MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 069e33991bd7de11fd8defd71166ec16592380f263c3c71cd657abfba072cb60. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Maldoc score: 9


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 069e33991bd7de11fd8defd71166ec16592380f263c3c71cd657abfba072cb60
SHA3-384 hash: 42727669db24d84e659dfd9e7bfed525befd2798257f8fbb7690e5481006c6bf567db5a2ffcd76089bbb5c43e310bfda
SHA1 hash: d2167313fe068469e05ae6b719b129867ef92ee0
MD5 hash: e29bd4599eefa068da48a8d2c312b999
humanhash: delaware-sierra-kitten-oscar
File name:Payment_Advice_Note_wf002272.xls
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:233'984 bytes
First seen:2022-02-07 19:08:41 UTC
Last seen:Never
File type:Excel file xls
MIME type:application/vnd.ms-excel
ssdeep 6144:ogAPvAqW5261qSgMmM1c92+Cgmivgah5mAb4LeFOk:aZKcbgcigmivmqFOk
TLSH T1E834F111BB80D85AE29967B88EF6D29A7732FC455EC7420B728DF35E6F707809C06607
Reporter 604Kuzushi
Tags:RemcosRAT xls

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 9
OLE dump

MalwareBazaar was able to identify 17 sections in this file using oledump:

Section IDSection sizeSection name
1108 bytesCompObj
2264 bytesDocumentSummaryInformation
3256 bytesSummaryInformation
4213225 bytesWorkbook
5455 bytes_VBA_PROJECT_CUR/PROJECT
680 bytes_VBA_PROJECT_CUR/PROJECTwm
7991 bytes_VBA_PROJECT_CUR/VBA/Sheet1
82530 bytes_VBA_PROJECT_CUR/VBA/ThisWorkbook
92820 bytes_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
101871 bytes_VBA_PROJECT_CUR/VBA/__SRP_0
11234 bytes_VBA_PROJECT_CUR/VBA/__SRP_1
12852 bytes_VBA_PROJECT_CUR/VBA/__SRP_2
13230 bytes_VBA_PROJECT_CUR/VBA/__SRP_3
14214 bytes_VBA_PROJECT_CUR/VBA/__SRP_4
15220 bytes_VBA_PROJECT_CUR/VBA/__SRP_5
16562 bytes_VBA_PROJECT_CUR/VBA/dir
172034 bytes_VBA_PROJECT_CUR/VBA/dufzG
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecWorkbook_ActivateRuns when the Excel Workbook is opened
SuspiciousGetObjectMay get an OLE object with a running instance
SuspiciousCallByNameMay attempt to obfuscate malicious function calls
SuspiciousChrMay attempt to obfuscate specific strings (use option --deobf to deobfuscate)
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads :
1
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e29bd4599eefa068da48a8d2c312b999.xls.vir
Verdict:
Malicious activity
Analysis date:
2022-02-08 04:26:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f95ea923-e2f1-46d7-be7a-87522c3eca22

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
File type:
application/vnd.ms-excel
Has a screenshot:
False
Contains macros:
True
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/236426/
Detection(s):
TwinWave.GetObjectStringManipulationDontMessAroundWithJim.20200804.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.TakeMeHomeTonight.20210923.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.OutRunThis.20220121.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.EvilDoc.DMC12_GAUGE_SHELLAPP.20210901.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Launching a process by exploiting the app vulnerability
Result
Verdict:
Malicious
File Type:
Legacy Excel File with Macro
Link:
https://app.docguard.net/069e33991bd7de11fd8defd71166ec16592380f263c3c71cd657abfba072cb60/results/dashboard
Payload URLs
URL
File name
http://64.188.19.241/dataf.vbs'',$env
WorkBook
Document image
Image:
Download PNG
Document image
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
macros macros-on-open powershell wscript
Link:
https://www.filescan.io/uploads/62016e524077c8b9a01caf87/reports/977f70ff-05e5-464c-8b1f-e9c49224725c/overview
Label:
Benign
Suspicious Score:
4.3/10
Score Malicious:
44%
Score Benign:
56%
Link:
https://www.malware.ai/gui/files/?id=a461c942-215a-47e8-a83c-81d6f11efaf0
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/069e33991bd7de11fd8defd71166ec16592380f263c3c71cd657abfba072cb60
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
IPv4 Dotted Quad URL
A URL was detected referencing a direct IP address, as opposed to a domain name.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/935620
Signature
Antivirus detection for URL or domain
DLL side loading technique detected
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (process start blacklist hit)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious PowerShell Cmdline
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Uses ping.exe to check the status of other devices and networks
Very long command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Wscript starts Powershell (via cmd or directly)
Yara detected MSILLoadEncryptedAssembly
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 568100 Sample: Payment_Advice_Note_wf002272.xls Startdate: 08/02/2022 Architecture: WINDOWS Score: 100 48 google.com 2->48 60 Multi AV Scanner detection for domain / URL 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 Antivirus detection for URL or domain 2->64 66 10 other signatures 2->66 10 EXCEL.EXE 53 13 2->10         started        signatures3 process4 file5 40 C:\Users\...\Payment_Advice_Note_wf002272.xls, Composite 10->40 dropped 76 Suspicious powershell command line found 10->76 14 powershell.exe 12 7 10->14         started        signatures6 process7 dnsIp8 54 64.188.19.241, 49167, 49168, 80 ASN-QUADRANET-GLOBALUS United States 14->54 46 C:\Users\user\AppData\Local\Temp\run.vbs, ASCII 14->46 dropped 56 Uses ping.exe to check the status of other devices and networks 14->56 58 Powershell drops PE file 14->58 19 wscript.exe 11 14->19         started        22 PING.EXE 14->22         started        file9 signatures10 process11 dnsIp12 68 System process connects to network (likely due to code injection or exploit) 19->68 70 Wscript starts Powershell (via cmd or directly) 19->70 72 Very long command line found 19->72 74 2 other signatures 19->74 25 powershell.exe 4 11 19->25         started        30 cmd.exe 19->30         started        50 google.com 172.217.168.14 GOOGLEUS United States 22->50 signatures13 process14 dnsIp15 52 209.127.19.101, 49169, 80 SERVER-MANIACA Canada 25->52 42 C:\Users\user\AppData\...\AgileDotNetRT64.dll, PE32+ 25->42 dropped 44 C:\Users\user\AppData\...\AgileDotNetRT64.dll, PE32+ 25->44 dropped 78 DLL side loading technique detected 25->78 32 RegAsm.exe 25->32         started        34 RegAsm.exe 25->34         started        36 RegAsm.exe 25->36         started        38 2 other processes 25->38 file16 signatures17 process18
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/069e33991bd7de11fd8defd71166ec16592380f263c3c71cd657abfba072cb60/
Threat name:
Script-Macro.Downloader.EncDoc
Create hunting rule
Status:
Malicious
First seen:
2022-02-07 19:09:08 UTC
File Type:
Document
Extracted files:
25
AV detection:
13 of 27 (48.15%)
Threat level:
  3/5
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:shiesty macro macro_on_action rat
Link:
https://tria.ge/reports/220207-xtsx3afhbk/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Blocklisted process makes network request
Process spawned unexpected child process
Remcos
Malware Config
C2 Extraction:
shiestynerd.dvrlists.com:10174
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/069e33991bd7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:TA505_Maldoc_21Nov_2
Create hunting rule
Author:Arkbird_SOLG
Description:invitation (1).xls
Reference:https://twitter.com/58_158_177_102/status/1197432303057637377

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Excel file xls 069e33991bd7de11fd8defd71166ec16592380f263c3c71cd657abfba072cb60

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/236426/

Comments