MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c460c335f07c534e5e5632d1730c2add83be67d6d31e882002c4aeb4bca2c7c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 23 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c460c335f07c534e5e5632d1730c2add83be67d6d31e882002c4aeb4bca2c7c
SHA3-384 hash: fd05657aafc4a6c4c4427b539a87aeff877a140a5657c2f03ea8b1b2fc94c62be2bf64bb5e77d07c77b07c3febae1ae6
SHA1 hash: 612745ec86726361059cdd475541094fd979404c
MD5 hash: ea826af3bfdcce7563a2740e6131141e
humanhash: helium-apart-foxtrot-helium
File name:Quotation.js
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'029'909 bytes
First seen:2025-11-06 00:35:07 UTC
Last seen:2025-11-06 10:29:47 UTC
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 12288:Il0pytTaKrNSBSSRKLDvtjVLdsJ+5vPcgy+DqF4L2ugYhyVKq1j6XvuO+3msvKLH:Il3nSRKLTLxklHI/nzI1jFpsYV9SJj
Threatray 690 similar samples on MalwareBazaar
TLSH T1D1256CBC2B8CE09CDE6E91174156AB27C63EF22577035399005A2FF80A465CCDACF9B5
Magika javascript
Reporter abuse_ch
Tags:js RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
91.92.243.7:1155

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
91.92.243.7:1155 https://threatfox.abuse.ch/ioc/1634296/

Intelligence

File Origin
# of uploads :
2
# of downloads :
126
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690bed55ea0f3e915c23568e
Tags:
obfuscate xtreme lien sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 evasive fingerprint obfuscated powershell powershell repaired
Link:
https://www.filescan.io/uploads/690bed5085b61a93a739994a/reports/3137b4f6-4ad6-412d-8ccc-8dbdd7dab942/overview
Verdict:
Malicious
Labled as:
Trojan.Cryxos.JS
Link:
https://www.hybrid-analysis.com/sample/8c460c335f07c534e5e5632d1730c2add83be67d6d31e882002c4aeb4bca2c7c
Verdict:
Malicious
File Type:
js
First seen:
2025-11-05T20:10:00Z UTC
Last seen:
2025-11-07T22:15:00Z UTC
Hits:
~1000
Detections:
Trojan-Downloader.JS.Cryptoload.sb Trojan.VBS.SAgent.sb Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic HEUR:Trojan.PowerShell.Tesre.sb Trojan.PowerShell.AmsiBypass.sb
Link:
https://opentip.kaspersky.com/8c460c335f07c534e5e5632d1730c2add83be67d6d31e882002c4aeb4bca2c7c/results?tab=lookup
Result
Threat name:
Remcos, DonutLoader
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1808958
Signature
.NET source code contains a sample name check
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Detected Remcos RAT
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Remcos
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected DonutLoader
Yara detected Powershell decode and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1808958 Sample: Quotation.js Startdate: 06/11/2025 Architecture: WINDOWS Score: 100 50 Suricata IDS alerts for network traffic 2->50 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 19 other signatures 2->56 10 wscript.exe 1 1 2->10         started        process3 file4 46 C:\Users\user\AppData\...\Fritillary.bat, ASCII 10->46 dropped 70 Wscript starts Powershell (via cmd or directly) 10->70 72 Windows Scripting host queries suspicious COM object (likely to drop second stage) 10->72 74 Suspicious execution chain found 10->74 76 Creates processes via WMI 10->76 14 cmd.exe 1 10->14         started        signatures5 process6 signatures7 78 Suspicious powershell command line found 14->78 80 Wscript starts Powershell (via cmd or directly) 14->80 82 Bypasses PowerShell execution policy 14->82 17 cmd.exe 1 14->17         started        19 conhost.exe 14->19         started        process8 process9 21 cmd.exe 2 17->21         started        signatures10 58 Suspicious powershell command line found 21->58 60 Wscript starts Powershell (via cmd or directly) 21->60 24 powershell.exe 5 31 21->24         started        29 conhost.exe 21->29         started        process11 dnsIp12 48 91.92.243.7, 1155, 49721, 49722 THEZONEBG Bulgaria 24->48 40 C:\Users\user\AppData\Local\Temp\THE988.tmp, MS-DOS 24->40 dropped 42 C:\Users\user\AppData\Local\Temp\THE939.tmp, MS-DOS 24->42 dropped 44 C:\Users\user\AppData\Local\Temp\THE919.tmp, PE32 24->44 dropped 62 Detected Remcos RAT 24->62 64 Writes to foreign memory regions 24->64 66 Found hidden mapped module (file has been removed from disk) 24->66 68 5 other signatures 24->68 31 RmClient.exe 2 24->31         started        34 RmClient.exe 1 24->34         started        36 RmClient.exe 1 24->36         started        38 RmClient.exe 24->38         started        file13 signatures14 process15 signatures16 84 Tries to steal Mail credentials (via file registry) 31->84 86 Tries to harvest and steal browser information (history, passwords, etc) 31->86 88 Tries to steal Instant Messenger accounts or passwords 34->88 90 Tries to steal Mail credentials (via file / registry access) 34->90
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/8c460c335f07c534e5e5632d1730c2add83be67d6d31e882002c4aeb4bca2c7c
Gathering data
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8c460c335f07c534e5e5632d1730c2add83be67d6d31e882002c4aeb4bca2c7c/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/8c460c335f07c534e5e5632d1730c2add83be67d6d31e882002c4aeb4bca2c7c
Threat name:
Script-JS.Trojan.Cryxos
Create hunting rule
Status:
Malicious
First seen:
2025-11-06 00:35:31 UTC
File Type:
Text (HTML)
AV detection:
4 of 36 (11.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rrdaym27a7ctjzpfmmwromgcvxmdxzt5nuy6raqafrfows6kfr6a._file
Verdict:
malicious
Label(s):
nirsoft
Create hunting rule
donutloader
Create hunting rule
admintool_mailpassview
Create hunting rule
remcos
Create hunting rule
Similar samples:
3c4850bad9e48453996875f76725ab4caf188613ec4621fef7fbca2fd19c2147
RemcosRAT
4ffb945bc637b8c2e1d287c1f6127121d967e1366f0a437f2b7f505fac391f5d
RemcosRAT
6fe0d90ee6b5cdf3e1f8847dba78459deecc3b975a990240e2b9d52a561d695e
RemcosRAT
9c7bccc9beab63a3ebf8995eb4ad568c15e7b65421e11fadbac663d4bc8ef792
RemcosRAT
ba155a5175493aa4e350cc470165e37632573b06c353db839f02c9eecc06a8a9
RemcosRAT
ceaa19c2955fc7b208d9480844510cbe51ab054d54332c60f6cb8aff902da04c
RemcosRAT
d1cfc53e81fdcf625be8284ee7ed47fa1256de5222d2b1d4064524e90724df4e
RemcosRAT
error
RemcosRAT
+ 680 additional samples on MalwareBazaar
Result
Malware family:
donutloader
Create hunting rule
Score:
  10/10
Tags:
family:donutloader collection discovery execution loader
Link:
https://tria.ge/reports/251106-axla3awjez/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Command and Scripting Interpreter: PowerShell
Badlisted process makes network request
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Detects DonutLoader
DonutLoader
Donutloader family
Process spawned unexpected child process
Malware family:
WebBrowserPassView
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8c460c335f07/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8c460c335f07c534e5e5632d1730c2add83be67d6d31e882002c4aeb4bca2c7c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Remcos_unpacked_PulseIntel
Create hunting rule
Author:PulseIntel
Description:Remcos Payload
Rule name:SUSP_PS1_JAB_Pattern_Jun22_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable
Reference:Internal Research
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:TeslaCryptPackedMalware
Create hunting rule
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:win_remcos_rat_unpacked
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:win_remcos_w0
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:yarahub_win_remcos_rat_unpacked_aug_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments