MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 daf2410a4e6da576f80df9cfd4b69eb8b2ee74c49948a501d6618063c7950437. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	daf2410a4e6da576f80df9cfd4b69eb8b2ee74c49948a501d6618063c7950437
SHA3-384 hash:	4cdc441c1f4b25299a0387adc4b072877cc303479e9d3fbda5ca3ad4d2ad356071f60274a5f646ec3bbd347d24f721f8
SHA1 hash:	d7bbb24c3a449bbdf9031fb92753b2d96a68a587
MD5 hash:	f749306e539eab248f698468a5ffc7f0
humanhash:	moon-may-network-double
File name:	givewegivingbestsolutionsforbetterplaces.js
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	40'906 bytes
First seen:	2026-06-21 09:42:19 UTC
Last seen:	Never
File type:	js
MIME type:	text/plain
ssdeep	768:rrX0uNzecLsfDirMWqrGURG39Lp92CvsO0xLErmTe6RvhQenPAZWlfccKK4OmeUd:rrkuNzecLsfDirMWqqURG39LpgCvsO0Y
TLSH	T159034C5F9F2B0D298EDCAE838C0E537368DD69B823636930B57A549F9E15203E1F54B0
Magika	javascript
Reporter	JAMESWT_WT
Tags:	46-183-223-7 js kelvin654-duckdns-org RemcosRAT Spam-ITA

Intelligence

File Origin

# of uploads :

# of downloads :

169

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

SecuriteInfo.com.Other.Malware-gen.12599657.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a37b2031548daf709f85cae

Tags:

cryxos xtreme shell sage

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm fingerprint repaired

Link:

https://www.filescan.io/uploads/6a37b2029de4cf364c0f9ae9/reports/875ee9b4-c8f9-4534-a77a-5c4b471e7146/overview

Verdict:

Malicious

Labled as:

Trojan.Cryxos.JS

Link:

https://www.hybrid-analysis.com/sample/daf2410a4e6da576f80df9cfd4b69eb8b2ee74c49948a501d6618063c7950437

Verdict:

Malicious

File Type:

First seen:

2026-06-19T17:47:00Z UTC

Last seen:

2026-06-19T23:45:00Z UTC

Hits:

~10

Detections:

Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic

Link:

https://opentip.kaspersky.com/daf2410a4e6da576f80df9cfd4b69eb8b2ee74c49948a501d6618063c7950437/results?tab=lookup

Score:

98%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/daf2410a4e6da576f80df9cfd4b69eb8b2ee74c49948a501d6618063c7950437

Gathering data

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/daf2410a4e6da576f80df9cfd4b69eb8b2ee74c49948a501d6618063c7950437/

Verdict:

Malicious

Threat:

Family.REVERSELOADER

Link:

https://tip.neiki.dev/file/daf2410a4e6da576f80df9cfd4b69eb8b2ee74c49948a501d6618063c7950437

Threat name:

Script-JS.Trojan.Cryxos

Status:

Malicious

First seen:

2026-06-18 23:30:33 UTC

File Type:

Text (JavaScript)

AV detection:

12 of 36 (33.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3lzeccsonwsxn6an7hh5jnu6xczo45getfekkaowmgaghr4vaq3q._file

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:zeecrypt discovery execution rat suricata

Link:

https://tria.ge/reports/260621-lpj9ksdv5w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: JavaScript

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Command and Scripting Interpreter: PowerShell

Badlisted process makes network request

Family: Remcos

Process spawned unexpected child process

Suricata alert: REMCOS RAT Malware Inbound C2 Communication

Suricata alert: REMCOS RAT Malware Outbound C2 Communication

Malware Config

C2 Extraction:

oyine.duckdns.org:4550
oyine.duckdns.org:4551
oyine.duckdns.org:4553

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/daf2410a4e6da576f80df9cfd4b69eb8b2ee74c49948a501d6618063c7950437

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample