MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba6af76e2db508b15fa6ed7e81558ff0c42fea03f18f1595988ea983689bd83d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 12

Intelligence 12 IOCs YARA 23 File information Comments

SHA256 hash:	ba6af76e2db508b15fa6ed7e81558ff0c42fea03f18f1595988ea983689bd83d
SHA3-384 hash:	77c6dffd9ecaec5ed4b3773e4eabc1ff9341ed23bdfaffe64a993decdda7d70fdb64855618490cb2e825ecffd4977768
SHA1 hash:	aeb9d26d215cd2e8cbc49d3074872d0467bf4ffd
MD5 hash:	11e4a51fc0184bda22d3bd106c2e7625
humanhash:	item-september-yankee-colorado
File name:	FedEx Tax_Certificate.pdf.JS
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	4'944'346 bytes
First seen:	2026-06-04 09:19:24 UTC
Last seen:	Never
File type:	js
MIME type:	text/plain
ssdeep	98304:aa+WJpbD2PBX5OWY10+ccHhX6GluabKoOI2nbT0GPa3iJVufWH7GcpaX+baJoaju:aa+QR4XeqDcHHbKoOISTJPySiufaX+bL
Threatray	381 similar samples on MalwareBazaar
TLSH	T1B0365C4418E173C79494DB1F8F2E67EB3B0EE6FF9460DA022259C9FE6649E823113356
Magika	javascript
Reporter	abuse_ch
Tags:	FedEx js RAT RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

131

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.31320.UNOFFICIAL

Sanesecurity.Malware.32567.UNOFFICIAL

Verdict:

Clean

Score:

N/A%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a21435e57b7bf261d60c8a0

Tags:

n/a

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug base64 dropper evasive masquerade obfuscated obfuscated packed repaired

Link:

https://www.filescan.io/uploads/6a21435c12da0d249c642337/reports/5f451a72-3fc9-4f81-963a-74ebcf1c5f7d/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/ba6af76e2db508b15fa6ed7e81558ff0c42fea03f18f1595988ea983689bd83d

Verdict:

Malicious

File Type:

First seen:

2026-06-03T10:00:00Z UTC

Last seen:

2026-06-06T05:49:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Dropper.Script.Generic HEUR:Trojan-Downloader.Script.Generic PDM:Trojan.Win32.Generic HEUR:Trojan.Script.Generic

Link:

https://opentip.kaspersky.com/ba6af76e2db508b15fa6ed7e81558ff0c42fea03f18f1595988ea983689bd83d/results?tab=lookup

Result

Threat name:

Remcos, DonutLoader

Detection:

malicious

Classification:

evad.troj.expl

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1922783

Signature

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Detected Remcos RAT

Found API chain indicative of debugger detection

Found malware configuration

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Execution from Suspicious Folder

Sigma detected: Remcos

Sigma detected: Suspicious Parent Double Extension File Execution

Sigma detected: Suspicious Program Location with Network Connections

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Sigma detected: WScript or CScript Dropper

Unusual module load detection (module proxying)

Uses an obfuscated file name to hide its real file extension (double extension)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

WScript reads language and country specific registry keys (likely country aware script)

Yara detected DonutLoader

Yara detected Lua decrypt and execute

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Gathering data

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/ba6af76e2db508b15fa6ed7e81558ff0c42fea03f18f1595988ea983689bd83d/

Verdict:

Malicious

Threat:

Family.REMCOS

Link:

https://tip.neiki.dev/file/ba6af76e2db508b15fa6ed7e81558ff0c42fea03f18f1595988ea983689bd83d

Threat name:

Script-JS.Trojan.Generic

Status:

Suspicious

First seen:

2026-06-03 20:59:59 UTC

File Type:

Binary

AV detection:

11 of 24 (45.83%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xjvpo3rnwuelcx5g5v7icvmp6dcc72qd6ghrlfmyr2uyg2e33a6q._file

Verdict:

malicious

Label(s):

donutloader

RemcosRAT

288e9320f7582f388ffdd93f00efebf60bf95e672804dc703da00eac890cb661

RemcosRAT

2b6459d295e4969b852efc19a223a2b71f74d9725f7856fa77de74b8df1b27a5

RemcosRAT

30ded8132af61b659fed8f7cb246ac33ae92821241d14a427a53521b331df877

RemcosRAT

404356dbc85ca00d7d25974a4b7d6bab219b166c060b4d51dd0a34c0cf2b0eeb

RemcosRAT

7e99f5e3d4efc4aece3e91b7cbbbcf2ffcb21072a8f14bd874047383e77fe5ab

RemcosRAT

9ec6a5d1bcb85ba852a1dbbbaf3f04a3ea2cc3bfa188f782fefda1a2c47288c0

RemcosRAT

ea84300a2c8500206df527ef2d2559a328e9b3efd41717c1a4d3e865d602c316

RemcosRAT

+ 371 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:donutloader family:remcos botnet:remcosagentnoautostart execution loader rat

Link:

https://tria.ge/reports/260604-la1ysacy3m/

Behaviour

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

Checks computer location settings

Executes dropped EXE

Detects DonutLoader

Family: DonutLoader

Family: Remcos

Malware Config

C2 Extraction:

209.54.101.187:2404

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.70

Link:

https://yomi.yoroi.company/submissions/ba6af76e2db508b15fa6ed7e81558ff0c42fea03f18f1595988ea983689bd83d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM Create hunting rule
Author:	ditekSHen
Description:	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	Remcos_unpacked_PulseIntel Create hunting rule
Author:	PulseIntel
Description:	Remcos Payload

Rule name:	Sus_All_Windows_PE_Malware Create hunting rule
Author:	DiegoAnalytics
Description:	Detects Windows PE malware of all types, avoids non-executables like .html

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

Rule name:	Windows_Trojan_Remcos_921ef449 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Remcos_b296e965 Create hunting rule
Author:	Elastic Security
Reference:	https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

Rule name:	win_remcos_rat_unpacked Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects strings present in remcos rat Samples.

Rule name:	win_remcos_w0 Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects strings present in remcos rat Samples.

Rule name:	yarahub_win_remcos_rat_unpacked_aug_2023 Create hunting rule
Author:	Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample