MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9005281634752b821c282d0ccdffd99bf744b0272513fcb1e26013d7f367eff4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	9005281634752b821c282d0ccdffd99bf744b0272513fcb1e26013d7f367eff4
SHA3-384 hash:	a8afda93cf064103c4ea95a18566ef326ef03cb4e9cd4b81f773e16a36111930a8dfe73429d018ac2bbeeb57d879f126
SHA1 hash:	da45bb347bb0acf8da85423a111db2a76ae0bb23
MD5 hash:	a2636916472736ded7aab028466e10e5
humanhash:	fifteen-ink-hotel-sixteen
File name:	Request_for_Quotation_15100053_QSOLAR.JS
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	7'104'395 bytes
First seen:	2026-02-23 06:49:50 UTC
Last seen:	Never
File type:	js
MIME type:	text/plain
ssdeep	98304:nSOpJQv6gF6d322/UTDoRqG24lqZAYFMmOOuU3PEa076kWodb9ezl1kM5lw5INUi:n0lm22U4YPEa0O6d0zlvO5CzH
Threatray	1 similar samples on MalwareBazaar
TLSH	T1AE6609023653F6D737AE800E4959DFE25960897FEA01A707BC7285CB781AC4A72C5B7C
Magika	javascript
Reporter	JoulK
Tags:	js RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=699bf8c9c950ab5d9ab0b338

Tags:

autoit emotet lien

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug autoit dropper evasive expired-cert fingerprint keylogger obfuscated repaired

Link:

https://www.filescan.io/uploads/699bf8bc10e80629d4ede599/reports/444cf953-e0bb-4626-b0f5-4acb16772288/overview

Verdict:

Suspicious

Labled as:

JS/Agent.DLR

Link:

https://www.hybrid-analysis.com/sample/9005281634752b821c282d0ccdffd99bf744b0272513fcb1e26013d7f367eff4

Verdict:

Malicious

File Type:

Detections:

HEUR:Trojan-Dropper.Script.Generic HEUR:Trojan.Script.Generic

Link:

https://opentip.kaspersky.com/9005281634752b821c282d0ccdffd99bf744b0272513fcb1e26013d7f367eff4/results?tab=lookup

Score:

96%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/9005281634752b821c282d0ccdffd99bf744b0272513fcb1e26013d7f367eff4

Gathering data

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/9005281634752b821c282d0ccdffd99bf744b0272513fcb1e26013d7f367eff4/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2026-02-23 06:50:29 UTC

File Type:

Binary

AV detection:

9 of 24 (37.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sacsqfruouvyehbifugm376ztp3ujmbheuj7zmpcmaj5p43h572a._file

Verdict:

malicious

Label(s):

remcos

Similar samples:

error

RemcosRAT

Result

Malware family:

remcos

Score:

10/10

Tags:

family:donutloader family:remcos botnet:feb - 22 collection discovery execution loader rat

Link:

https://tria.ge/reports/260223-hl63dsft7a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook accounts

Checks computer location settings

Executes dropped EXE

Detected Nirsoft tools

Detects DonutLoader

DonutLoader

Donutloader family

Remcos

Remcos family

Malware Config

C2 Extraction:

greatmindworkingunison.duckdns.org:8772
godisgreatmygood.duckdns.org:8772
revlonducussdmg.duckdns.org:8772

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/900528163475/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.60

Link:

https://yomi.yoroi.company/submissions/9005281634752b821c282d0ccdffd99bf744b0272513fcb1e26013d7f367eff4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample