MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 372f205233f7231b1615e6abef474063333a391bfaa5e3381659b96492607553. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 372f205233f7231b1615e6abef474063333a391bfaa5e3381659b96492607553
SHA3-384 hash: c1a52e5387be764300353e64164079e1017fcf62c333cc840dbc959cade4b27b06994b21beb3846cf9a3a0b497a2d26e
SHA1 hash: 1e8e7abc662091d4f7804acc6660285b384bcb45
MD5 hash: a965725e1f229d3007e7af8069ad7e1a
humanhash: music-sierra-pip-fish
File name:CopilotDrivers.js
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:5'475'961 bytes
First seen:2026-01-16 16:17:23 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 96:ngxDR7VjYLhjcQwBx77hvJVdivkWyGOqAjVjbGdCNulm1kHgBMyWiNKmyg5QApGe:wskvJsIbGCNTfuQ
Threatray 2'072 similar samples on MalwareBazaar
TLSH T15946FEA73A2151F400AA8507F319CDE4DE873029CD57DFAFEB0555EBBF85204828A6EC
Magika javascript
Reporter abuse_ch
Tags:js RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
166
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=696a64a157243ef151cd9751
Tags:
obfuscate xtreme shell
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated repaired
Link:
https://www.filescan.io/uploads/696a649b584f1963ad575add/reports/6e32d3ad-e176-42d3-a2e7-ddfae0e45d01/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/372f205233f7231b1615e6abef474063333a391bfaa5e3381659b96492607553
Verdict:
Malicious
File Type:
js
First seen:
2026-01-16T04:00:00Z UTC
Last seen:
2026-01-16T04:52:00Z UTC
Hits:
~10
Detections:
Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/372f205233f7231b1615e6abef474063333a391bfaa5e3381659b96492607553/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1852132
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates processes via WMI
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Reflective Assembly Load
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
Score:
10%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/372f205233f7231b1615e6abef474063333a391bfaa5e3381659b96492607553
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/372f205233f7231b1615e6abef474063333a391bfaa5e3381659b96492607553/
Verdict:
Malicious
Threat:
Family.REMCOSRAT
Link:
https://tip.neiki.dev/file/372f205233f7231b1615e6abef474063333a391bfaa5e3381659b96492607553
Threat name:
Script-JS.Trojan.ObfPadding
Create hunting rule
Status:
Malicious
First seen:
2026-01-16 16:18:27 UTC
File Type:
Binary
AV detection:
4 of 24 (16.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=g4xsaurt64rrwfqv42v66r2ammztuoi37ks6goawlg4wjetaovjq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0661369bcc84ed31ddf3effe5165105748fa42b9d0bbfef276ed606a3093c417
RemcosRAT
0780b511b4413c846adda72e7ede6afb0398a084112bf0399d2d4041f952cfa4
RemcosRAT
4127a4079f7e6e5eea6b7af83bf549afc542618cddae8d8b1003fe2baf9f7126
RemcosRAT
61eeefdc2978f29228bb31d1f2531593389c7c810abc3d43a380ba523f2d3fb2
RemcosRAT
9e54fdaa81f24b388c0b4e7defc9fb0f2d1bcaf2bab5b806e879e1ac9d19deaf
RemcosRAT
a65762b80a0786fc118a3ac10cc3d3cad0b3772694e85945ef03d8adf8fefc8b
RemcosRAT
b7bb8b7264e4deecc1009400a76c2b8aa1e6c7d972f7908d9b0ab79cb6d788a1
RemcosRAT
+ 2'062 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution
Link:
https://tria.ge/reports/260116-trmfqahy4f/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Command and Scripting Interpreter: JavaScript
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/372f205233f7231b1615e6abef474063333a391bfaa5e3381659b96492607553

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Java Script (JS) js 372f205233f7231b1615e6abef474063333a391bfaa5e3381659b96492607553

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3597686/
  
Delivery method
Distributed via web download

Comments