MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0149c0c3476c97e13ab5f4d656ad0b53ba45dea1b3f8fdaf51d0e4ef5db2aa9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 14



SHA256 hash: e0149c0c3476c97e13ab5f4d656ad0b53ba45dea1b3f8fdaf51d0e4ef5db2aa9
SHA3-384 hash: d32d3474a4ba881d383213fcbbe3b766219b79b2e1ec09cf38fb2b0e4d4030a628a224f75a930bd61377f80269a329e0
SHA1 hash: 3b8ca3a3b325fb1ddb13528422487abd169ddfc8
MD5 hash: c894799d11c657b5482c768edd4a693d
humanhash: monkey-saturn-happy-angel
File name: SecuriteInfo.com.Exploit.CVE-2017-11882.123.30451.5205
Signature: RemcosRAT
File size: 462'848 bytes
First seen: 2026-05-14 12:44:02 UTC
Last seen: Never
File type: Excel file xlsx
MIME type: application/vnd.ms-excel
ssdeep 3072:Dh8q9rWNXULqd+O13x6cwCLTVddNd3ECs9rWNXULqd+O13x6cwCLTOddNd3EGnCH:Dh859NdVfMNdvC0KR+VTOxN1NUV8G9
TLSH T1AEA46C7BF09CC5CEDB6782B1AB674900070EAD183B955626342F7A36F5B3E2CCA87045
TrID 34.0% (.XLS) Microsoft Excel sheet (32500/1/3)
29.3% (.XLS) Microsoft Excel sheet (alternate) (28000/1/3)
25.6% (.XLS) Microsoft Excel sheet (alternate) (24500/1/2)
8.3% (.) Generic OLE2 / Multistream Compound (8000/1)
2.6% (.ASSETS) Unity binary serialized Assets (generic) (2509/3/1)
Magika: xls
Reporter: SecuriteInfoCom
Tags: RemcosRAT xlsx

Office OLE Information


This malware sample appears to be an Office document. The following table provides more information about this document, obtained using oletools and oledump.

OLE dump

MalwareBazaar was able to identify 26 sections in this file using oledump:

Section ID   Section size   Section name
1            114 bytes      CompObj
2            244 bytes      DocumentSummaryInformation
3            200 bytes      SummaryInformation
4            94 bytes       MBD001785C0/CompObj
5            62 bytes       MBD001785C0/Ole
6            93693 bytes    MBD001785C0/CONTENTS
7            94 bytes       MBD001785C1/CompObj
8            20 bytes       MBD001785C1/Ole
9            53021 bytes    MBD001785C1/CONTENTS
10           94 bytes       MBD001785C2/CompObj
11           62 bytes       MBD001785C2/Ole
12           93693 bytes    MBD001785C2/CONTENTS
13           94 bytes       MBD001785C3/CompObj
14           20 bytes       MBD001785C3/Ole
15           53021 bytes    MBD001785C3/CONTENTS
16           1627 bytes     MBD001785C4/OLE10NatIve
17           20 bytes       MBD001785C4/Ole
18           147328 bytes   Workbook
19           525 bytes      _VBA_PROJECT_CUR/PROJECT
20           104 bytes      _VBA_PROJECT_CUR/PROJECTwm
21           977 bytes      _VBA_PROJECT_CUR/VBA/Sheet1
22           977 bytes      _VBA_PROJECT_CUR/VBA/Sheet2
23           977 bytes      _VBA_PROJECT_CUR/VBA/Sheet3
24           985 bytes      _VBA_PROJECT_CUR/VBA/ThisWorkbook
25           2644 bytes     _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
26           553 bytes      _VBA_PROJECT_CUR/VBA/dir

Intelligence


File Origin
# of uploads: 1
# of downloads: 120
Origin country: FR
Vendor Threat Intelligence
Malware configuration found for: MSO
Details (MSO): extracted VBA Macros and, if observed, MS-OFORM variables/data are added to the knowledge base for usage in later parsing of the Macros
Malware family: n/a
ID: 1
File name: Orden No. 5700080331.xls
Verdict: No threats detected
Analysis date: 2026-05-14 12:38:52 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Legit
File type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Has a screenshot: False
Contains macros: False
Verdict: Malicious
Score: 92.5%
Tags: office micro macro
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Searching for synchronization primitives
Launching a process
DNS request
Creating a file in the %AppData% directory
Creating synchronization primitives
Searching for the window
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Launching a service
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request to an infection source
Possible injection to a system process
Connection attempt by exploiting the app vulnerability
Connection attempt to an infection source
Bypassing of proactive protection methods using Windows Management Instrumentation (WMI)
Connection attempt to an infection source by exploiting the app vulnerability
Sending an HTTP GET request to an infection source by exploiting the app vulnerability
Sending a custom TCP request by exploiting the app vulnerability
Launching a process by exploiting the app vulnerability
Result
Verdict: Malicious
File Type: Legacy Excel File with Macro
Behaviour
BlacklistAPI detected
Label: Malicious
Suspicious Score: 10/10
Score Malicious: 1%
Score Benign: 0%
Verdict: Malicious
File Type: xls
First seen: 2026-05-14T05:14:00Z UTC
Last seen: 2026-05-16T10:24:00Z UTC
Hits: ~100
Verdict: inconclusive
YARA: 6 match(es)
Tags: Office Document
Threat name: Win32.Exploit.CVE-2017-11882
Status: Malicious
First seen: 2026-05-14 12:44:45 UTC
File Type: Document
Extracted files: 61
AV detection: 12 of 24 (50.00%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: informational_win_ole_protected
Author: Jeff White (karttoon@gmail.com) @noottrak
Description: Identify OLE Project protection within documents.
Rule name: XLS_STRINGS
Author: somedieyoungZZ
Description: Detect Strings targeting Bangladesh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments