MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16550f58e8ab8fbcf7dee33901008c44dd9fba3144e1edf94a0033afce770ea1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 16550f58e8ab8fbcf7dee33901008c44dd9fba3144e1edf94a0033afce770ea1
SHA3-384 hash: 87b19d4648ecfc87a87d334dca6d04580f85a7e3ba86dbd83646c21cf48194e7aed38fa76eae72c89d296a1ca2ebc2be
SHA1 hash: fbeb803116c8e7cb2a7d8a2ce73093ff5353a70c
MD5 hash: f8b201556d3c349d0fce9702c424c556
humanhash: indigo-edward-leopard-saturn
File name:weareverybeautifulgirlsxygirlwantokissmeharderthanbeforetogetmeback___sheisverybeeautifulgirlforme (1).doc
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:75'087 bytes
First seen:2024-04-09 13:49:34 UTC
Last seen:Never
File type:Word file doc
MIME type:text/rtf
ssdeep 1536:Lz7jWDvjKzZpNCYkLFjImCK3jNB3vhWQI/M+vPKkRRa+FIvMGO:LvjWDrKzmL9IM3jNRhW1M+nKkRRa+FIQ
TLSH T1A173BD6EE74F0915DF5597BB435A4B4A05FCB33DB28100B139AC973437AD82E4A628BC
Reporter e24111111111111
Tags:CVE-2017-11882 doc RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
371
Origin country :
GR GR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
16550f58e8ab8fbcf7dee33901008c44dd9fba3144e1edf94a0033afce770ea1.doc
Verdict:
Malicious activity
Analysis date:
2024-04-09 13:56:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4c4d1218-c0e2-407b-95d4-6dc08bb88c59

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Launching a process
Using the Windows Management Instrumentation requests
Creating a window
Sending an HTTP GET request
Creating a file in the %AppData% directory
Сreating synchronization primitives
Creating a file in the %temp% directory
Launching a service
Connection attempt by exploiting the app vulnerability
Launching a file downloaded from the Internet
Creating a process from a recently created file
Result
Verdict:
Malicious
File Type:
Fake RTF File
Link:
https://app.docguard.net/16550f58e8ab8fbcf7dee33901008c44dd9fba3144e1edf94a0033afce770ea1/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autoit embedequation exploit fingerprint keylogger lolbin packed shell32 shellcode
Link:
https://www.filescan.io/uploads/6615478d0b46b30369306a87/reports/a1d5437b-e354-495c-aba5-e1f3c91bfb67/overview
Verdict:
Malicious
Labled as:
CVE-2017-11882
Link:
https://www.hybrid-analysis.com/sample/16550f58e8ab8fbcf7dee33901008c44dd9fba3144e1edf94a0033afce770ea1
Label:
Malicious
Suspicious Score:
10/10
Score Malicious:
1%
Score Benign:
0%
Link:
https://www.malware.ai/gui/files/?id=2f3ddcc3-d348-4ae9-8a6a-ef6ec5164436
Result
Verdict:
MALICIOUS
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1423027
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Document exploit detected (creates forbidden files)
Document exploit detected (process start blacklist hit)
Drops PE files with benign system names
Drops VBS files to the startup folder
Found malware configuration
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Shellcode detected
Sigma detected: Drops script at startup location
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: Equation Editor Network Connection
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Remcos
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: System File Execution Location Anomaly
Sigma detected: Windows Binaries Write Suspicious Extensions
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1423027 Sample: orme (1).doc Startdate: 09/04/2024 Architecture: WINDOWS Score: 100 39 geoplugin.net 2->39 47 Multi AV Scanner detection for domain / URL 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 23 other signatures 2->53 10 WINWORD.EXE 336 13 2->10         started        signatures3 process4 process5 12 EQNEDT32.EXE 12 10->12         started        17 EQNEDT32.EXE 10->17         started        dnsIp6 45 192.3.95.135, 49164, 80 AS-COLOCROSSINGUS United States 12->45 35 C:\Users\user\AppData\Roaming\wininit.exe, PE32 12->35 dropped 37 C:\Users\user\AppData\...\wininit[1].exe, PE32 12->37 dropped 77 Office equation editor establishes network connection 12->77 79 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 12->79 19 wininit.exe 6 12->19         started        file7 signatures8 process9 file10 31 C:\Users\user\AppData\Local\...\excel.exe, PE32 19->31 dropped 55 Multi AV Scanner detection for dropped file 19->55 57 Binary is likely a compiled AutoIt script file 19->57 59 Machine Learning detection for dropped file 19->59 23 excel.exe 3 19->23         started        signatures11 process12 file13 33 C:\Users\user\AppData\Roaming\...\excel.vbs, data 23->33 dropped 61 Document exploit detected (creates forbidden files) 23->61 63 Binary is likely a compiled AutoIt script file 23->63 65 Machine Learning detection for dropped file 23->65 67 3 other signatures 23->67 27 svchost.exe 3 23->27         started        signatures14 process15 dnsIp16 41 shgoini.com 27->41 43 shgoini.com 107.175.229.143, 30902, 49165 AS-COLOCROSSINGUS United States 27->43 69 System process connects to network (likely due to code injection or exploit) 27->69 71 Contains functionality to bypass UAC (CMSTPLUA) 27->71 73 Detected Remcos RAT 27->73 75 4 other signatures 27->75 signatures17
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/16550f58e8ab8fbcf7dee33901008c44dd9fba3144e1edf94a0033afce770ea1
Detection:
cve-2017-11882-shellcode
Create hunting rule
Link:
https://mwdb.cert.pl/sample/16550f58e8ab8fbcf7dee33901008c44dd9fba3144e1edf94a0033afce770ea1/
Threat name:
Document-RTF.Exploit.CVE-2017-11882
Create hunting rule
Status:
Malicious
First seen:
2024-04-09 05:16:01 UTC
File Type:
Document
Extracted files:
4
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=czkq6whivoh3z5664m4qcaemitoz7orritq636kkaaz27ttxb2qq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/240409-q489gabh9s/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Launches Equation Editor
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Drops file in Windows directory
AutoIT Executable
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/16550f58e8ab/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/16550f58e8ab8fbcf7dee33901008c44dd9fba3144e1edf94a0033afce770ea1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_RTF_MalVer_Objects
Create hunting rule
Author:ditekSHen
Description:Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Rule name:SUSP_INDICATOR_RTF_MalVer_Objects
Create hunting rule
Author:ditekSHen
Description:Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.
Reference:https://github.com/ditekshen/detection

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Word file doc 16550f58e8ab8fbcf7dee33901008c44dd9fba3144e1edf94a0033afce770ea1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2806196/
  
Delivery method
Distributed via web download

Comments