MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb069ae21ea35f433754f782cc0b4d2e8334e2e2ea435c2a5de49b6efe7a371e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb069ae21ea35f433754f782cc0b4d2e8334e2e2ea435c2a5de49b6efe7a371e
SHA3-384 hash: d2d8dcd2105f771d41b4b35729e1e7fbcca4a5f17d3774cc31ac9ac9111a221b61451b2c9eb5b921e37b903e64633251
SHA1 hash: e56e50baf126498a7fb312d0c4eb24a65b6ad8ec
MD5 hash: 3e2d917929fdf6bb434ef6ef548557ce
humanhash: indigo-potato-item-triple
File name:CopilotDriver.js
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:9'024'191 bytes
First seen:2026-02-22 15:50:35 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 3072:lh2tjJryxEZAjM3LbQbawLbNAaL/FRZAZr:lh2/bbQhbNAaRZAZr
Threatray 2'153 similar samples on MalwareBazaar
TLSH T13E96125045B35BC788324E9FCAFCA1C5BA31477FD84B8559B4BDC7DB8A8629E31A0708
Magika javascript
Reporter abuse_ch
Tags:js RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
139
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=699b25f6c950ab5d9ab07461
Tags:
obfuscate xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 base64 fingerprint obfuscated obfuscated overlay powershell repaired
Link:
https://www.filescan.io/uploads/699b25f3cd25bfe1dfd75927/reports/eb6147bc-154f-4f76-bb60-18cf5d3573fb/overview
Verdict:
Malicious
Labled as:
GT:JS.ObfPadding.1
Link:
https://www.hybrid-analysis.com/sample/bb069ae21ea35f433754f782cc0b4d2e8334e2e2ea435c2a5de49b6efe7a371e
Result
Gathering data
Verdict:
Malicious
File Type:
js
Detections:
Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/bb069ae21ea35f433754f782cc0b4d2e8334e2e2ea435c2a5de49b6efe7a371e/results?tab=lookup
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1873094
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates processes via WMI
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Remcos
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Unusual module load detection (module proxying)
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1873094 Sample: CopilotDriver.js Startdate: 22/02/2026 Architecture: WINDOWS Score: 100 23 msidownloads.duckdns.org 2->23 25 systemcopilotdrivers.ydns.eu 2->25 27 6 other IPs or domains 2->27 41 Suricata IDS alerts for network traffic 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 49 15 other signatures 2->49 8 wscript.exe 1 2->8         started        signatures3 47 Uses dynamic DNS services 23->47 process4 signatures5 51 Suspicious powershell command line found 8->51 53 Wscript starts Powershell (via cmd or directly) 8->53 55 Windows Scripting host queries suspicious COM object (likely to drop second stage) 8->55 57 2 other signatures 8->57 11 powershell.exe 14 15 8->11         started        process6 dnsIp7 29 systemcopilotdrivers.ydns.eu 181.206.158.190, 3001, 49699, 49700 ColombiaMovilCO Colombia 11->29 31 hostphpwindowsapps.ydns.eu 178.73.192.6, 49693, 8011 PORTLANEwwwportlanecomSE Sweden 11->31 59 Writes to foreign memory regions 11->59 61 Injects a PE file into a foreign processes 11->61 15 MSBuild.exe 4 2 11->15         started        19 conhost.exe 11->19         started        signatures8 process9 file10 21 C:\ProgramData\Copilotdrivers\logs.dat, data 15->21 dropped 33 Contains functionality to bypass UAC (CMSTPLUA) 15->33 35 Detected Remcos RAT 15->35 37 Contains functionalty to change the wallpaper 15->37 39 5 other signatures 15->39 signatures11
Score:
3%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/bb069ae21ea35f433754f782cc0b4d2e8334e2e2ea435c2a5de49b6efe7a371e
Verdict:
inconclusive
YARA:
1 match(es)
Link:
https://app.malva.re/file/3e2d917929fdf6bb434ef6ef548557ce
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bb069ae21ea35f433754f782cc0b4d2e8334e2e2ea435c2a5de49b6efe7a371e/
Verdict:
Malicious
Threat:
Family.REVERSELOADER
Link:
https://tip.neiki.dev/file/bb069ae21ea35f433754f782cc0b4d2e8334e2e2ea435c2a5de49b6efe7a371e
Threat name:
Script-JS.Trojan.ObfPadding
Create hunting rule
Status:
Malicious
First seen:
2026-02-22 13:09:29 UTC
File Type:
Text (JavaScript)
AV detection:
5 of 36 (13.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xmdjvyq6unpugn2u66bmyc2nf2btjyxc5jbvyks54snw57t2g4pa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
27f2ce01a8057e9f84bb1a47449683dcc0273cf90b747029dec88713d327b325
RemcosRAT
4255a3456f09dafb40c612cc439d2e729280565f68c3a3f380d6c5838b8e6ec7
RemcosRAT
691a1adb4046eb79e2ce90e73aad82ae817aeed98139a0a852ebb9aa2aed8541
RemcosRAT
7e820f2a3cdf17787913010cb6c3b5ca8155c957642d7493ba9af3e6671ebf9c
RemcosRAT
86bd0fb523c233fe4e82fbb0f614482c65736dea768816f6d0b44cecbdb07535
RemcosRAT
96ae2a820c2f9c200c8555d95af7673db00e5588f0e90c31a15cfe080ef1c1d2
RemcosRAT
b5736a59dfdb009c5a92592f367a939aae689097eb1ecff6c02f2cacc09da66d
RemcosRAT
cc58a2f6c8b64dc4bb15bfa34a569a533810c62877a731d6467d8b79e56b16bc
RemcosRAT
error
RemcosRAT
f911a5130f9608781db253c2686e1a133c01cd76295ec55404517062e5fde5a9
RemcosRAT
+ 2'143 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:tar1 discovery execution rat
Link:
https://tria.ge/reports/260222-tak7bset8e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Process spawned unexpected child process
Remcos
Remcos family
Malware Config
C2 Extraction:
systemcopilotdrivers.ydns.eu:3001
Dropper Extraction:
http://hostphpwindowsapps.ydns.eu:8011/data/optimized_MSI.png
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/bb069ae21ea35f433754f782cc0b4d2e8334e2e2ea435c2a5de49b6efe7a371e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Java Script (JS) js bb069ae21ea35f433754f782cc0b4d2e8334e2e2ea435c2a5de49b6efe7a371e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3597687/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3597686/

Comments