{
	"id": "17e9af40-9b73-4dea-983c-8f3583ec4670",
	"created_at": "2026-04-06T00:19:36.710659Z",
	"updated_at": "2026-04-10T13:12:51.738624Z",
	"deleted_at": null,
	"sha1_hash": "ef95281fe837e37b7614b192f2d084f9824ce4f0",
	"title": "Malware-Traffic-Analysis.net - 2017-12-22 - Remcos RAT infection from RTF using CVE-2017-0199 exploit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2251826,
	"plain_text": "Malware-Traffic-Analysis.net - 2017-12-22 - Remcos RAT infection from RTF using CVE-2017-0199 exploit\r\nArchived: 2026-04-05 22:36:03 UTC\r\nNOTICE:\r\nThe zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the \"about\" page of this website.\r\nASSOCIATED FILES:\r\n2017-12-22-Remcos-RAT-malspam-example.eml.zip   39.9 kB (39,866 bytes)\r\n2017-12-22-Remcos-RAT-infection-traffic.pcap.zip   1.0 MB (1,044,961 bytes)\r\n2017-12-22-malware-from-Remcos-RAT-infection.zip   1.9 MB (1,880,322 bytes)\r\nNOTES:\r\nOn 2017-12-21, I saw malspam dated 2017-12-21 with an RTF attachment using CVE-2017-0199 to push Remcos RAT.\r\nToday's post-infection traffic is similar to Remcos RAT post-infection traffic I reported almost 2 months ago on 2017-10-27.\r\nhttp://malware-traffic-analysis.net/2017/12/22/index.html\r\nPage 1 of 8\n\nShown above:  Flowchart for today's infection.\r\nWEB TRAFFIC BLOCK LIST\r\nIndicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:\r\nhxxps[:]//streetsave[.]club/styles/break/beta.hta\r\nhxxps[:]//regwide[.]club/images/scale/nile.php\r\nhxxps[:]//regwide[.]club/images/scale/nite.exe\r\ndarlz.freeddns[.]org\r\nIMAGES\r\nShown above:  Screenshot of the email.\r\nShown above:  The attached .doc file is actually an RTF that uses CVE-2017-0199.  I clicked my way \"yes\" to an infection!\r\nShown above:  The executable for Remcos RAT needed my permission to run.\r\nShown above:  Traffic from the infection filtered in Wireshark.\r\nShown above:  HTTPS traffic as seen in Fiddler.\r\nShown above:  Post-infection traffic from the Remcos RAT-infected host.\r\nShown above:  Randomly-named key with binary data in the Windows registry.\r\nShown above:  Updated key in the Windows registry to keep the infection persistent.\r\nShown above:  Folder in the user's AppData/Local/Temp directory.\r\nShown above:  File run by the AutoIt script engine, vje=wtl, as seen in a text editor.\r\nINDICATORS\r\nEMAIL DATA:\r\nDate:  Thursday, 2017-12-21 at 13:56 UTC\r\nSubject:  Invoice\r\nFrom:  \"Helen Rowe\" \u003cadmin@besita[.]tk\u003e\r\nReply-To:  \"Helen Rowe\" \u003corder.sbsbio@outlook[.]com\u003e\r\nMessage-ID:  \u003cb98edd6e87c6201c7056c859bb73b48a.squirrel@212.237.6[.]14\u003e\r\nUser-Agent:  SquirrelMail/1.4.22\r\nAttachment:  Proforma invoice.doc\r\nTRAFFIC:\r\n148.164.124[.]20 port 443 - streetsave[.]club - GET /styles/break/beta.hta   (HTTPS)\r\n148.164.124[.]20 port 443 - regwide[.]club - GET /images/scale/nile.php   (HTTPS)\r\n148.164.124[.]20 port 443 - regwide[.]club - GET /images/scale/nite.exe   (HTTPS)\r\n185.62.190[.]214 port 1695 - darlz.freeddns[.]org - encrypted post-infection traffic caused by Remcos RAT\r\nMALWARE AND ARTIFACTS FROM THE INFECTED WINDOWS HOST:\r\nSHA256 hash:  1b78b77b4f571548df7d7a7e324bfe38425b901663906d91d7c5ec110a333a07\r\nFile size:  332,066 bytes\r\nFile name:  Proforma invoice.doc\r\nFile description:  RTF document using CVE-2017-0199\r\nSHA256 hash:  402517926305219d9d482063334b9955866fbeb7fadd5fe9e0f72cc04a112173\r\nFile size:  1,243 bytes\r\nFile name:  beta.hta\r\nFile description:  HTML application (HTA) file to download the next-stage malware\r\nSHA256 hash:  9717a2ec51316ca3b97d5c379e4b331e03e274dfd6de5433f3382b760f09b51b\r\nFile size:  999,301 bytes\r\nFile location:  C:\\Users\\[username]\\AppData\\Roaming\\foxread.exe\r\nFile description:  RemcosRAT Installer for next stage of the infection\r\nSHA256 hash:  fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b\r\nFile size:  750,320 bytes\r\nFile location:  C:\\Users\\[username]\\AppData\\Local\\Temp\\58594949\\mrk.exe\r\nFile description:  AutoIt v3 script engine (version 3.3.8.1)   NOTE: This is a legitimate file. It is not inherently malicious.\r\nSHA256 hash:  fd00256c375f5d744d73a7ddba571f1887779af042bd6cf7100533c68c461a33\r\nFile size:  3,092,687 bytes\r\nFile location:  C:\\Users\\[username]\\AppData\\Local\\Temp\\58594949\\vje=wtl\r\nFile description:  AutoIt script file executed by mrk.exe\r\nWINDOWS REGISTRY UPDATES:\r\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n\"WindowsUpdate\"=\"C:\\\\Users\\\\[username]\\\\AppData\\\\Local\\\\Temp\\\\58594949\\\\mrk.exe C:\\\\Users\\\\[username]\\\\AppData\\\\Local\\\\Temp\\\\58594949\\\\VJE_WT~1\"\r\n[HKEY_CURRENT_USER\\Software\\dizy-937GNR]\r\n\"EXEpath\"=hex:a5,60,7c,77,81,d6,3f,89,8c,1b,1a,3f,d2,97,d8,f6,d6,4e,19,c2,2c,\\\r\n  28,9b,08,4f,9c,14,72,41,7f,d2,5f,47,bb,e7,24,8c,64,f5,0f,44,91,cb,54,5f,1a,\\\r\n  ba,bc,67,e6,94,1a,c0,54,66,67,c0,79,55,c1,8f,7c,29,3e,8a,08,bc,ed,f9,3f,5f,\\\r\n  6d,17,22,66,b1,c8,c8,a3,e0,27,f2,ac,f3,82,3b,ed,3e,2a,69,56,21,8b,85,f4,c0,\\\r\n  35,47,be,02,9f,d0,a0,c7,2a,f0,87,28,83,42,7c,97,2d,90,3b,c3\r\nSource: http://malware-traffic-analysis.net/2017/12/22/index.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://malware-traffic-analysis.net/2017/12/22/index.html"
	],
	"report_names": [
		"index.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434776,
	"ts_updated_at": 1775826771,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ef95281fe837e37b7614b192f2d084f9824ce4f0.pdf",
		"text": "https://archive.orkl.eu/ef95281fe837e37b7614b192f2d084f9824ce4f0.txt",
		"img": "https://archive.orkl.eu/ef95281fe837e37b7614b192f2d084f9824ce4f0.jpg"
	}
}