.ECX
Link:
https://www.hybrid-analysis.com/sample/89bfece0fa4499eb58fe0e112ef212e32fab31f1d14432eba8eb30dce89d1aba
Verdict:
Malicious
File Type:
js
First seen:
2026-05-12T04:57:00Z UTC
Last seen:
2026-05-13T04:53:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan.Script.Obfus.gen HEUR:Trojan.Script.Generic HEUR:Trojan-Dropper.Script.Generic HEUR:Trojan-Downloader.Script.Generic
Link:
https://opentip.kaspersky.com/89bfece0fa4499eb58fe0e112ef212e32fab31f1d14432eba8eb30dce89d1aba/results?tab=lookup
Gathering data
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/89bfece0fa4499eb58fe0e112ef212e32fab31f1d14432eba8eb30dce89d1aba/
Verdict:
Malicious
Threat:
Trojan.Script.Obfus
Link:
https://tip.neiki.dev/file/89bfece0fa4499eb58fe0e112ef212e32fab31f1d14432eba8eb30dce89d1aba
Threat name:
Script-JS.Backdoor.Remcos
Create hunting rule
Status:
Suspicious
First seen:
2026-05-12 20:02:58 UTC
File Type:
Binary
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rg76zyh2ism6wwh6byis54qs4mx2wmpr2fcdf25i5mynz2e5dk5a._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:remcos botnet:remotehost discovery execution loader rat
Link:
https://tria.ge/reports/260512-zhqpnsdx2q/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Checks computer location settings
Executes dropped EXE
Detects DonutLoader
Family: DonutLoader
Family: Remcos
Malware Config
C2 Extraction:
103.83.87.8:1515
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/89bfece0fa4499eb58fe0e112ef212e32fab31f1d14432eba8eb30dce89d1aba

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments