MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc4b1644ea07e01ed1eb327ae45a1bfe6a8e1d9e6b8d27b356813200ac7ac79f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 7


Maldoc score: 4



SHA256 hash: bc4b1644ea07e01ed1eb327ae45a1bfe6a8e1d9e6b8d27b356813200ac7ac79f
SHA3-384 hash: 3c00565a4a7cf1b4015330bb739fbc66d8f2db285144659099813abe616d8a8c0b000b2b0bd357a7249be0f1073cfacd
SHA1 hash: edcf5950f63e3d9704c15ca227351dffdd624d48
MD5 hash: e1630932d45b0af54fe7ae8cf0199aeb
humanhash: queen-cold-beryllium-johnny
File name: Inquiry_list_88364836383764834.xls
Signature: RemcosRAT
File size: 245'248 bytes
First seen: 2024-05-07 07:39:41 UTC
Last seen: 2024-05-07 08:40:13 UTC
File type: Excel file xls
MIME type: application/vnd.ms-excel
ssdeep: 6144:hd4UcLe0JOqPQZR8MDdATCR3tSv0W8Y1cOAdcA8QbBB7:EUP/qPQZR8MxAm/S8W8Y1ZAdL8kB7
TLSH: T12634F126BD71D082C96088B938CEC4D3EB39BE91AF02B14F227433AD5776264DC156DE
TrID: 46.5% (.XLS) Microsoft Excel sheet (alternate) (56500/1/4)
      26.7% (.XLS) Microsoft Excel sheet (32500/1/3)
      20.1% (.XLS) Microsoft Excel sheet (alternate) (24500/1/2)
      6.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter: abuse_ch
Tags: RemcosRAT xls

Office OLE Information


This malware sample appears to be an Office document. The following table provides more information about this document, obtained using oletools and oledump.

OLE id
Maldoc score: 4
OLE dump

MalwareBazaar was able to identify 15 sections in this file using oledump:

Section ID   Section size    Section name
1            114 bytes       CompObj
2            244 bytes       DocumentSummaryInformation
3            200 bytes       SummaryInformation
4            99 bytes        MBD00E8AE1D/CompObj
5            147801 bytes    MBD00E8AE1D/Package
6            490 bytes       MBD00E8AE1E/Ole
7            80996 bytes     Workbook
8            523 bytes       _VBA_PROJECT_CUR/PROJECT
9            104 bytes       _VBA_PROJECT_CUR/PROJECTwm
10           977 bytes       _VBA_PROJECT_CUR/VBA/Sheet1
11           977 bytes       _VBA_PROJECT_CUR/VBA/Sheet2
12           977 bytes       _VBA_PROJECT_CUR/VBA/Sheet3
13           985 bytes       _VBA_PROJECT_CUR/VBA/ThisWorkbook
14           2644 bytes      _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
15           553 bytes       _VBA_PROJECT_CUR/VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate the VBA script(s) from the OLE objects embedded in this file using olevba, and found the following:

Type         Keyword       Description
Suspicious   Hex Strings   Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence


File Origin
# of uploads: 2
# of downloads: 330
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: bc4b1644ea07e01ed1eb327ae45a1bfe6a8e1d9e6b8d27b356813200ac7ac79f.xls
Verdict: No threats detected
Analysis date: 2024-05-07 07:46:40 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Legit
File type: application/vnd.ms-excel
Has a screenshot: False
Contains macros: False
Result
Verdict: Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a window
Searching for the window
DNS request
Creating synchronization primitives
Launching a process
Searching for the browser window
Connection attempt
Sending a custom TCP request
Creating a file
Connection attempt by exploiting the app vulnerability
Sending an HTTP GET request
Sending a custom TCP request by exploiting the app vulnerability
Launching a process by exploiting the app vulnerability
Result
Verdict: Malicious
File Type: Legacy Excel File with Macro
Payload URLs
URL                      File name
http://sorty.cc/XttBz    Embedded Ole
Behaviour
BlacklistAPI detected
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: embedequation exploit language-tr macros
Result
Threat name:
Detection: malicious
Classification: phis.troj.spyw.expl.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Document exploit detected (process start blacklist hit)
Drops PE files with benign system names
Excel sheet contains many unusual embedded objects
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Installs new ROOT certificates
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Microsoft Office drops suspicious files
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office drops RTF file
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Office viewer loads remote template
Sample uses process hollowing technique
Searches for Windows Mail specific files
Shellcode detected
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: Equation Editor Network Connection
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Remcos
Sigma detected: Schedule system process
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: System File Execution Location Anomaly
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph (ID 1437265; sample Inquiry_list_88364836383764...; start date 07/05/2024; architecture WINDOWS; score 100). The rendered graph is not reproduced here; the process tree, network contacts, dropped files and signatures recovered from its text are:

Sample node: sorty.cc; Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 36 other signatures
- EXCEL.EXE: contacts sorty.cc (104.21.89.249:443, CLOUDFLARENET, United States) and 192.3.179.142 (AS-COLOCROSSING, United States); drops dayisagooddaytohea...eatforentier[1].doc (Rich)
  - html.exe: drops C:\Users\user\AppData\Roaming\svchost.exe (PE32+); Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Drops PE files with benign system names
    - cmd.exe
      - svchost.exe: Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender; 2 other signatures
        - wmplayer.exe: contacts 107.173.4.16:2560 (AS-COLOCROSSING, United States) and geoplugin.net (178.237.33.50:80, ATOM86, Netherlands); drops C:\ProgramData\remcos\logs.dat (data); Detected Remcos RAT; Tries to harvest and steal browser information (history, passwords, etc); Maps a DLL or memory area into another process; Installs a global keyboard hook
          - wmplayer.exe (three instances): Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access); Searches for Windows Mail specific files; Tries to harvest and steal browser information (history, passwords, etc)
        - powershell.exe: Installs new ROOT certificates
        - ngen.exe
        - 2 other processes
      - timeout.exe
    - cmd.exe: Uses schtasks.exe or at.exe to add and modify task schedules
      - schtasks.exe
  - WINWORD.EXE: contacts sorty.cc (172.67.166.48:443, CLOUDFLARENET, United States); drops C:\Users\user\AppData\...\sorty.cc.url (MS), C:\Users\user\AppData\Roaming\...\XttBz.url (MS), ~WRF{DEFD9444-540B...4-644D4CBB1586}.tmp (Composite), C:\Users\user\AppData\Local\...\C3CDFAAA.doc (Rich); Microsoft Office launches external ms-search protocol handler (WebDAV); Office viewer loads remote template; Microsoft Office drops suspicious files
    - EQNEDT32.EXE: drops C:\Users\user\AppData\Roaming\html.exe (PE32+) and C:\Users\user\AppData\Local\...\html[1].exe (PE32+); Office equation editor establishes network connection; Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
- taskeng.exe
  - svchost.exe: Searches for Windows Mail specific files; Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures
    - wab.exe: Detected Remcos RAT
    - powershell.exe
    - csc.exe
- svchost.exe: Searches for Windows Mail specific files; Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures
  - wab.exe: Detected Remcos RAT
  - powershell.exe
- svchost.exe
  - WerFault.exe (three instances)
Threat name: Document-Office.Trojan.Casdet
Status: Malicious
First seen: 2024-05-06 03:49:46 UTC
File Type: Document
Extracted files: 40
AV detection: 9 of 24 (37.50%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Checks processor information in registry
Enumerates system info in registry
Launches Equation Editor
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Office loads VBA resources, possible macro or embedded object present
Abuses OpenXML format to download file from external location
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: informational_win_ole_protected
Author: Jeff White (karttoon@gmail.com) @noottrak
Description: Identify OLE Project protection within documents.

Rule name: maldoc_OLE_file_magic_number
Author: Didier Stevens (https://DidierStevens.com)

Rule name: office_document_vba
Author: Jean-Philippe Teissier / @Jipe_
Description: Office document with embedded VBA
Reference: https://github.com/jipegit/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments