MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b74c6472957df96c56ddef5fbc4996f071ce281109a4bdace0ccc1162845648. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	9b74c6472957df96c56ddef5fbc4996f071ce281109a4bdace0ccc1162845648
SHA3-384 hash:	113b67dd44bb32d684bab561888b27717673e46dd4000cdca4d93693ab65f82cc33240b05e5cc6db3575fa9568eec383
SHA1 hash:	f9bdd26c496628a9310c3578e0a214bce4dceb39
MD5 hash:	624c9a73248ee6b0cb45d68809a86d53
humanhash:	happy-florida-india-uniform
File name:	Payment Confirmation – USD 45,300 TT Copy.js
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	229'145 bytes
First seen:	2025-09-02 08:22:33 UTC
Last seen:	2025-09-08 23:09:27 UTC
File type:	js
MIME type:	text/plain
ssdeep	6144:snG8I60UKZakULSqS0nUcHYRb22r5rIZ3dU:X8I60UKZLUWqS0dHYRK2r5rIk
Threatray	1'486 similar samples on MalwareBazaar
TLSH	T12424B8059A7D52632C76C2C56A740304F6B3239798F1E82E38FD921C5F3ED62D362DA9
Magika	javascript
Reporter	abuse_ch
Tags:	js RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68b6a984eb163e0ec1841ea0

Tags:

obfuscate xtreme spawn

Verdict:

Malicious

Labled as:

VBS/Agent.TKB trojan

Link:

https://www.hybrid-analysis.com/sample/9b74c6472957df96c56ddef5fbc4996f071ce281109a4bdace0ccc1162845648

Verdict:

Malicious

File Type:

First seen:

2025-09-01T21:35:00Z UTC

Last seen:

2025-09-01T21:35:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/9b74c6472957df96c56ddef5fbc4996f071ce281109a4bdace0ccc1162845648/results?tab=lookup

Result

Threat name:

n/a

Detection:

malicious

Classification:

expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1769358

Signature

Creates processes via WMI

Found Tor onion address

Javascript file is likely language aware (will only work on specific systems)

JavaScript source code contains functionality to generate code involving a shell, file or stream

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample has a suspicious name (potential lure to open the executable)

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Yara detected Powershell download and execute

Behaviour

Behavior Graph:

Download SVG

Score:

88%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/9b74c6472957df96c56ddef5fbc4996f071ce281109a4bdace0ccc1162845648

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9b74c6472957df96c56ddef5fbc4996f071ce281109a4bdace0ccc1162845648/

Threat name:

Script-JS.Downloader.AgentTesla

Status:

Malicious

First seen:

2025-09-02 00:33:30 UTC

File Type:

Text (JavaScript)

AV detection:

15 of 38 (39.47%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tn2mmrzjk7pznrln3327xrezn4drzyubccnexwwobtgbcyuekzea._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

9219023b7da8a734c9d4063421680c5fd505adb36d2ba714118887df71ff4790

RemcosRAT

a0c3fa62661159a9eef10b604214afade57a535a405c359b827a3bbd4b0cc63e

RemcosRAT

c208d8d0493c60f14172acb4549dcb394d2b92d30bcae4880e66df3c3a7100e4

RemcosRAT

d58ef7f6352296a5f9052e5bb522a0556037f373b27dd1bf4c53a521f0f7a0a8

RemcosRAT

d84b28f6ce7bca728fdf5eea7ed6cc3d6bed66d189c9218484d62fda4d5a4c9c

RemcosRAT

dd526d6b1e6b225b484425cfce62bc318dae7ad5356e81587a511394a3e34aa0

RemcosRAT

e119c6c5485307075a1e5d0950a77f978f7f17e23c315ed8c38cc1259b8af26f

RemcosRAT

error

RemcosRAT

+ 1'476 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos collection defense_evasion discovery execution rat trojan

Link:

https://tria.ge/reports/250902-kb7maafm3z/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: JavaScript

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook accounts

Badlisted process makes network request

Command and Scripting Interpreter: PowerShell

Detected Nirsoft tools

NirSoft MailPassView

NirSoft WebBrowserPassView

Process spawned unexpected child process

Remcos

Remcos family

UAC bypass

Malware Config

Dropper Extraction:

https://archive.org/download/optimized_msi_20250821/optimized_MSI.png

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9b74c6472957df96c56ddef5fbc4996f071ce281109a4bdace0ccc1162845648

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample