MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a599385c43311035af6070258be344f7aa74097cfe66137c0deb50100aab5a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash: 9a599385c43311035af6070258be344f7aa74097cfe66137c0deb50100aab5a6
SHA3-384 hash: 1cbed006b218e8cd1099c0e5ef944e6fdaede87c280ac7d455d13bdda6d5e1ad943645b1d6ba5bbcd341706cdfce30d3
SHA1 hash: 5f43297bb8a9df032fcb3ae86c890987aa693672
MD5 hash: b8c2c17fcd7306447c93b1af8a0fdce2
humanhash: december-don-lake-beer
File name:Purchase_Order_docs(1).js
Download: download sample
Signature RemcosRAT
File size:76'976 bytes
First seen:2026-06-22 15:21:09 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 1536:hGeS559dcXkAmqxAcV0PzC0unMsXpgkFXtP36+X5fOdic:hGeSD9WUAxJV0rhun7XpgstP3tXNOsc
TLSH T171734A60DA5105B34F83BB9CBCA90260CAADD321953349B1F6DAC70E910D9ECE77D25B
Magika javascript
Reporter abuse_ch
Tags:js RemcosRAT

Intelligence


File Origin
# of uploads :
1
# of downloads :
134
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade obfuscated repaired
Verdict:
Malicious
File Type:
js
First seen:
2026-06-22T02:04:00Z UTC
Last seen:
2026-06-24T10:25:00Z UTC
Hits:
~1000
Detections:
Trojan-Downloader.JS.SLoad.sb HEUR:Trojan.Script.Generic Trojan.JS.SAgent.sb HEUR:Trojan.Script.SAgent.gen
Result
Threat name:
Remcos, GuLoader
Detection:
malicious
Classification:
evad.troj.spyw
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Found suspicious powershell code related to unpacking or dynamic code loading
Injects code into the Windows Explorer (explorer.exe)
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
WScript reads language and country specific registry keys (likely country aware script)
Behaviour
Behavior Graph:
Verdict:
inconclusive
YARA:
1 match(es)
Verdict:
Malicious
Threat:
Trojan-Downloader.JS.SLoad
Threat name:
Win32.Trojan.Kepavll
Status:
Malicious
First seen:
2026-06-22 09:29:20 UTC
File Type:
Text (JavaScript)
AV detection:
12 of 38 (31.58%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
adware discovery execution spyware
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops desktop.ini file(s)
Checks QEMU agent file
Checks computer location settings
Badlisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments