MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1836e6e0661938656d0d8883daa624f59b4a0885cd663be712bfa88a5ccea19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	d1836e6e0661938656d0d8883daa624f59b4a0885cd663be712bfa88a5ccea19
SHA3-384 hash:	540c20d86fcc93018e32e544c8ea645c0b4b3136ba79a3e0cf34f4b10f1c78ced195a8052a27a1eade48dd2649d23a10
SHA1 hash:	aa99049bcb8caaac23c7c3a9488b47435ce524ec
MD5 hash:	1620224d6efdc7d009b64899a6a67626
humanhash:	cardinal-juliet-montana-potato
File name:	1.xla
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	50'688 bytes
First seen:	2024-03-26 06:53:42 UTC
Last seen:	2024-03-26 07:59:15 UTC
File type:	xlsx
MIME type:	application/vnd.ms-excel
ssdeep	768:fXyBP0IZ3ovboGfJlETRro0LPpeTQMjpHJDQ/QxLEC65:fX68OPwUTRrnp2hjFJDREC
TLSH	T11033B01433AAD029C25399769DCCE2EB97127C11DE479B0F3190770F2E362C69697F4A
TrID	46.5% (.XLS) Microsoft Excel sheet (alternate) (56500/1/4) 26.7% (.XLS) Microsoft Excel sheet (32500/1/3) 20.1% (.XLS) Microsoft Excel sheet (alternate) (24500/1/2) 6.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter	petrovic
Tags:	RemcosRAT xlsx

Intelligence

File Origin

# of uploads :

# of downloads :

490

Origin country :

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

1620224d6efdc7d009b64899a6a67626.xla

Verdict:

Malicious activity

Analysis date:

2024-03-26 04:53:31 UTC

Tags:

opendir exploit cve-2017-11882 stegocampaign remcos rat remote stealer payload

Link:

https://app.any.run/tasks/ca7498c3-b41f-487b-91f5-289d4de484fd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Changing an executable file

Using the Windows Management Instrumentation requests

DNS request

Launching a process

Creating a window

Result

Verdict:

Malicious

File Type:

Legacy Excel File with Macro

Link:

https://app.docguard.net/d1836e6e0661938656d0d8883daa624f59b4a0885cd663be712bfa88a5ccea19/results/dashboard

Payload URLs

URL

File name

http://qr-in.com/VztClRp

Embedded Ole

Behaviour

SuspiciousRTF detected

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

embedequation exploit macros masquerade shellcode sload

Link:

https://www.filescan.io/uploads/6602710b43b314c782c0eb98/reports/2dbae17d-1a25-42e5-96ac-9a951b2cb3c5/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/d1836e6e0661938656d0d8883daa624f59b4a0885cd663be712bfa88a5ccea19

Gathering data

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/d1836e6e0661938656d0d8883daa624f59b4a0885cd663be712bfa88a5ccea19

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d1836e6e0661938656d0d8883daa624f59b4a0885cd663be712bfa88a5ccea19/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2gbw43qgmgjymvwq3ced3ktcj5m3jieiltlghptrfp5irjom5imq._file

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost collection persistence rat spyware stealer

Link:

https://tria.ge/reports/240326-hn7rpsge8x/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Launches Equation Editor

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Uses Volume Shadow Copy WMI provider

Uses Volume Shadow Copy service COM API

Office loads VBA resources, possible macro or embedded object present

Enumerates physical storage devices

Drops file in System32 directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook accounts

Adds Run key to start application

Abuses OpenXML format to download file from external location

Reads user/profile data of web browsers

Blocklisted process makes network request

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Remcos

Malware Config

C2 Extraction:

107.172.31.178:2404

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d1836e6e0661/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d1836e6e0661938656d0d8883daa624f59b4a0885cd663be712bfa88a5ccea19

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	informational_win_ole_protected Create hunting rule
Author:	Jeff White (karttoon@gmail.com) @noottrak
Description:	Identify OLE Project protection within documents.

Rule name:	maldoc_OLE_file_magic_number Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	office_document_vba Create hunting rule
Author:	Jean-Philippe Teissier / @Jipe_
Description:	Office document with embedded VBA
Reference:	https://github.com/jipegit/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample