MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f65b1271deedcbcbcdd750047f8eb3a5548145546fc2b7847b263a5e52570b33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash: f65b1271deedcbcbcdd750047f8eb3a5548145546fc2b7847b263a5e52570b33
SHA3-384 hash: 5e0e4f948dfec5a87498af800e6fc9187be0412f36c678dbcd1a55f4f2c997f38ed52b790e37a6e1111c44c8e5b4bcd6
SHA1 hash: 26b6ea64d1a559bfbde180e9a41f0576e923f777
MD5 hash: 99b392b4d4d898bcc9cc9b982ad723c0
humanhash: yellow-oven-harry-alpha
File name:RFQ FOR ITEMSMATERIALS ORDER - QME2675079.js
Download: download sample
Signature RemcosRAT
File size:84'266 bytes
First seen:2026-06-15 20:31:03 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 1536:NBHrEXTi6Gxh/Ymo/MbrxgKAW2sa/da67D47izrrS2eKskU3vfsz:+TgdzbYW2sa/vs7i3eKVjz
TLSH T1F28329E0CD232D764F537B897CE586A1C77C8315662608A0E5CAC70D8409EECEB7D66B
Magika javascript
Reporter abuse_ch
Tags:js RemcosRAT

Intelligence


File Origin
# of uploads :
1
# of downloads :
160
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
92.5%
Tags:
uloader virus agent
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint masquerade repaired
Verdict:
Malicious
File Type:
js
First seen:
2026-06-15T05:14:00Z UTC
Last seen:
2026-06-17T18:16:00Z UTC
Hits:
~1000
Detections:
PDM:Trojan.Win32.Generic Trojan.VBS.SAgent.sb HEUR:Trojan.Script.SAgent.gen HEUR:Trojan.Script.Generic Trojan.PowerShell.Strion.sb
Result
Threat name:
Remcos, GuLoader
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Detected Remcos RAT
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
JavaScript source code contains functionality to generate code involving a shell, file or stream
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Remcos
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Unusual module load detection (module proxying)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1928389 Sample: RFQ FOR ITEMSMATERIALS ORDE... Startdate: 15/06/2026 Architecture: WINDOWS Score: 100 68 animal342.duckdns.org 2->68 70 cembusconfort.ro 2->70 76 Suricata IDS alerts for network traffic 2->76 78 Found malware configuration 2->78 80 Malicious sample detected (through community Yara rule) 2->80 84 13 other signatures 2->84 9 powershell.exe 17 2->9         started        12 wscript.exe 1 1 2->12         started        14 powershell.exe 16 2->14         started        16 powershell.exe 2->16         started        signatures3 82 Uses dynamic DNS services 68->82 process4 signatures5 116 Obfuscated command line found 9->116 118 Writes to foreign memory regions 9->118 120 Found suspicious powershell code related to unpacking or dynamic code loading 9->120 130 2 other signatures 9->130 18 backgroundTaskHost.exe 6 28 9->18         started        23 backgroundTaskHost.exe 9->23         started        25 conhost.exe 9->25         started        122 Wscript starts Powershell (via cmd or directly) 12->122 124 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->124 126 Suspicious execution chain found 12->126 128 Creates processes via WMI 12->128 27 powershell.exe 14 16 12->27         started        29 powershell.exe 14->29         started        31 conhost.exe 14->31         started        33 powershell.exe 16->33         started        35 conhost.exe 16->35         started        process6 dnsIp7 72 animal342.duckdns.org 138.199.59.5, 49701, 49702, 53522 CDNEXTGB Poland 18->72 60 C:\Users\user\AppData\Local\Temp\THFF98.tmp, MS-DOS 18->60 dropped 62 C:\Users\user\AppData\Local\Temp\THE98F.tmp, MS-DOS 18->62 dropped 64 C:\Users\user\AppData\Local\Temp\THE930.tmp, MS-DOS 18->64 dropped 66 18 other malicious files 18->66 dropped 86 Detected Remcos RAT 18->86 88 Writes to foreign memory regions 18->88 90 Maps a DLL or memory area into another process 18->90 37 userinit.exe 2 18->37         started        40 userinit.exe 1 18->40         started        42 userinit.exe 18->42         started        52 28 other processes 18->52 92 Found hidden mapped module (file has been removed from disk) 23->92 94 Unusual module load detection (module proxying) 23->94 96 Switches to a custom stack to bypass stack traces 23->96 74 cembusconfort.ro 37.251.154.11, 443, 49693, 49700 CYBER_FOLKS-RO-DC_FLORO Romania 27->74 98 Found suspicious powershell code related to unpacking or dynamic code loading 27->98 44 conhost.exe 27->44         started        100 Hides threads from debuggers 29->100 46 backgroundTaskHost.exe 29->46         started        48 backgroundTaskHost.exe 29->48         started        50 backgroundTaskHost.exe 33->50         started        file8 signatures9 process10 signatures11 102 Tries to steal Mail credentials (via file registry) 37->102 104 Unusual module load detection (module proxying) 37->104 106 Tries to steal Instant Messenger accounts or passwords 40->106 108 Tries to steal Mail credentials (via file / registry access) 40->108 110 Detected Remcos RAT 46->110 112 Hides threads from debuggers 46->112 54 backgroundTaskHost.exe 46->54         started        114 Tries to harvest and steal browser information (history, passwords, etc) 52->114 56 conhost.exe 52->56         started        58 reg.exe 1 1 52->58         started        process12
Gathering data
Threat name:
Win32.Trojan.Malgent
Status:
Malicious
First seen:
2026-06-15 08:04:49 UTC
File Type:
Text (JavaScript)
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Command and Scripting Interpreter: JavaScript
Badlisted process makes network request
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Author:vietdx.mb

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments