MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf9d1a8422d1afdfb643cfdc4a284ffeeebeded5981aaf35a367476341efde65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	cf9d1a8422d1afdfb643cfdc4a284ffeeebeded5981aaf35a367476341efde65
SHA3-384 hash:	9dd9ed4a0f26343e7c0a5fe0a94faff5879b16833f7a0f622eaa6704304d93f0e48b7d7d621c5f66cc1b273381d55349
SHA1 hash:	74233cff719dd4f8af2e1a7577587646bb37141b
MD5 hash:	f2034e675f42d6afe08dd4238044ce70
humanhash:	freddie-double-fifteen-william
File name:	CopilotDrivers.js
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	5'910'135 bytes
First seen:	2026-01-30 09:47:35 UTC
Last seen:	Never
File type:	js
MIME type:	text/plain
ssdeep	192:xqDRirig3C9MC3v31Y2xCRjiiL0W7Bo35QNpu7eG5lvOK4GN40QgK1CD0jg1GYDP:mjr
TLSH	T1085612F1BEB09A5593045227A35D3BC2CEE74208B682517D72686BDC9B2754F600E3FB
Magika	javascript
Reporter	abuse_ch
Tags:	js RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

131

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

SecuriteInfo.com.VBS.Obfus-152.UNOFFICIAL

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=697c7e719a17da7683b49079

Tags:

obfuscate xtreme shell

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm base64 fingerprint obfuscated powershell repaired

Link:

https://www.filescan.io/uploads/697c7e6c16ebb08a946628e9/reports/372eac99-334a-41a6-8315-b4509f542392/overview

Verdict:

Malicious

Labled as:

GT:JS.ObfPadding.1

Link:

https://www.hybrid-analysis.com/sample/cf9d1a8422d1afdfb643cfdc4a284ffeeebeded5981aaf35a367476341efde65

Verdict:

Malicious

File Type:

First seen:

2026-01-29T14:57:00Z UTC

Last seen:

2026-01-29T15:17:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/cf9d1a8422d1afdfb643cfdc4a284ffeeebeded5981aaf35a367476341efde65/results?tab=lookup

Result

Threat name:

n/a

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1860333

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Creates processes via WMI

JavaScript source code contains functionality to generate code involving a shell, file or stream

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Uses known network protocols on non-standard ports

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Yara detected Powershell decode and execute

Yara detected Powershell download and execute

Behaviour

Behavior Graph:

Download SVG

Score:

Verdict:

Benign

File Type:

SCRIPT

Link:

https://malprob.io/report/cf9d1a8422d1afdfb643cfdc4a284ffeeebeded5981aaf35a367476341efde65

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cf9d1a8422d1afdfb643cfdc4a284ffeeebeded5981aaf35a367476341efde65/

Verdict:

Malicious

Threat:

Family.REVERSELOADER

Link:

https://tip.neiki.dev/file/cf9d1a8422d1afdfb643cfdc4a284ffeeebeded5981aaf35a367476341efde65

Threat name:

Script-JS.Trojan.ObfPadding

Status:

Malicious

First seen:

2026-01-30 00:59:39 UTC

File Type:

Binary

AV detection:

6 of 37 (16.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=z6orvbbc2gx57nsdz7oeukcp73xl5xwvtank6nndm5dwgqpp3zsq._file

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos defense_evasion discovery execution rat trojan

Link:

https://tria.ge/reports/260130-ls3kbsgt2c/

Behaviour

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: JavaScript

System Location Discovery: System Language Discovery

Drops file in Windows directory

Suspicious use of SetThreadContext

Badlisted process makes network request

Command and Scripting Interpreter: PowerShell

Process spawned unexpected child process

Remcos

Remcos family

UAC bypass

Malware Config

C2 Extraction:

systemcopilotdriver.ydns.eu:3001

Dropper Extraction:

http://hostphpwindowsapps.ydns.eu:8011/data/optimized_MSI.png

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.55

Link:

https://yomi.yoroi.company/submissions/cf9d1a8422d1afdfb643cfdc4a284ffeeebeded5981aaf35a367476341efde65

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

js cf9d1a8422d1afdfb643cfdc4a284ffeeebeded5981aaf35a367476341efde65

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3597686/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample