MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5e8581ffa0b54efbb78db8401641213521a319a46b0570f4079a73b345fd1de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5e8581ffa0b54efbb78db8401641213521a319a46b0570f4079a73b345fd1de
SHA3-384 hash: 93a10bc6c6f25aa5271cfa52b4b9fab7e2bdae994a230ccd513ff56189d70606be790a0d3f19fea76427e88adcaccc0a
SHA1 hash: c4f322aae1ac8a5912a8c40dfd7b2305105636cd
MD5 hash: 835bc9d8d84117c6730aa7334678f293
humanhash: equal-wisconsin-fourteen-september
File name:835bc9d8d84117c6730aa7334678f293.js
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'142'465 bytes
First seen:2026-03-11 08:32:34 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 192:333333333333333333333333333333333333333333333333333333333333333n:wjS3PQUv
Threatray 2'223 similar samples on MalwareBazaar
TLSH T1F335137CD20891AA5EA9DB0D065CF2D9CC2C4C83DCB71EE98912CDEBEE551F932B5124
Magika javascript
Reporter abuse_ch
Tags:js RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
154
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.VBS.Starter.519.16721.25174.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69b128d9e5dc8e2b2c3267c0
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 evasive fingerprint obfuscated powershell repaired
Link:
https://www.filescan.io/uploads/69b128d991ad9169e538ff8a/reports/5698222f-a808-4348-b021-8b5586bcdfa2/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/a5e8581ffa0b54efbb78db8401641213521a319a46b0570f4079a73b345fd1de
Verdict:
Malicious
File Type:
js
Link:
https://opentip.kaspersky.com/a5e8581ffa0b54efbb78db8401641213521a319a46b0570f4079a73b345fd1de/results?tab=lookup
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1881831
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionalty to change the wallpaper
Creates processes via WMI
Detected Remcos RAT
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Potential Data Stealing Via Chromium Headless Debugging
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Remcos
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Unusual module load detection (module proxying)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected MSIL Injector
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1881831 Sample: QBaAnpxDEz.js Startdate: 11/03/2026 Architecture: WINDOWS Score: 100 47 officedesk2026.4nmn.com 2->47 49 pub-e6f64f05a00d4309aec9508777bc43bc.r2.dev 2->49 51 6 other IPs or domains 2->51 65 Suricata IDS alerts for network traffic 2->65 67 Found malware configuration 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 14 other signatures 2->71 10 wscript.exe 1 2->10         started        13 svchost.exe 1 1 2->13         started        signatures3 process4 signatures5 87 Suspicious powershell command line found 10->87 89 Wscript starts Powershell (via cmd or directly) 10->89 91 Windows Scripting host queries suspicious COM object (likely to drop second stage) 10->91 93 2 other signatures 10->93 15 powershell.exe 14 15 10->15         started        process6 dnsIp7 57 ia601609.us.archive.org 207.241.227.89, 443, 49683 INTERNET-ARCHIVEUS United States 15->57 59 pub-e6f64f05a00d4309aec9508777bc43bc.r2.dev 104.18.50.34, 443, 49684 CLOUDFLARENETUS United States 15->59 61 Writes to foreign memory regions 15->61 63 Injects a PE file into a foreign processes 15->63 19 MSBuild.exe 4 9 15->19         started        24 MSBuild.exe 15->24         started        26 conhost.exe 15->26         started        signatures8 process9 dnsIp10 53 officedesk2026.4nmn.com 172.245.209.144, 1709, 49689, 49691 AS-COLOCROSSINGUS United States 19->53 55 127.0.0.1 unknown unknown 19->55 39 C:\Users\user\AppData\Local\Temp\TH219B.tmp, MS-DOS 19->39 dropped 41 C:\Users\user\AppData\Local\Temp\TH210D.tmp, MS-DOS 19->41 dropped 43 C:\Users\user\AppData\Local\Temp\TH2060.tmp, MS-DOS 19->43 dropped 45 C:\Users\user\AppData\...\cookies.sqlite-shm, data 19->45 dropped 73 Detected Remcos RAT 19->73 75 Tries to harvest and steal browser information (history, passwords, etc) 19->75 77 Maps a DLL or memory area into another process 19->77 28 userinit.exe 2 19->28         started        31 userinit.exe 1 19->31         started        33 userinit.exe 1 19->33         started        35 2 other processes 19->35 79 Contains functionality to bypass UAC (CMSTPLUA) 24->79 81 Attempt to bypass Chrome Application-Bound Encryption 24->81 83 Contains functionalty to change the wallpaper 24->83 85 5 other signatures 24->85 file11 signatures12 process13 signatures14 95 Tries to steal Mail credentials (via file registry) 28->95 97 Tries to harvest and steal browser information (history, passwords, etc) 28->97 99 Unusual module load detection (module proxying) 28->99 101 Tries to steal Instant Messenger accounts or passwords 31->101 103 Tries to steal Mail credentials (via file / registry access) 31->103 37 msedge.exe 35->37         started        process15
Gathering data
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a5e8581ffa0b54efbb78db8401641213521a319a46b0570f4079a73b345fd1de/
Threat name:
Script-JS.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2026-03-10 11:24:24 UTC
File Type:
Binary
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uxufqh72bnko7o3y3ocaczascnjbumm2i2yfod2apgttwnc72hpa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
07ca3c1f8d2a424f1873cf6eda6df16e69569aa98c5d152734668ea9d1f4c374
RemcosRAT
0e6a0dda6d54291452adeb1d7515cc8edad2705807d5a0343340ce7122cef8b1
RemcosRAT
19d1507a08193e55ebb5b873e23fa0fd1d54a29e413ccd51903d6f084556c1d3
RemcosRAT
1dd20400a7bb38e2bc807c8bbe15fb719b3466be957bbd9b71f620f876916287
RemcosRAT
4f5d1c5ad71e3be6754c31542735633c0be9224feae128e2bb4cec533e85c33e
RemcosRAT
61c61e5c4d5caa801b3d6ee7ba915ce19793274d659fc6e2bb14076fc5fdcb59
RemcosRAT
a1145ae7bbc7d896876d9bdd49c8186a6ced9103c847d5e86eeb7782057277a7
RemcosRAT
b2f7cd8a8984266ccf8060b18823cdbe01a88f62b809b083b681028c0c11d793
RemcosRAT
b65da47cf6dc6bc5ae6db9041f67c97a04f28672cea65e7ad9a0359391cdde48
RemcosRAT
e83039c747aa9f67494b6685cf5b53ce9afd955d6f4b0355c85a224c5c2e3ce8
RemcosRAT
error
RemcosRAT
+ 2'213 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution
Link:
https://tria.ge/reports/260311-kf5ngshv4z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Command and Scripting Interpreter: JavaScript
Command and Scripting Interpreter: PowerShell
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/a5e8581ffa0b54efbb78db8401641213521a319a46b0570f4079a73b345fd1de

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments