MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41c5f1255cce4354260808461f21f81be011b7114a1782e60a28c3092e73f8af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT
Vendor detections: 10
Maldoc score: 9

SHA256 hash: 41c5f1255cce4354260808461f21f81be011b7114a1782e60a28c3092e73f8af
SHA3-384 hash: 6f093da27ff81d1c360a8319772cdb5cb1b244e8f6b2702236990242d16065abba5f708a74d2a906266f3adf59314405
SHA1 hash: dc11afd4b277f7c9f5efe3ad25f0fe3b450870d7
MD5 hash: fea8fccb24fde88471634fa9e0188c98
humanhash: stream-rugby-jupiter-twelve
File name: Remittance_Advice.xlsm
Signature: RemcosRAT
File size: 98'141 bytes
First seen: 2022-02-02 16:04:12 UTC
Last seen: Never
File type: Excel file xlsm
MIME type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep: 1536:HEOWAhnxLaboefBBN8dhYlhMG9nCUEWrWfxC8bC//7LMnCT3y:H/LpefzN8dmlh39nyfx1bC//7YnCT3y
TLSH: T182A32517D3694873FA28147978CA182344461C733223DCAA28D7B48FB3ABF716E75D96
Reporter: info_sec_ca
Tags: RemcosRAT xlsm

Office OLE Information

This malware sample appears to be an Office document. The following tables provide more information about this document, obtained using oletools and oledump.

OLE id
Maldoc score: 9
OLE dump

MalwareBazaar was able to identify 13 sections in this file using oledump:

Section ID  Section size  Section name
A1          410 bytes     PROJECT
A2          62 bytes      PROJECTwm
A3          1798 bytes    VBA/NAMEME
A4          3298 bytes    VBA/ThisWorkbook
A5          2767 bytes    VBA/_VBA_PROJECT
A6          1998 bytes    VBA/__SRP_0
A7          238 bytes     VBA/__SRP_1
A8          1068 bytes    VBA/__SRP_2
A9          396 bytes     VBA/__SRP_3
A10         606 bytes     VBA/__SRP_4
A11         226 bytes     VBA/__SRP_5
A12         519 bytes     VBA/dir
OLE vba

Using olevba, MalwareBazaar was able to extract and deobfuscate VBA script(s) from the OLE objects embedded in this file and derive the following information:

Type        Keyword             Description
AutoExec    Workbook_Activate   Runs when the Excel Workbook is opened
Suspicious  GetObject           May get an OLE object with a running instance
Suspicious  CallByName          May attempt to obfuscate malicious function calls
Suspicious  Hex Strings         Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
Suspicious  Base64 Strings      Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence


File Origin
# of uploads: 1
# of downloads: 119
Origin country: n/a

Vendor Threat Intelligence
Verdict: Malicious
File type: application/octet-stream
Has a screenshot: False
Contains macros: False

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
DNS request
Creating a process with a hidden window
Launching a process
Launching a process by exploiting the app vulnerability
Result
Verdict: Malicious
File Type: Excel File with Macro

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: macros macros-on-open
Label: Malicious
Suspicious Score: 9.9/10
Score Malicious: 1%
Score Benign: %

Result
Verdict: MALICIOUS
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro Execution Coercion
Detected a document that appears to social engineer the user into activating embedded logic.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Document With Minimal Content
Document contains less than 1 kilobyte of semantic information.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
DLL side loading technique detected
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (process start blacklist hit)
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Powershell drops PE file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious PowerShell Cmdline
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Uses ping.exe to check the status of other devices and networks
Very long command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected MSILLoadEncryptedAssembly
Yara detected Remcos RAT
Behaviour
Behavior Graph: (graph rendering not reproduced here) Behavior Graph ID: 565008, Sample: Remittance_Advice.xlsm, Startdate: 02/02/2022, Architecture: WINDOWS, Score: 100
Threat name: Script-Macro.Downloader.EncDoc
Status: Malicious
First seen: 2022-02-02 16:05:12 UTC
File Type: Document
Extracted files: 30
AV detection: 7 of 27 (25.93%)
Threat level: 3/5

Result
Malware family: n/a
Score: 10/10
Tags: macro
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments