MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7eedda8563dcd7ec049d04f836fd590cb047d3a5a89142221067ce97db1320e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7eedda8563dcd7ec049d04f836fd590cb047d3a5a89142221067ce97db1320e9
SHA3-384 hash: 61ce474fd26bc982db4f260c1a440cbdba5d5479c4ab9f3f3f6c16f7cd880f98f72e19173d85d7092aca0272794ce5a9
SHA1 hash: eccac256679e1ee760abb6922a1a8c5c86a38128
MD5 hash: 9c219e3bd7982c6c42d6fcd710c750bd
humanhash: fix-xray-table-dakota
File name:wecreatedwithnewthingswithouthavingnewthings______seethebestthingswithnewthingsgreatforeverybodytogetme______seethebestthignswithgreatthignsgoodforme.doc
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:88'581 bytes
First seen:2024-10-23 06:05:49 UTC
Last seen:2024-10-23 08:28:25 UTC
File type:Word file doc
MIME type:text/rtf
ssdeep 384:JzVX6j++Q+mYH4Ur+inrboE+Jkk6g3RXv3J/mK0jN57zm7DlpMyK5rpv43:LXA+SvbRnrM0CZv5/mK0jN5EpMLZpv43
TLSH T116833548D79F45A5CF44A633522B4A4942FCB73EF20502BAB06C93B137EDC2E44A59BC
Magika rtf
Reporter abuse_ch
Tags:CVE-2017-11882 doc RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
446
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
EX0096959.docx
Verdict:
Malicious activity
Analysis date:
2024-10-22 14:07:53 UTC
Tags:
cve-2017-11882 exploit
Link:
https://app.any.run/tasks/49448d27-dfa2-4f7a-92da-f826eeffd343

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Sanesecurity.Shelter.Malware.BadRtf.ObjUpd.UNOFFICIAL
Create hunting rule

MiscreantPunch.RTF.2017-0199.Obfus.171711.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=671893569e67c24682035d23
Tags:
Powershell Gumen
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Launching a process
Using the Windows Management Instrumentation requests
Creating a window
Sending an HTTP GET request
Creating a file in the %AppData% directory
Сreating synchronization primitives
Creating a process with a hidden window
Launching a service
Creating a file in the %temp% directory
Connection attempt
Creating a process from a recently created file
Possible injection to a system process
Connection attempt by exploiting the app vulnerability
Launching a process by exploiting the app vulnerability
Launching a file downloaded from the Internet
Result
Verdict:
Malicious
File Type:
Fake RTF File
Link:
https://app.docguard.net/7eedda8563dcd7ec049d04f836fd590cb047d3a5a89142221067ce97db1320e9/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6718924d718466003853f135/reports/1aa72080-ac82-40fe-93f3-d8d0d7ae3f0a/overview
Verdict:
Malicious
Labled as:
CVE-2017-11882
Link:
https://www.hybrid-analysis.com/sample/7eedda8563dcd7ec049d04f836fd590cb047d3a5a89142221067ce97db1320e9
Label:
Malicious
Suspicious Score:
10/10
Score Malicious:
1%
Score Benign:
0%
Link:
https://www.malware.ai/gui/files/?id=9a61d09d-1cd1-4030-9325-9ed99205616f
Result
Verdict:
MALICIOUS
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1539856
Signature
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Document exploit detected (process start blacklist hit)
Found malware configuration
Injects a PE file into a foreign processes
Installs new ROOT certificates
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: Equation Editor Network Connection
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Remcos
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1539856 Sample: oodforme.doc Startdate: 23/10/2024 Architecture: WINDOWS Score: 100 73 Suricata IDS alerts for network traffic 2->73 75 Found malware configuration 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 24 other signatures 2->79 12 WINWORD.EXE 291 17 2->12         started        process3 process4 14 EQNEDT32.EXE 12 12->14         started        19 EQNEDT32.EXE 12->19         started        dnsIp5 67 135.125.89.73, 49161, 49162, 49165 AVAYAUS United States 14->67 55 greatworkwithnewth...greatthignswith.hta, HTML 14->55 dropped 57 greatworkwithnewth...nswithmehave[1].hta, HTML 14->57 dropped 69 Office equation editor establishes network connection 14->69 71 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 14->71 21 mshta.exe 10 14->21         started        file6 signatures7 process8 signatures9 85 Suspicious powershell command line found 21->85 87 PowerShell case anomaly found 21->87 24 powershell.exe 24 21->24         started        process10 file11 51 wecreatedgoodnewsw...reatworkwithnew.vbS, Unicode 24->51 dropped 53 C:\Users\user\AppData\...\lis4p2me.cmdline, Unicode 24->53 dropped 89 Suspicious powershell command line found 24->89 91 Obfuscated command line found 24->91 28 wscript.exe 1 24->28         started        31 powershell.exe 4 24->31         started        33 csc.exe 2 24->33         started        signatures12 process13 file14 99 Suspicious powershell command line found 28->99 101 Wscript starts Powershell (via cmd or directly) 28->101 103 Bypasses PowerShell execution policy 28->103 107 2 other signatures 28->107 36 powershell.exe 4 28->36         started        105 Installs new ROOT certificates 31->105 49 C:\Users\user\AppData\Local\...\lis4p2me.dll, PE32 33->49 dropped 39 cvtres.exe 33->39         started        signatures15 process16 signatures17 81 Suspicious powershell command line found 36->81 83 Obfuscated command line found 36->83 41 powershell.exe 12 4 36->41         started        process18 dnsIp19 59 drive.google.com 142.250.186.142, 443, 49163 GOOGLEUS United States 41->59 61 drive.usercontent.google.com 142.250.186.97, 443, 49164 GOOGLEUS United States 41->61 93 Installs new ROOT certificates 41->93 95 Writes to foreign memory regions 41->95 97 Injects a PE file into a foreign processes 41->97 45 AddInProcess32.exe 3 41->45         started        signatures20 process21 dnsIp22 63 goodab.duckdns.org 45->63 65 goodab.duckdns.org 178.215.224.176, 4044, 49166, 49167 LVLT-10753US Germany 45->65 109 Contains functionality to bypass UAC (CMSTPLUA) 45->109 111 Detected Remcos RAT 45->111 113 Contains functionalty to change the wallpaper 45->113 117 4 other signatures 45->117 signatures23 115 Uses dynamic DNS services 63->115
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/7eedda8563dcd7ec049d04f836fd590cb047d3a5a89142221067ce97db1320e9
Detection:
cve-2017-11882-shellcode
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7eedda8563dcd7ec049d04f836fd590cb047d3a5a89142221067ce97db1320e9/
Threat name:
Document-RTF.Exploit.CVE-2017-11882
Create hunting rule
Status:
Malicious
First seen:
2024-10-22 12:42:36 UTC
File Type:
Document
Extracted files:
4
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p3w5vbld3tl6ybe5at4dn7kzbsyepu5fvciueiqqm7hjpwyteduq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery execution
Link:
https://tria.ge/reports/241023-gtqjyavbra/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Launches Equation Editor
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Legitimate hosting services abused for malware hosting/C2
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Evasion via Device Credential Deployment
Malware Config
Dropper Extraction:
https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/cd0f7352-d27c-447c-812e-55ea6a23423d
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7eedda8563dcd7ec049d04f836fd590cb047d3a5a89142221067ce97db1320e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_INDICATOR_RTF_MalVer_Objects
Create hunting rule
Author:ditekSHen
Description:Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.
Reference:https://github.com/ditekshen/detection

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Word file doc 7eedda8563dcd7ec049d04f836fd590cb047d3a5a89142221067ce97db1320e9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3249407/
  
Delivery method
Distributed via web download

Comments