MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a67c2c0d2344b1524cbe1d6a68d04590769ac64471338411b185547d08c38cbf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a67c2c0d2344b1524cbe1d6a68d04590769ac64471338411b185547d08c38cbf
SHA3-384 hash: d57ae1060cdedfb348c32a8a01c647e60032dcc3ad32e7de81a964929a3e3e8eb232832aeda4cb99cc02dfa8461ce241
SHA1 hash: 1021b4e9648bb19973f952eae1464e8a12e5cac2
MD5 hash: fcb7fe07b85eef85fc5c4afcadef65df
humanhash: magazine-uranus-river-uncle
File name:ES-GS-20250807-A.JS
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:5'085'359 bytes
First seen:2025-08-19 05:19:12 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 98304:F68x7Bm4fLaXuXRotHiScKPFcjLxcZoDwV/BzrMiUuIhn34c/YN:p7XfLaeRoVixKP2LxcZoDwVpzQ1uIhnW
TLSH T18F36C7672B80D4723B656B5CBB3BE5B4840A114368CADB2130ECD9153AFD907A74CBF6
Magika javascript
Reporter abuse_ch
Tags:js RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
SE SE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.PUA.JS.Obfus-2183.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PUA.JS.Obfus-2525.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PUA.JS.Obfus-2179.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.31320.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a40975c2f5296a1a283ff0
Tags:
delphi emotet
Verdict:
Malicious
Labled as:
Trojan/Script.Agent
Link:
https://www.hybrid-analysis.com/sample/a67c2c0d2344b1524cbe1d6a68d04590769ac64471338411b185547d08c38cbf
Result
Threat name:
Remcos, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1759887
Signature
Allocates many large memory junks
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Installs a global keyboard hook
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Remcos
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1759887 Sample: ES-GS-20250807-A.JS.js Startdate: 19/08/2025 Architecture: WINDOWS Score: 100 47 nordiska.cc 2->47 49 geoplugin.net 2->49 67 Suricata IDS alerts for network traffic 2->67 69 Found malware configuration 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 11 other signatures 2->73 10 wscript.exe 1 5 2->10         started        13 rundll32.exe 3 2->13         started        signatures3 process4 signatures5 91 Windows Scripting host queries suspicious COM object (likely to drop second stage) 10->91 15 ScriptRunner.exe 3 10->15         started        17 Swmckmzd.exe 13->17         started        process6 signatures7 20 sCMeaZloh.exe 2 15->20         started        23 conhost.exe 15->23         started        55 Early bird code injection technique detected 17->55 57 Allocates memory in foreign processes 17->57 59 Allocates many large memory junks 17->59 25 colorcpl.exe 17->25         started        process8 signatures9 75 Early bird code injection technique detected 20->75 77 Uses schtasks.exe or at.exe to add and modify task schedules 20->77 79 Allocates memory in foreign processes 20->79 87 3 other signatures 20->87 27 SndVol.exe 2 15 20->27         started        32 schtasks.exe 1 20->32         started        81 Detected Remcos RAT 25->81 83 Contains functionalty to change the wallpaper 25->83 85 Contains functionality to steal Chrome passwords or cookies 25->85 89 2 other signatures 25->89 process10 dnsIp11 51 nordiska.cc 94.154.35.191, 2114, 49684, 49688 SELECTELRU Ukraine 27->51 53 geoplugin.net 178.237.33.50, 49690, 80 ATOM86-ASATOM86NL Netherlands 27->53 45 C:\ProgramData\remcos\logs.dat, data 27->45 dropped 93 Detected Remcos RAT 27->93 95 Contains functionalty to change the wallpaper 27->95 97 Contains functionality to steal Chrome passwords or cookies 27->97 99 7 other signatures 27->99 34 SndVol.exe 1 27->34         started        37 SndVol.exe 1 27->37         started        39 SndVol.exe 2 27->39         started        41 SndVol.exe 27->41         started        43 conhost.exe 32->43         started        file12 signatures13 process14 signatures15 61 Tries to steal Instant Messenger accounts or passwords 34->61 63 Tries to steal Mail credentials (via file / registry access) 34->63 65 Tries to harvest and steal browser information (history, passwords, etc) 37->65
Score:
89%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/a67c2c0d2344b1524cbe1d6a68d04590769ac64471338411b185547d08c38cbf
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a67c2c0d2344b1524cbe1d6a68d04590769ac64471338411b185547d08c38cbf/
Threat name:
Script-JS.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-08-19 02:26:33 UTC
File Type:
Text (JavaScript)
AV detection:
8 of 24 (33.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uz6cydjdisyvetf6dvvgrucfsb3jvrseoezyienrqvkh2cgdrs7q._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos collection defense_evasion discovery execution persistence rat trojan
Link:
https://tria.ge/reports/250819-fz6bxaz1by/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
System Binary Proxy Execution: ScriptRunner
Accesses Microsoft Outlook accounts
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Remcos
Remcos family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.30
Link:
https://yomi.yoroi.company/submissions/a67c2c0d2344b1524cbe1d6a68d04590769ac64471338411b185547d08c38cbf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments