MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41b48f4d9714d0341dac4d33baca3c2c8e6ccb0f255f1a07f82f0c35162067f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 15


Maldoc score: 9


Intelligence 15 IOCs YARA 3 File information Comments

SHA256 hash: 41b48f4d9714d0341dac4d33baca3c2c8e6ccb0f255f1a07f82f0c35162067f4
SHA3-384 hash: 4994c9cf79ef636eb53f60d3fa2220babb82c51e423fb1dd0806cd1f5fff3986f95a3cf02d0da4b5d8cb4ce762cdd506
SHA1 hash: 1bdbd8ca44f9ca79dc2316291c37b21cc09f0c9e
MD5 hash: c5aa116f5515e660b53ff4bc50f4b4f1
humanhash: friend-pip-failed-football
File name:Fraud_Awareness_-_Bank_Records_-_Debits_Made.xls
Download: download sample
Signature RemcosRAT
File size:670'208 bytes
First seen:2026-07-03 18:01:41 UTC
Last seen:2026-07-03 18:02:49 UTC
File type:Excel file xls
MIME type:application/vnd.ms-excel
ssdeep 12288:nXjP1wRBME1LrwCGyzcdd1OJZ1gbvUxnoZXc:TPErstOJfgbvUxoZX
TLSH T1CAE4F14A75A9D98AC3BA57F15FC2C0D7820EBEA28E8A4127714E775F2F32E51EC03141
TrID 34.9% (.XLS) Microsoft Excel sheet (32500/1/3)
30.1% (.XLS) Microsoft Excel sheet (alternate) (28000/1/3)
26.3% (.XLS) Microsoft Excel sheet (alternate) (24500/1/2)
8.6% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika xls
Reporter TomU
Tags:RemcosRAT xls

Office OLE Information


This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 9
Application name is Microsoft Excel
File Format is MS Excel 97-2003
Container Format is OLE
Office document is in encrypted
Office document contains VBA Macros
OLE dump

MalwareBazaar was able to identify 20 sections in this file using oledump:

Section IDSection sizeSection name
1114 bytesCompObj
2244 bytesDocumentSummaryInformation
3200 bytesSummaryInformation
4114 bytesMBD0046FB8C/CompObj
5268 bytesMBD0046FB8C/DocumentSummaryInformation
6107192 bytesMBD0046FB8C/SummaryInformation
794 bytesMBD0046FB8C/MBD001CD4CA/CompObj
820 bytesMBD0046FB8C/MBD001CD4CA/Ole
9138920 bytesMBD0046FB8C/MBD001CD4CA/CONTENTS
10209667 bytesMBD0046FB8C/Workbook
11980 bytesMBD0046FB8D/Ole
12191588 bytesWorkbook
13531 bytes_VBA_PROJECT_CUR/PROJECT
14104 bytes_VBA_PROJECT_CUR/PROJECTwm
15977 bytes_VBA_PROJECT_CUR/VBA/Sheet1
16977 bytes_VBA_PROJECT_CUR/VBA/Sheet2
17977 bytes_VBA_PROJECT_CUR/VBA/Sheet3
18985 bytes_VBA_PROJECT_CUR/VBA/ThisWorkbook
192644 bytes_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
20553 bytes_VBA_PROJECT_CUR/VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
SuspiciousHex StringsHex-encoded strings were detected, may beused to obfuscate strings (option --decode tosee all)

Intelligence


File Origin
# of uploads :
2
# of downloads :
139
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://email.emss.gov.eg/owa/#path=/mail/inbox
Verdict:
Malicious activity
Analysis date:
2026-06-30 07:32:20 UTC
Tags:
phishing phish-outlook outlook

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
application/vnd.ms-excel
Has a screenshot:
False
Contains macros:
False
Verdict:
Malicious
Score:
96.5%
Tags:
trojan macro micro lien
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending an HTTP GET request
Connection attempt to an infection source by exploiting the app vulnerability
Сreating synchronization primitives
Connection attempt by exploiting the app vulnerability
Query of malicious DNS domain
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
macros
Label:
Malicious
Suspicious Score:
10/10
Score Malicious:
1%
Score Benign:
0%
Verdict:
Malicious
File Type:
xls
First seen:
2026-06-29T04:53:00Z UTC
Last seen:
2026-07-05T15:58:00Z UTC
Hits:
~10000
Detections:
Trojan.MSOffice.SAgent.sb Trojan-Downloader.Agent.HTTP.C&C HEUR:Trojan.Script.Generic HEUR:Trojan.OLE2.UrcBadur.genw HEUR:Trojan.OLE2.Badur.genw HEUR:Exploit.MSOffice.CVE-2017-0199.gen BSS:Exploit.Win32.Generic HEUR:Trojan-Downloader.MSOffice.Agent.gen
Verdict:
inconclusive
YARA:
6 match(es)
Tags:
Office Document
Threat name:
Win32.Trojan.Malgent
Status:
Malicious
First seen:
2026-06-29 15:10:01 UTC
File Type:
Document
Extracted files:
73
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  1/10
Tags:
persistence ransomware
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:informational_win_ole_protected
Author:Jeff White (karttoon@gmail.com) @noottrak
Description:Identify OLE Project protection within documents.
Rule name:NET
Author:malware-lu
Rule name:XLS_STRINGS
Author:somedieyoungZZ
Description:Detect Strings targeting Bangladesh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Excel file xls 41b48f4d9714d0341dac4d33baca3c2c8e6ccb0f255f1a07f82f0c35162067f4

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments