MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f7e614ee696c3c2c437fa513db6c09a5203536793ef2e2b2f47971df90fbc1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 8



SHA256 hash: 5f7e614ee696c3c2c437fa513db6c09a5203536793ef2e2b2f47971df90fbc1f
SHA3-384 hash: bc352374a28cf0037a339cb14321b5580b1ccd832c97cadb0ae76ff3c8eba64a2a35b808f674ffb859a93b768a4f2ff4
SHA1 hash: e90101a6ce07dd7e13446ade45aeee7a888433f6
MD5 hash: 136d009e2306806d83c76ff8fb72650f
humanhash: magazine-michigan-burger-quiet
File name: NS 001 DOP IPS ORIENTATIONS.doc
Download: download sample
Signature: RemcosRAT
File size: 692'298 bytes
First seen: 2021-04-01 16:08:41 UTC
Last seen: 2021-04-01 17:06:32 UTC
File type: Word file doc
MIME type: text/rtf
ssdeep: 6144:hF8aQDHMeLZIpZ2+W96n+1ugN5I0IWIMmb7/I91N+o+2WM4l1JW:hIHFUjW4+1uvhWoI91NDH
TLSH: 3AE4B5F404C918A5E2C7C0817EAEFDA012B6F5DBCDE68D6413BCD2720979B66BD43909
Reporter: c_APT_ure
Tags: DESKTOP-group remcos RemcosRAT


c_APT_ure
Date: Thu, 01 Apr 2021 03:30:58 -0700
From: PTC SUPPORT <ptc.support@upu.int>
To: undisclosed-recipients:;
Subject: DILIGENCE FORM IPS
Message-ID: <9186836bcc1de9ffa225f47a37cf9ccb@upu.int>
X-Sender: ptc.support@upu.int
User-Agent: Roundcube Webmail/1.3.16

Attachment:
136d009e2306806d83c76ff8fb72650f NS 001 DOP IPS ORIENTATIONS.doc

Payload URL
https://urlhaus.abuse.ch/url/1101124/
- hXXp://179.43.140[.]150/shtq/Fake.jpg

Remcos C2:
poseidon99.ddns[.]net (79.134.225[.]73)

Intelligence


File Origin
# of uploads:
2
# of downloads:
157
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NS 001 DOP IPS ORIENTATIONS.doc
Verdict:
No threats detected
Analysis date:
2021-04-01 16:20:27 UTC
Tags:
generated-doc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
File type:
application/msword
Has a screenshot:
False
Contains macros:
False
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Result
Verdict:
MALICIOUS
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Document With Few Pages
Document contains between one and three pages of content. Most malicious documents are sparse in page count.
Macro with File System Write
Detected macro logic that can write data to the file system.
IPv4 Dotted Quad URL
A URL was detected referencing a direct IP address, as opposed to a domain name.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Result
Threat name:
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Document exploit detected (process start blacklist hit)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Powershell download and execute file
Sigma detected: Remcos
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected MSILLoadEncryptedAssembly
Yara detected Powershell download and execute
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Behavior Graph ID: 380563; Sample: NS 001 DOP IPS ORIENTATIONS.doc; Startdate: 02/04/2021; Architecture: WINDOWS; Score: 100
Process chain shown in the graph: EXCEL.EXE (several instances) -> powershell.exe (several instances) -> RegSvcs.exe (several instances)
Network from powershell.exe: 179.43.140.150, 49167, 49168, 49177, PLI-ASCH Panama
Network from RegSvcs.exe: poseidon99.ddns.net 79.134.225.73, 47582, 49169, 49170, FINK-TELECOM-SERVICESCH Switzerland
Signatures attached to the graph: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Powershell download and execute file; 11 other signatures (sample); Writes to foreign memory regions; Injects a PE file into a foreign processes (powershell.exe); Contains functionality to steal Chrome passwords or cookies; Contains functionality to capture and log keystrokes; Contains functionality to inject code into remote processes; 3 other signatures (RegSvcs.exe)
Threat name:
Script-PowerShell.Exploit.CVE-2017-0199
Status:
Malicious
First seen:
2021-04-01 16:09:05 UTC
AV detection:
10 of 45 (22.22%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
1/10
Tags:
n/a
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria
Rule name: INDICATOR_RTF_Embedded_Excel_SheetMacroEnabled
Author: ditekSHen
Description: Detects RTF documents embedding an Excel sheet with macros enabled. Observed in exploit followed by dropper behavior
Rule name: INDICATOR_RTF_EXPLOIT_CVE_2017_8759_2
Author: ditekSHen
Description: Detects CVE-2017-8759 weaponized RTF documents.
Rule name: IPPort_combo_mem
Author: James_inthe_box
Description: IP and port combo
Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del
Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo
Rule name: SharedStrings
Author: Katie Kleemola
Description: Internal names found in LURK0/CCTV0 samples
Rule name: UAC_bypass_bin_mem
Author: James_inthe_box
Description: UAC bypass in files like avemaria

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Word file doc 5f7e614ee696c3c2c437fa513db6c09a5203536793ef2e2b2f47971df90fbc1f

(this sample)

Delivery method
Distributed via e-mail attachment

Comments