MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f87e78b58711e82bf08aa3bec131f33f53fd5fcb9dfb3be847634e21ace80a54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f87e78b58711e82bf08aa3bec131f33f53fd5fcb9dfb3be847634e21ace80a54
SHA3-384 hash: a960c688a7f6c51645e7757f7d8f4415116ca530f6bf4e1b7c9f601d26306b03cb46678866a81d736a643fe2952ee022
SHA1 hash: f655346d5988c1582f20425a058f7d661ebbc7d5
MD5 hash: 573fcf46a8a5d7f6ce6c846a0b25af1f
humanhash: california-hawaii-mobile-fruit
File name:SW-036012291pdf.vbs
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'093'763 bytes
First seen:2026-03-11 17:33:41 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 192:q077777777777777777777777777777777777777777777777777777777777777:JH
Threatray 2'231 similar samples on MalwareBazaar
TLSH T1B03519ED87C3F96DCAD5E753524A942224B4705279A0127E3FC0C5D7E7B182E8EBA10E
Magika toml
Reporter ShadowOpCode
Tags:officedesk2026-4nmn-com RemcosRAT Spam-ITA vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
123
Origin country :
IT IT
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/57128/
Detection(s):
SecuriteInfo.com.VBS.Starter.505.14347.5261.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69b1a72f5a439615ccbf7227
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 evasive fingerprint obfuscated obfuscated opendir overlay packed powershell
Link:
https://www.filescan.io/uploads/69b1a799493cb7d62df7c218/reports/21e56f4d-6a72-4faa-bfa4-ed897e0c58d3/overview
Verdict:
Malicious
Labled as:
PSH/Agent.ACY
Link:
https://www.hybrid-analysis.com/sample/f87e78b58711e82bf08aa3bec131f33f53fd5fcb9dfb3be847634e21ace80a54
Verdict:
Malicious
File Type:
vbs
Detections:
Trojan.JS.SAgent.sb HEUR:Trojan.VBS.SAgent.gen HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/f87e78b58711e82bf08aa3bec131f33f53fd5fcb9dfb3be847634e21ace80a54/results?tab=lookup
Score:
30%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/f87e78b58711e82bf08aa3bec131f33f53fd5fcb9dfb3be847634e21ace80a54
Gathering data
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f87e78b58711e82bf08aa3bec131f33f53fd5fcb9dfb3be847634e21ace80a54/
Verdict:
Malicious
Threat:
Trojan.JS.SAgent
Link:
https://tip.neiki.dev/file/f87e78b58711e82bf08aa3bec131f33f53fd5fcb9dfb3be847634e21ace80a54
Threat name:
Script-WScript.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2026-03-10 14:06:37 UTC
File Type:
Binary
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7b7hrnmhchucx4ekuo7mcmpth5j72x6ltx5tx2chmnhcdlhibjka._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
07ca3c1f8d2a424f1873cf6eda6df16e69569aa98c5d152734668ea9d1f4c374
RemcosRAT
0e6a0dda6d54291452adeb1d7515cc8edad2705807d5a0343340ce7122cef8b1
RemcosRAT
19d1507a08193e55ebb5b873e23fa0fd1d54a29e413ccd51903d6f084556c1d3
RemcosRAT
1dd20400a7bb38e2bc807c8bbe15fb719b3466be957bbd9b71f620f876916287
RemcosRAT
4f5d1c5ad71e3be6754c31542735633c0be9224feae128e2bb4cec533e85c33e
RemcosRAT
61c61e5c4d5caa801b3d6ee7ba915ce19793274d659fc6e2bb14076fc5fdcb59
RemcosRAT
a1145ae7bbc7d896876d9bdd49c8186a6ced9103c847d5e86eeb7782057277a7
RemcosRAT
b2f7cd8a8984266ccf8060b18823cdbe01a88f62b809b083b681028c0c11d793
RemcosRAT
b65da47cf6dc6bc5ae6db9041f67c97a04f28672cea65e7ad9a0359391cdde48
RemcosRAT
e83039c747aa9f67494b6685cf5b53ce9afd955d6f4b0355c85a224c5c2e3ce8
RemcosRAT
error
RemcosRAT
+ 2'221 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:march collection credential_access discovery execution rat stealer
Link:
https://tria.ge/reports/260311-v5jgnaht6l/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Loads dropped DLL
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Uses browser remote debugging
Detected Nirsoft tools
Process spawned unexpected child process
Remcos
Remcos family
Malware Config
C2 Extraction:
officedesk2026.4nmn.com:1709
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/f87e78b58711e82bf08aa3bec131f33f53fd5fcb9dfb3be847634e21ace80a54

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/57128/

Comments