MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8318d2c5023d9b1a29b20918610d7625ba04e58dfe1fc5da51aeac65dbdff9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	e8318d2c5023d9b1a29b20918610d7625ba04e58dfe1fc5da51aeac65dbdff9d
SHA3-384 hash:	8dbba648801e875b67f17c670355944ddbc810b58bdf86c40b76a812613cca17fdbc380cdc6d9f176cc9317f14e6da5a
SHA1 hash:	371df9dbbbb4c4f726642d20425b9e221474aded
MD5 hash:	c4a112ee4fc83191470fd3227fc0e850
humanhash:	india-papa-king-bakerloo
File name:	SecuriteInfo.com.Exploit.CVE-2017-11882.123.2483.2434
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	463'360 bytes
First seen:	2026-05-14 12:44:04 UTC
Last seen:	2026-05-14 13:42:10 UTC
File type:	xlsx
MIME type:	application/vnd.ms-excel
ssdeep	6144:Mh859NdVZFNd38EPxs7eJCAIIBY7bgc9JsPcBaU:Mh8vTVbTjhf+7QPcB
TLSH	T112A47C77F098C5DEDB638271AB678900170EAE183B855666342F7A36B1B3E2CDBC7045
TrID	34.0% (.XLS) Microsoft Excel sheet (32500/1/3) 29.3% (.XLS) Microsoft Excel sheet (alternate) (28000/1/3) 25.6% (.XLS) Microsoft Excel sheet (alternate) (24500/1/2) 8.3% (.) Generic OLE2 / Multistream Compound (8000/1) 2.6% (.ASSETS) Unity binary serialized Assets (generic) (2509/3/1)
Magika	xls
Reporter	SecuriteInfoCom
Tags:	CVE-2017-11882 RemcosRAT xlsx

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE dump

MalwareBazaar was able to identify 26 sections in this file using oledump:

Section ID	Section size	Section name
1	114 bytes	CompObj
2	244 bytes	DocumentSummaryInformation
3	200 bytes	SummaryInformation
4	94 bytes	MBD0005D27A/CompObj
5	62 bytes	MBD0005D27A/Ole
6	93693 bytes	MBD0005D27A/CONTENTS
7	94 bytes	MBD0005D27B/CompObj
8	20 bytes	MBD0005D27B/Ole
9	53021 bytes	MBD0005D27B/CONTENTS
10	94 bytes	MBD0005D27C/CompObj
11	62 bytes	MBD0005D27C/Ole
12	93693 bytes	MBD0005D27C/CONTENTS
13	94 bytes	MBD0005D27D/CompObj
14	20 bytes	MBD0005D27D/Ole
15	53021 bytes	MBD0005D27D/CONTENTS
16	1836 bytes	MBD0005D27E/OLe10NATivE
17	20 bytes	MBD0005D27E/Ole
18	147334 bytes	Workbook
19	527 bytes	_VBA_PROJECT_CUR/PROJECT
20	104 bytes	_VBA_PROJECT_CUR/PROJECTwm
21	977 bytes	_VBA_PROJECT_CUR/VBA/Sheet1
22	977 bytes	_VBA_PROJECT_CUR/VBA/Sheet2
23	977 bytes	_VBA_PROJECT_CUR/VBA/Sheet3
24	985 bytes	_VBA_PROJECT_CUR/VBA/ThisWorkbook
25	2644 bytes	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
26	553 bytes	_VBA_PROJECT_CUR/VBA/dir

Intelligence

File Origin

# of uploads :

# of downloads :

126

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

MSO

Details

MSO

extracted VBA Macros and, if observed, MS-OFORM variables/data are added to the knowledge base for usage in later parsing of the Macros

Link:

https://research.acce.ciphertechsolutions.com/results/3183541d-e6c3-4f65-9dbf-7f8d844aa68f/

Malware family:

n/a

ID:

File name:

FW_ Гарантийное письмо АК БА.eml

Verdict:

No threats detected

Analysis date:

2026-05-14 10:46:53 UTC

Tags:

attachments attc-doc

Link:

https://app.any.run/tasks/1270652f-1875-4507-b9be-b3700ec8b4f4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Legit

File type:

application/vnd.openxmlformats-officedocument.spreadsheetml.sheet

Has a screenshot:

False

Contains macros:

False

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/65895/

Detection(s):

Sanesecurity.Shelter.Malware.BadMacro.BadOleNatEquat.UNOFFICIAL

TwinWave.EvilDoc.EQAndMisCasedOleNativeWasTheCaseThatTheyGaveMe.20200215.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a05c59a46d6967b3d904afa

Tags:

office micro lien sage

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for synchronization primitives

Launching a process

DNS request

Creating a file in the %AppData% directory

Sending a custom TCP request

Connection attempt by exploiting the app vulnerability

Sending an HTTP GET request

Sending a custom TCP request by exploiting the app vulnerability

Result

Verdict:

Malicious

File Type:

Legacy Excel File with Macro

Link:

https://app.docguard.net/e8318d2c5023d9b1a29b20918610d7625ba04e58dfe1fc5da51aeac65dbdff9d/results/dashboard

Behaviour

BlacklistAPI detected

Document image

Image:

Download PNG

Verdict:

Malicious

Labled as:

CVE-2017-11882

Link:

https://www.hybrid-analysis.com/sample/e8318d2c5023d9b1a29b20918610d7625ba04e58dfe1fc5da51aeac65dbdff9d

Label:

Malicious

Suspicious Score:

10/10

Score Malicious:

Score Benign:

Link:

https://www.malware.ai/gui/files/?id=64339511-642b-4a16-846b-4ede34608906

Verdict:

Malicious

File Type:

xls

First seen:

2026-05-14T01:03:00Z UTC

Last seen:

2026-05-16T09:12:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/e8318d2c5023d9b1a29b20918610d7625ba04e58dfe1fc5da51aeac65dbdff9d/results?tab=lookup

Score:

100%

Verdict:

Malware

File Type:

OFFICE

Link:

https://malprob.io/report/e8318d2c5023d9b1a29b20918610d7625ba04e58dfe1fc5da51aeac65dbdff9d

Verdict:

inconclusive

YARA:

6 match(es)

Tags:

Office Document

Link:

https://app.malva.re/file/c4a112ee4fc83191470fd3227fc0e850

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/e8318d2c5023d9b1a29b20918610d7625ba04e58dfe1fc5da51aeac65dbdff9d/

Threat name:

Win32.Exploit.CVE-2017-11882

Status:

Malicious

First seen:

2026-05-14 07:21:33 UTC

File Type:

Document

Extracted files:

AV detection:

12 of 24 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5ayy2lcqepm3diu3eciymegxmjn2atsy37q7yxnfdlvmmxn576oq._file

Gathering data

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e8318d2c5023/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e8318d2c5023d9b1a29b20918610d7625ba04e58dfe1fc5da51aeac65dbdff9d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	informational_win_ole_protected Create hunting rule
Author:	Jeff White (karttoon@gmail.com) @noottrak
Description:	Identify OLE Project protection within documents.

Rule name:	XLS_STRINGS Create hunting rule
Author:	somedieyoungZZ
Description:	Detect Strings targeting Bangladesh

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/65895/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample