MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25c3bd326e331a73559179092b5d981361dbc693dea7ee098dd4e279f56e084e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 25c3bd326e331a73559179092b5d981361dbc693dea7ee098dd4e279f56e084e
SHA3-384 hash: 70ee74ccc2753f5f231161b20d90f5de5d7caeb3ae8a2a7fa5f36bc6bea4b9053bdda3c6eb368627c3f77316ec4bf5fa
SHA1 hash: a71a7fe89268e685c66ee9ad2f4b98e8488b9548
MD5 hash: cc726118cbd826b716eeb32820cefcb6
humanhash: high-floor-kilo-carbon
File name:DHL Shipment Details.xls
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:290'816 bytes
First seen:2026-05-08 09:56:04 UTC
Last seen:Never
File type:Excel file xls
MIME type:application/vnd.ms-excel
ssdeep 6144:5NBkSlS8E6akBw9OVbWnKNdpkfomLnW1rm/wLHNQKzRxBfu6qdsxx:58SlLXzSnKTpMtMq/QnzQ6/x
TLSH T16A54CF27A55AC903EF7643744FA74959071DBE287BC1124B382E3F2A63B1E69CD8F049
TrID 34.0% (.XLS) Microsoft Excel sheet (32500/1/3)
29.3% (.XLS) Microsoft Excel sheet (alternate) (28000/1/3)
25.6% (.XLS) Microsoft Excel sheet (alternate) (24500/1/2)
8.3% (.) Generic OLE2 / Multistream Compound (8000/1)
2.6% (.ASSETS) Unity binary serialized Assets (generic) (2509/3/1)
Magika xls
Reporter abuse_ch
Tags:cve-2017-0199 DHL RemcosRAT xls

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE dump

MalwareBazaar was able to identify 18 sections in this file using oledump:

Section IDSection sizeSection name
1114 bytesCompObj
2244 bytesDocumentSummaryInformation
3200 bytesSummaryInformation
476 bytesMBD00B4C27D/CompObj
5109311 bytesMBD00B4C27D/Ole10Native
694 bytesMBD00B4C27E/CompObj
720 bytesMBD00B4C27E/Ole
853021 bytesMBD00B4C27E/CONTENTS
9746 bytesMBD00B4C27F/Ole
10110238 bytesWorkbook
11533 bytes_VBA_PROJECT_CUR/PROJECT
12104 bytes_VBA_PROJECT_CUR/PROJECTwm
13977 bytes_VBA_PROJECT_CUR/VBA/Sheet1
14977 bytes_VBA_PROJECT_CUR/VBA/Sheet2
15977 bytes_VBA_PROJECT_CUR/VBA/Sheet3
16985 bytes_VBA_PROJECT_CUR/VBA/ThisWorkbook
172644 bytes_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
18553 bytes_VBA_PROJECT_CUR/VBA/dir

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
MSO
Details
MSO
extracted VBA Macros and, if observed, MS-OFORM variables/data are added to the knowledge base for usage in later parsing of the Macros
Link:
https://research.acce.ciphertechsolutions.com/results/a6b1b376-649d-456b-9513-edba881e92f6/
Malware family:
n/a
ID:
1
File name:
_25c3bd326e331a73559179092b5d981361dbc693dea7ee098dd4e279f56e084e.xls
Verdict:
No threats detected
Analysis date:
2026-05-08 10:00:43 UTC
Tags:
ole-embedded
Link:
https://app.any.run/tasks/98f7db21-35fa-41d2-aaef-a1c053f42bf6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
application/vnd.ms-excel
Has a screenshot:
False
Contains macros:
False
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/64868/
Detection(s):
Sanesecurity.Badmacro.Xls.BadUsr1.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.VBA.Agent-16.UNOFFICIAL
Create hunting rule

Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Result
Verdict:
Malicious
File Type:
Legacy Excel File with Macro
Link:
https://app.docguard.net/25c3bd326e331a73559179092b5d981361dbc693dea7ee098dd4e279f56e084e/results/dashboard
Payload URLs
URL
File name
http://www.iec.ch
WorkBook
Behaviour
SuspiciousRTF detected
Document image
Image:
Download PNG
Document image
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
CVE-2017-0199 exploit macros
Link:
https://www.filescan.io/uploads/69fdb3452fcb905ec2881557/reports/6592ecc7-60a7-4d99-abd3-c291eba005ab/overview
Verdict:
Malicious
Labled as:
CVE-2017-0199
Link:
https://www.hybrid-analysis.com/sample/25c3bd326e331a73559179092b5d981361dbc693dea7ee098dd4e279f56e084e
Label:
Benign
Suspicious Score:
/10
Score Malicious:
%
Score Benign:
1%
Link:
https://www.malware.ai/gui/files/?id=551d2ba2-e92d-4bc2-bf59-37ab776f043d
Result
Verdict:
SUSPICIOUS
Link:
https://labs.inquest.net/dfi/sha256/25c3bd326e331a73559179092b5d981361dbc693dea7ee098dd4e279f56e084e
Details
Document With Few Pages
Document contains between one and three pages of content. Most malicious documents are sparse in page count.
Excel Macro Manipulates Hidden Sheets
Detected macro logic designed to hide a sheet within the current, or another spreadsheet. This technique is not necessarily indicative of malicious behavior as hidden sheets have legitimate uses.
Verdict:
Malicious
File Type:
xls
First seen:
2026-05-08T02:41:00Z UTC
Last seen:
2026-05-10T07:38:00Z UTC
Hits:
~1000
Detections:
Trojan-Downloader.Agent.HTTP.C&C HEUR:Trojan.OLE2.UrcBadur.genw HEUR:Trojan.OLE2.Badur.genw HEUR:Exploit.MSOffice.CVE-2017-0199.a
Link:
https://opentip.kaspersky.com/25c3bd326e331a73559179092b5d981361dbc693dea7ee098dd4e279f56e084e/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1910591
Signature
Creates and opens a fake document (probably a fake document to hide exploiting)
Document exploit detected (process start blacklist hit)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Microsoft Office Child Process
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
OFFICE
Link:
https://malprob.io/report/25c3bd326e331a73559179092b5d981361dbc693dea7ee098dd4e279f56e084e
Verdict:
Malware
YARA:
7 match(es)
Tags:
Corrupted Office Document
Link:
https://app.malva.re/file/cc726118cbd826b716eeb32820cefcb6
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/25c3bd326e331a73559179092b5d981361dbc693dea7ee098dd4e279f56e084e/
Verdict:
Malicious
Threat:
Trojan.OLE2.UrcBadur
Link:
https://tip.neiki.dev/file/25c3bd326e331a73559179092b5d981361dbc693dea7ee098dd4e279f56e084e
Threat name:
Win32.Trojan.Qwexlafiba
Create hunting rule
Status:
Malicious
First seen:
2026-05-08 09:57:47 UTC
File Type:
Document
Extracted files:
55
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=exb32mtogmnhgvmrpeeswxmycnq5xrut32t64cmn2trht5lobbha._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
persistence ransomware
Link:
https://tria.ge/reports/260508-lzv4tsfw4s/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/25c3bd326e331a73559179092b5d981361dbc693dea7ee098dd4e279f56e084e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:informational_win_ole_exist
Create hunting rule
Author:Jeff White (karttoon@gmail.com) @noottrak
Description:Identify OLE Packages embedded in Office 97-2K3 Doc Files.
Rule name:informational_win_ole_protected
Create hunting rule
Author:Jeff White (karttoon@gmail.com) @noottrak
Description:Identify OLE Project protection within documents.
Rule name:XLS_STRINGS
Create hunting rule
Author:somedieyoungZZ
Description:Detect Strings targeting Bangladesh

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/64868/

Comments