MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e252cd399ca7d1102917946ea9cbd9cf4e9d03bf0180d26a43946cafc4b7acb4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e252cd399ca7d1102917946ea9cbd9cf4e9d03bf0180d26a43946cafc4b7acb4
SHA3-384 hash: 5f0307b48818c3a0cd27bdbd2b869329bee71b290562bd30404cb7b36725e765bd4faea84a9870005b06ec9aefb3b3bf
SHA1 hash: f813a028e8d0cf0e5abb8b1ae9f288de667f7fb1
MD5 hash: efc619057693c50973f1948388a8d76a
humanhash: sad-pizza-green-magazine
File name:Quotation.js
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:15'732'988 bytes
First seen:2026-05-22 10:07:49 UTC
Last seen:2026-05-22 15:22:18 UTC
File type:Java Script (JS) js
MIME type:text/csv
ssdeep 192:doCJW5uKEsS1A+R44nT5D4GQnNqypMiri65KBxmI4G3+v+ndiJFX/TTlcqB763TN:drJW5qgXmYP7VW
Threatray 18 similar samples on MalwareBazaar
TLSH T191F6012245952B205673F7A8B3E48ADF80DB548274DE8BB885918FECC36CC62D1D537B
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika txt
Reporter lowmal3
Tags:js RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
148
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a102b3033e785de369cb1b2
Tags:
autorun xtreme shell sage
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
repaired
Link:
https://www.filescan.io/uploads/6a102b23efbd399b39c5d15d/reports/1b9b44e3-34e3-4b6b-9136-5acded966fe5/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/e252cd399ca7d1102917946ea9cbd9cf4e9d03bf0180d26a43946cafc4b7acb4
Verdict:
Malicious
File Type:
js
First seen:
2026-05-22T03:45:00Z UTC
Last seen:
2026-05-24T07:16:00Z UTC
Hits:
~1000
Detections:
Trojan.MSIL.Crypt.sb Trojan-PSW.MSIL.Agent.sb HEUR:Trojan.Script.Startup.gen HEUR:Trojan-Downloader.Script.Generic Trojan.JS.SAgent.sb Trojan-Dropper.Win32.Injector.sb Trojan-Downloader.MSIL.Seraph.d Trojan-Downloader.MSIL.Agent.c PDM:Trojan.Win32.Generic PDM:Exploit.Win32.Generic Trojan.Win32.Inject.sb Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Greedy.sb Trojan-Dropper.Win32.Injector HEUR:Trojan.VBS.Agent.gen Trojan.VBS.SAgent.sb HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/e252cd399ca7d1102917946ea9cbd9cf4e9d03bf0180d26a43946cafc4b7acb4/results?tab=lookup
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1917595
Signature
.NET source code contains potential unpacker
Attempt to bypass Chrome Application-Bound Encryption
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject threads in other processes
Contains functionality to steal Internet Explorer form passwords
Creates processes via WMI
Detected large data written to user environment variables, potentially indicating payload staging for fileless execution
Detected Remcos RAT
Drops script or batch files to the startup folder
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: Potential Data Stealing Via Chromium Headless Debugging
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Remcos
Sigma detected: Suspicious Environment Variable Has Been Registered
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file registry)
Unusual module load detection (module proxying)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1917595 Sample: Quotation.js Startdate: 22/05/2026 Architecture: WINDOWS Score: 100 50 res.cloudinary.com 2->50 52 cloudinary.map.fastly.net 2->52 60 Found malware configuration 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 Yara detected UAC Bypass using CMSTP 2->64 66 13 other signatures 2->66 9 powershell.exe 14 15 2->9         started        13 wscript.exe 14 3 2->13         started        16 wscript.exe 1 2->16         started        signatures3 process4 dnsIp5 58 cloudinary.map.fastly.net 151.101.193.137, 443, 49695, 49701 FASTLY-FastlyIncUS Canada 9->58 82 Writes to foreign memory regions 9->82 84 Modifies the context of a thread in another process (thread injection) 9->84 86 Injects a PE file into a foreign processes 9->86 88 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 9->88 18 appidtel.exe 5 10 9->18         started        23 conhost.exe 9->23         started        48 C:\Users\user\AppData\...\Quotation.js, CSV 13->48 dropped 90 Suspicious powershell command line found 13->90 92 Wscript starts Powershell (via cmd or directly) 13->92 94 Drops script or batch files to the startup folder 13->94 96 4 other signatures 13->96 25 powershell.exe 16->25         started        file6 signatures7 process8 dnsIp9 54 46.151.182.76, 49696, 49697, 49698 GHOSTYNETWORKSUS Ukraine 18->54 56 127.0.0.1 unknown unknown 18->56 40 C:\Users\user\AppData\...\cookies.sqlite-shm, data 18->40 dropped 42 C:\Users\user\AppData\...\Login Data.tmp, SQLite 18->42 dropped 44 C:\Users\user\AppData\...\Login Data.tmp, SQLite 18->44 dropped 46 2 other files (1 malicious) 18->46 dropped 68 Contains functionality to bypass UAC (CMSTPLUA) 18->68 70 Detected Remcos RAT 18->70 72 Attempt to bypass Chrome Application-Bound Encryption 18->72 80 10 other signatures 18->80 27 msedge.exe 7 18->27         started        29 chrome.exe 1 18->29         started        74 Writes to foreign memory regions 25->74 76 Modifies the context of a thread in another process (thread injection) 25->76 78 Injects a PE file into a foreign processes 25->78 31 appidtel.exe 25->31         started        34 conhost.exe 25->34         started        file10 signatures11 process12 signatures13 36 msedge.exe 27->36         started        38 conhost.exe 29->38         started        98 Detected Remcos RAT 31->98 process14
Gathering data
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e252cd399ca7d1102917946ea9cbd9cf4e9d03bf0180d26a43946cafc4b7acb4/
Verdict:
Malicious
Threat:
Trojan.Win32.Inject
Link:
https://tip.neiki.dev/file/e252cd399ca7d1102917946ea9cbd9cf4e9d03bf0180d26a43946cafc4b7acb4
Threat name:
Script-JS.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2026-05-22 10:08:41 UTC
File Type:
Text (JavaScript)
AV detection:
5 of 24 (20.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4jjm2om4u7irakixsrxkts6zz5hj2a57agane2sdsrwk7rfxvs2a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1345f21a54489d342367deff244634710e027677d73452dfa10e132ccf860137
RemcosRAT
2004144f6c630e44f975c24fa311c41edf228213a958b5cf4fca2140d0341a7f
RemcosRAT
2ba597e8fd9de1795468c73e40decc9845f834ce711e9c1362d9952fb388af6d
RemcosRAT
65006305946ecaa609fd73073d1f7bc332bbba4e4ac44e753ab05f6a946bb2d3
RemcosRAT
75ee575cc86a57e93d55b9be3e947352836fdf166feb227551e1c5c673e4fb60
RemcosRAT
8787ab12fed80258a88393a4fc4d364f0872273a3417dd31b6c33e00daa94bcc
RemcosRAT
8efda310e1548c396caa8fe3e31168c386215e880ac3000b57047643d2702f25
RemcosRAT
9bad04d6ae85c68c1c9aa2718fae8e1713e77b13e2b6c069c26491d72ae63b17
RemcosRAT
a94a77a31e66e7c54af6a47a0a2f2b1f6cb35f2232f466d92d2dc8546d4130ed
RemcosRAT
c08f8660869abf6cd065f4ff48ca284c76a715190e21d54226248cbf6be05709
RemcosRAT
error
RemcosRAT
+ 8 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remote collection credential_access discovery execution rat stealer
Link:
https://tria.ge/reports/260522-l6h3vagy7p/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Time Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Drops startup file
Command and Scripting Interpreter: PowerShell
Uses browser remote debugging
Badlisted process makes network request
Family: Remcos
Process spawned unexpected child process
Malware Config
C2 Extraction:
46.151.182.76:8080
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/e252cd399ca7d1102917946ea9cbd9cf4e9d03bf0180d26a43946cafc4b7acb4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Java Script (JS) js e252cd399ca7d1102917946ea9cbd9cf4e9d03bf0180d26a43946cafc4b7acb4

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments