MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c63dee86806da2bd0061973cd65f45f3a9326a42e843b5a0a5824e73ebf5916d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c63dee86806da2bd0061973cd65f45f3a9326a42e843b5a0a5824e73ebf5916d
SHA3-384 hash: 13b4819e54d40b8ebd7a6d891cc51082c382b9ca63acb966c7e343b69436b85a6200a457e0eae7924106217aaecff4da
SHA1 hash: e7157fa52804ca8434e056f13bb8b59835f7bf44
MD5 hash: e2adcfcd0be5c41db181067bd4a1b0ef
humanhash: idaho-william-august-wisconsin
File name:FedEx Import Invoice AWB# 390444549836.JS
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:7'062'428 bytes
First seen:2025-07-12 17:37:23 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 196608:SZ+NAimuo7TJ7t7pdfsYmjtUrnIvUl5d9JYhz/YyYT25:ZNA6o/FtlVsDUzUUl5dsl/Rp5
Threatray 4'117 similar samples on MalwareBazaar
TLSH T1206640C7E5F19AE0B2882F983938774388CD4197EB6654F466A8DA36CD3D519C38E433
Magika javascript
Reporter abuse_ch
Tags:FedEx js RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
28
Origin country :
SE SE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68729d66900df8e7f86a3d41
Tags:
delphi emotet
Verdict:
Suspicious
Labled as:
JS/Agent.DBE
Link:
https://www.hybrid-analysis.com/sample/c63dee86806da2bd0061973cd65f45f3a9326a42e843b5a0a5824e73ebf5916d
Result
Threat name:
Remcos, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1734829
Signature
Allocates many large memory junks
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Remcos
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DBatLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1734829 Sample: FedEx Import Invoice AWB# 3... Startdate: 12/07/2025 Architecture: WINDOWS Score: 100 45 email-server.xyz 2->45 47 geoplugin.net 2->47 53 Suricata IDS alerts for network traffic 2->53 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 61 12 other signatures 2->61 10 rundll32.exe 3 2->10         started        12 wscript.exe 1 6 2->12         started        signatures3 59 Performs DNS queries to domains with low reputation 45->59 process4 signatures5 15 Jsxfxhjd.PIF 10->15         started        79 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->79 18 ScriptRunner.exe 3 12->18         started        process6 signatures7 85 Early bird code injection technique detected 15->85 87 Allocates memory in foreign processes 15->87 89 Allocates many large memory junks 15->89 20 colorcpl.exe 15->20         started        23 wall.css.exe 7 18->23         started        25 conhost.exe 18->25         started        process8 signatures9 63 Detected Remcos RAT 20->63 65 Contains functionalty to change the wallpaper 20->65 67 Contains functionality to steal Chrome passwords or cookies 20->67 75 3 other signatures 20->75 69 Early bird code injection technique detected 23->69 71 Allocates memory in foreign processes 23->71 73 Allocates many large memory junks 23->73 77 2 other signatures 23->77 27 SndVol.exe 2 13 23->27         started        31 cmd.exe 1 23->31         started        33 cmd.exe 1 23->33         started        35 cmd.exe 1 23->35         started        process10 dnsIp11 49 geoplugin.net 178.237.33.50, 49686, 80 ATOM86-ASATOM86NL Netherlands 27->49 51 email-server.xyz 216.250.253.13, 2990, 49685 AS-TIERP-19019US United States 27->51 81 Detected Remcos RAT 27->81 83 Uses schtasks.exe or at.exe to add and modify task schedules 31->83 37 conhost.exe 31->37         started        39 conhost.exe 33->39         started        41 schtasks.exe 1 33->41         started        43 conhost.exe 35->43         started        signatures12 process13
Score:
92%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/c63dee86806da2bd0061973cd65f45f3a9326a42e843b5a0a5824e73ebf5916d
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c63dee86806da2bd0061973cd65f45f3a9326a42e843b5a0a5824e73ebf5916d/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-07-12 00:57:46 UTC
File Type:
Text (JavaScript)
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yy665buanwrl2adbs46nmx2f6oute2sc5bb3liffqjhhh27vsfwq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
dbatloader
Create hunting rule
Similar samples:
0b090f1471629e7e852850166eb814c09ace3c88f0c9f5e5ffeb1b9f754875aa
RemcosRAT
28c5d4ff59d23953034db50e3b0246be696d767ccdd0e5e299e8617d93b5269d
RemcosRAT
3107d53f9e37c496f08e3742c379976a80f7297c192aba5b8eb7c5f29af18f33
RemcosRAT
70a92cdcd65bad4c5ed38adf340d5123944acde22d94c44df7ee8178f778d761
RemcosRAT
82f7dba0eebc3b3218d3457402d67086b617c3f3ee3ebaee7832dd3c9821e9dc
RemcosRAT
88b9af5f7b87fadf81fb9526558f9e65d5d4988b095248d3029d5c09d969b97c
RemcosRAT
911f50931932d8c5cc89812ad3a0aabca1ae57e9e6926b52a4c75e2ea1870621
RemcosRAT
dcce4fcb1527dade75d9e78cd0b1c252166253ebd393c59fe613901df50ef8ec
RemcosRAT
ea7950a3761e0dbcf1c6e3e2a1167ea296d7986864a35bfd260bb6c0e00f4747
RemcosRAT
error
RemcosRAT
+ 4'107 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader defense_evasion discovery execution persistence trojan
Link:
https://tria.ge/reports/250712-v7crwsaq9z/
Behaviour
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
System Binary Proxy Execution: ScriptRunner
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments