MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5db217d0e51f8314d13845973949dd917e6c6dda1fd7b65fe6676dd92525c3fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5db217d0e51f8314d13845973949dd917e6c6dda1fd7b65fe6676dd92525c3fa
SHA3-384 hash: e05da17253cbd784047a5c1b842e1cc8ff6ed2bb766a9d8a96734417bbb84bc94b11340a10cef5806d6a507088cc686e
SHA1 hash: 837d8b262fc572053f75a2564b9ce6c9146976aa
MD5 hash: e5072c7612ace7dd2883a6dfc2f64c39
humanhash: finch-april-mars-aspen
File name:INQ-ESP.1285.JS
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:18'506'129 bytes
First seen:2025-06-18 08:06:32 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 1536:jTCh2ZNqQ1NQAP8asx6B2YZN5fBb0PuadhuQu:TZNqQ1NQ9abB2+b0PuchuQu
Threatray 357 similar samples on MalwareBazaar
TLSH T15D17789F2DF1605811942DD0AF238EFD1F35EAB5DCAE1C8DFA95D20C282C7719482DA9
Magika javascript
Reporter abuse_ch
Tags:js RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
NL NL
Vendor Threat Intelligence
Gathering data
Verdict:
Malicious
Labled as:
PowerShell/TrojanDownloader.Agent
Link:
https://www.hybrid-analysis.com/sample/5db217d0e51f8314d13845973949dd917e6c6dda1fd7b65fe6676dd92525c3fa
Result
Threat name:
Remcos, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1717252
Signature
Allocates many large memory junks
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Drops PE files with a suspicious file extension
Found malware configuration
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Suspicious Creation with Colorcpl
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1717252 Sample: INQ-ESP.1285.JS.js Startdate: 18/06/2025 Architecture: WINDOWS Score: 100 36 geoplugin.net 2->36 42 Suricata IDS alerts for network traffic 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 10 other signatures 2->48 9 rundll32.exe 3 2->9         started        11 wscript.exe 1 2 2->11         started        signatures3 process4 signatures5 14 Bzkoeqqa.PIF 7 9->14         started        60 Windows Scripting host queries suspicious COM object (likely to drop second stage) 11->60 17 HEO.PIF 8 3 11->17         started        process6 file7 62 Writes to foreign memory regions 14->62 64 Allocates memory in foreign processes 14->64 66 Allocates many large memory junks 14->66 20 colorcpl.exe 6 13 14->20         started        34 C:\Users\user\Links\Bzkoeqqa.PIF, PE32 17->34 dropped 68 Drops PE files with a suspicious file extension 17->68 70 Creates a thread in another existing process (thread injection) 17->70 72 Injects a PE file into a foreign processes 17->72 74 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 17->74 24 cmd.exe 1 17->24         started        26 SndVol.exe 17->26         started        signatures8 process9 dnsIp10 38 198.55.98.242, 49688, 7647 ASN-QUADRANET-GLOBALUS United States 20->38 40 geoplugin.net 178.237.33.50, 49696, 80 ATOM86-ASATOM86NL Netherlands 20->40 50 Contains functionality to bypass UAC (CMSTPLUA) 20->50 52 Detected Remcos RAT 20->52 54 Contains functionalty to change the wallpaper 20->54 58 3 other signatures 20->58 56 Uses schtasks.exe or at.exe to add and modify task schedules 24->56 28 conhost.exe 24->28         started        30 schtasks.exe 1 24->30         started        32 WerFault.exe 21 26->32         started        signatures11 process12
Score:
88%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/5db217d0e51f8314d13845973949dd917e6c6dda1fd7b65fe6676dd92525c3fa
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5db217d0e51f8314d13845973949dd917e6c6dda1fd7b65fe6676dd92525c3fa/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lwzbpuhfd6brjujyiwltsso5sf7gy3o2d7l3mx7gm5w5sjjfyp5a._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
Similar samples:
5db217d0e51f8314d13845973949dd917e6c6dda1fd7b65fe6676dd92525c3fa
RemcosRAT
7bebb4d67681a2bbc41b319216b30634a031700e7158d2ba98ef65567d7405f2
RemcosRAT
933b087d6005a3d6631c0488bb71dcc2aadcfc80d47e1818efc6d892259bbff4
RemcosRAT
a6a7bc63173aa9d0395bdfb47d09b97d5304856e3a856ef8231dc25341d99793
RemcosRAT
b8373fea2c5155a89422132909719c981bd4ec94e29158b4301001fb66953fa0
RemcosRAT
c39f34c2541a3b808efabac95b5f7182b38f1f5a49cfc1037d53a89c527ed376
RemcosRAT
error
RemcosRAT
f21c0eca3a658a0534304f54b0ed6dabb7753f220bf6c1284bb3bfd1caf84656
RemcosRAT
f67132cce7f29a8ee2355a8354f630c2bfbec20697664559d413808a48c2e56e
RemcosRAT
+ 347 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader discovery execution trojan
Link:
https://tria.ge/reports/250618-j1pmbsdm4s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Executes dropped EXE
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5db217d0e51f8314d13845973949dd917e6c6dda1fd7b65fe6676dd92525c3fa

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments