MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9fff657717fc3bcfb1033ee50bc3d13e2dda381e90440f01b2f15b988ec0613. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9fff657717fc3bcfb1033ee50bc3d13e2dda381e90440f01b2f15b988ec0613
SHA3-384 hash: e1e62fc533608921c113ad5c52c09f6490d84bf616a4127d34fdf3095af0895f1f4f0065a73d1eb0dd262a707eb21ef5
SHA1 hash: e31d61e5eb44054a847b5eb531831116c5853058
MD5 hash: f8b4e7e53d6312481a7a55a061bcd518
humanhash: massachusetts-white-equal-utah
File name:Purchase Order 1015117914.js
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:588'608 bytes
First seen:2026-04-13 07:40:00 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 192:kE+yUBbID+JzF0C2Fu5rxvdK0PvfrOxf4YIQBeFU4lQV1yUBbID+JzF0C2Fu5rx2:ng
Threatray 82 similar samples on MalwareBazaar
TLSH T1D3C41C6D5B56D458725ED8E947EF812F44E322EB7B8CACA3A036DF000A5C5C3D692F24
Magika javascript
Reporter lowmal3
Tags:FXassistant-4nmn-com js RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.JS.Starter.155.2031.32455.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69dc90cb45787c53e5393936
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook masquerade repaired
Link:
https://www.filescan.io/uploads/69dc9dee799d5bf325facf9b/reports/62ef8850-2d3c-47bb-b5cd-4c748941b3be/overview
Verdict:
Malicious
Labled as:
JS/Agent.UIN trojan
Link:
https://www.hybrid-analysis.com/sample/a9fff657717fc3bcfb1033ee50bc3d13e2dda381e90440f01b2f15b988ec0613
Verdict:
Malicious
File Type:
js
First seen:
2026-04-13T02:35:00Z UTC
Last seen:
2026-04-15T04:13:00Z UTC
Hits:
~100
Detections:
Trojan.VBS.SAgent.sb Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic HEUR:Trojan-Downloader.Script.Generic
Link:
https://opentip.kaspersky.com/a9fff657717fc3bcfb1033ee50bc3d13e2dda381e90440f01b2f15b988ec0613/results?tab=lookup
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1897207
Signature
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates processes via WMI
Detected Remcos RAT
Found evasive API chain checking for user administrative privileges
Found malware configuration
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Potential Data Stealing Via Chromium Headless Debugging
Sigma detected: Remcos
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Uses the Windows Restart Manager Abuse for Browser Credential File unlocking
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1897207 Sample: Purchase Order 1015117914.js Startdate: 13/04/2026 Architecture: WINDOWS Score: 100 40 FXassistant.4nmn.com 2->40 42 pub-bcefb9e553ee4137a6d296b7c71a767e.r2.dev 2->42 44 grandvegasbet.com.br 2->44 50 Suricata IDS alerts for network traffic 2->50 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 9 other signatures 2->56 10 wscript.exe 2 2->10         started        signatures3 process4 signatures5 66 Suspicious powershell command line found 10->66 68 Wscript starts Powershell (via cmd or directly) 10->68 70 Bypasses PowerShell execution policy 10->70 72 3 other signatures 10->72 13 powershell.exe 14 15 10->13         started        process6 dnsIp7 46 grandvegasbet.com.br 217.21.77.24, 443, 49718 IPPLANET-ASIL United Kingdom 13->46 48 pub-bcefb9e553ee4137a6d296b7c71a767e.r2.dev 104.18.54.45, 443, 49719 CLOUDFLARENETUS United States 13->48 74 Writes to foreign memory regions 13->74 76 Injects a PE file into a foreign processes 13->76 78 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 13->78 17 CasPol.exe 9 9 13->17         started        22 conhost.exe 13->22         started        signatures8 process9 dnsIp10 36 FXassistant.4nmn.com 104.168.56.119, 2452, 49722, 49723 AS-COLOCROSSINGUS United States 17->36 38 127.0.0.1 unknown unknown 17->38 28 C:\Users\user\AppData\...\cookies.sqlite-shm, data 17->28 dropped 30 C:\Users\user\AppData\...\Login Data.tmp, SQLite 17->30 dropped 32 C:\Users\user\AppData\...\Login Data.tmp, SQLite 17->32 dropped 34 C:\Users\user\...\Login Data For Account.tmp, SQLite 17->34 dropped 58 Contains functionality to bypass UAC (CMSTPLUA) 17->58 60 Detected Remcos RAT 17->60 62 Attempt to bypass Chrome Application-Bound Encryption 17->62 64 9 other signatures 17->64 24 msedge.exe 6 17->24         started        file11 signatures12 process13 process14 26 msedge.exe 24->26         started       
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/a9fff657717fc3bcfb1033ee50bc3d13e2dda381e90440f01b2f15b988ec0613
Gathering data
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a9fff657717fc3bcfb1033ee50bc3d13e2dda381e90440f01b2f15b988ec0613/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vh77mv3rp7b3z6yqgpxfbpb5cprn3i4b5eceb4a3f4k3tchmayjq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
505b686537a646709ea054f37fe5e53973dd3778ffc66f36b93b75389d3ef42d
RemcosRAT
7a2cb732e58e653ebc09553930861bc08d76875cb8d2d1b0c87565282e74eaa5
RemcosRAT
7ba23262eb087a6d515ae54a3d2cfa0339d102fbc6a52520289d81c6d595b502
RemcosRAT
7c38cc94a0efee1a682c862b9162e20a5d1690dc6c9c347b4b7e6d542d44abd3
RemcosRAT
9cc5419f02b532abc4c33f28b88c98614170039075ddaca52137e81496b3021c
RemcosRAT
b92b8b4764cbdf01490bb59321ceb65260d88bcb468c132ce6ac159931953f8d
RemcosRAT
c0422a6f05507edaca77fc6bfcbf2edc1acc82e82877d281382aaa829f7013d7
RemcosRAT
efe6346818215be94536f5826a7b5bfd5798dcf3f2fa463fa5b82c1e2d78a98d
RemcosRAT
error
RemcosRAT
+ 72 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:logsman credential_access defense_evasion discovery execution rat stealer trojan
Link:
https://tria.ge/reports/260413-jhvevsez6j/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Loads dropped DLL
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Uses browser remote debugging
Process spawned unexpected child process
Remcos
Remcos family
UAC bypass
Malware Config
C2 Extraction:
FXassistant.4nmn.com:2452
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a9fff657717f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a9fff657717fc3bcfb1033ee50bc3d13e2dda381e90440f01b2f15b988ec0613

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Java Script (JS) js a9fff657717fc3bcfb1033ee50bc3d13e2dda381e90440f01b2f15b988ec0613

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments