MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94d359b58ad8043b411eb3b9ca8f983a1f4eb3f732a92e8a8c92c5432499d907. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	94d359b58ad8043b411eb3b9ca8f983a1f4eb3f732a92e8a8c92c5432499d907
SHA3-384 hash:	9af55a635ef4ff9672969394ce2b29e0baa30cb719f7be3daa02108b0875f58e82f676e83c55b9ed75a02575d79ec24f
SHA1 hash:	fac2861548084285fa19077acfe67334c6b31a29
MD5 hash:	556e96915efe36ae3b6a50e9af9bde1f
humanhash:	single-potato-colorado-xray
File name:	IMG-202508-WA0008.js
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	5'911'383 bytes
First seen:	2025-08-15 13:12:08 UTC
Last seen:	Never
File type:	js
MIME type:	text/plain
ssdeep	98304:sotHyfYk55qvz8BCx1Y36IRXkZt55kb82Rh/fpOuvyvz+tMOUVMixOn9dKzP:PoYSEvQkxtXkb82Rh/fp3vezHhZwd6P
Threatray	4'099 similar samples on MalwareBazaar
TLSH	T19656E7562BC0D4727B656B5CBA3BE5B4840A104368CADF2130ECDA153AEDD07A74CBF6
Magika	javascript
Reporter	James_inthe_box
Tags:	exe js RemcosRAT

Intelligence

File Origin

# of uploads :

1

# of downloads :

79

Origin country :

US

Vendor Threat Intelligence

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=689f3248b0026751df5c7c32

Tags:

dropper emotet spawn blic

Verdict:

Malicious

Labled as:

Trojan/JS.Agent

Link:

https://www.hybrid-analysis.com/sample/94d359b58ad8043b411eb3b9ca8f983a1f4eb3f732a92e8a8c92c5432499d907

Score:

86%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/94d359b58ad8043b411eb3b9ca8f983a1f4eb3f732a92e8a8c92c5432499d907

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/94d359b58ad8043b411eb3b9ca8f983a1f4eb3f732a92e8a8c92c5432499d907/

Verdict:

Malicious

Threat:

Family.REMCOS

Link:

https://tip.neiki.dev/file/94d359b58ad8043b411eb3b9ca8f983a1f4eb3f732a92e8a8c92c5432499d907

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2025-08-15 05:59:19 UTC

File Type:

Text (JavaScript)

AV detection:

6 of 23 (26.09%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=stjvtnmk3acdwqi6wo44vd4yhipu5m7xgkus5cumslcugjez3edq._file

Verdict:

malicious

Label(s):

dbatloader

remcos

Similar samples:

066ae9155891b102aaec4c4b2731fd9cc434f58b8687dd71d58728bc0c9d78ce

11433468e3572b72da5f85dad70544d49b68883801a8defa35ff29626c3b95a1

150adfe834b0509c5fa6f96048215cb69a9810d5ab2157aea11f72c6d9221e68

2d2f75ebacf859e1d3022588fdcee9c11e1a18a0bba02c65c8968501c89de6a5

9b2de92b594b90349714b0aa22ff5346729e829804d7b58804ab90c0dbc82d44

dcce4fcb1527dade75d9e78cd0b1c252166253ebd393c59fe613901df50ef8ec

ea9723cd4dfeb319cedc75c0dd4cb5fa326b995580aee939085780092aafcda9

+ 4'089 additional samples on MalwareBazaar

Result

Malware family:

modiloader

Score:

10/10

Tags:

family:modiloader defense_evasion discovery execution persistence trojan

Link:

https://tria.ge/reports/250815-qfrphsaq4s/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Binary Proxy Execution: ScriptRunner

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

ModiLoader Second Stage

ModiLoader, DBatLoader

Modiloader family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.30

Link:

https://yomi.yoroi.company/submissions/94d359b58ad8043b411eb3b9ca8f983a1f4eb3f732a92e8a8c92c5432499d907

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample