| Source | Rule | Description | Author | Strings |
| --- | --- | --- | --- | --- |
| 17.3.glpmruvjds.pif.47bf208.14.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 17.3.glpmruvjds.pif.47bf208.14.unpack | Remcos_1 | Remcos Payload | kevoreilly | 0x16510:$name: Remcos; 0x16888:$name: Remcos; 0x16de0:$name: Remcos; 0x16e33:$name: Remcos; 0x15674:$time: %02i:%02i:%02i:%03i; 0x156fc:$time: %02i:%02i:%02i:%03i; 0x16be4:$time: %02i:%02i:%02i:%03i; 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ... |
| 17.3.glpmruvjds.pif.47bf208.14.unpack | REMCOS_RAT_variants | unknown | unknown | 0x166f8:$str_a1: C:\Windows\System32\cmd.exe; 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data; 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName); 0x159e0:$str_b2: Executing file:; 0x16798:$str_b3: GetDirectListeningPort; 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject"); 0x16534:$str_b5: licence_code.txt; 0x1649c:$str_b6: \restart.vbs; 0x163c0:$str_b8: \uninstall.vbs; 0x1596c:$str_b9: Downloaded file:; 0x15998:$str_b10: Downloading file:; 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds; 0x159fc:$str_b12: Failed to upload file:; 0x167d8:$str_b13: StartForward; 0x167bc:$str_b14: StopForward; 0x16330:$str_b15: fso.DeleteFile "; 0x16394:$str_b16: On Error Resume Next; 0x162fc:$str_b17: fso.DeleteFolder "; 0x15a14:$str_b18: Uploaded file: |
| 17.3.glpmruvjds.pif.47ff218.6.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 17.3.glpmruvjds.pif.47ff218.6.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | 0x16510:$name: Remcos; 0x16888:$name: Remcos; 0x16de0:$name: Remcos; 0x16e33:$name: Remcos; 0x15674:$time: %02i:%02i:%02i:%03i; 0x156fc:$time: %02i:%02i:%02i:%03i; 0x16be4:$time: %02i:%02i:%02i:%03i; 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ... |
| 17.3.glpmruvjds.pif.47ff218.6.raw.unpack | REMCOS_RAT_variants | unknown | unknown | 0x166f8:$str_a1: C:\Windows\System32\cmd.exe; 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data; 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName); 0x159e0:$str_b2: Executing file:; 0x16798:$str_b3: GetDirectListeningPort; 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject"); 0x16534:$str_b5: licence_code.txt; 0x1649c:$str_b6: \restart.vbs; 0x163c0:$str_b8: \uninstall.vbs; 0x1596c:$str_b9: Downloaded file:; 0x15998:$str_b10: Downloading file:; 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds; 0x159fc:$str_b12: Failed to upload file:; 0x167d8:$str_b13: StartForward; 0x167bc:$str_b14: StopForward; 0x16330:$str_b15: fso.DeleteFile "; 0x16394:$str_b16: On Error Resume Next; 0x162fc:$str_b17: fso.DeleteFolder "; 0x15a14:$str_b18: Uploaded file: |
| 17.3.glpmruvjds.pif.47df210.9.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 17.3.glpmruvjds.pif.47df210.9.unpack | Remcos_1 | Remcos Payload | kevoreilly | 0x16510:$name: Remcos; 0x16888:$name: Remcos; 0x16de0:$name: Remcos; 0x16e33:$name: Remcos; 0x15674:$time: %02i:%02i:%02i:%03i; 0x156fc:$time: %02i:%02i:%02i:%03i; 0x16be4:$time: %02i:%02i:%02i:%03i; 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ... |
| 17.3.glpmruvjds.pif.47df210.9.unpack | REMCOS_RAT_variants | unknown | unknown | 0x166f8:$str_a1: C:\Windows\System32\cmd.exe; 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data; 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName); 0x159e0:$str_b2: Executing file:; 0x16798:$str_b3: GetDirectListeningPort; 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject"); 0x16534:$str_b5: licence_code.txt; 0x1649c:$str_b6: \restart.vbs; 0x163c0:$str_b8: \uninstall.vbs; 0x1596c:$str_b9: Downloaded file:; 0x15998:$str_b10: Downloading file:; 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds; 0x159fc:$str_b12: Failed to upload file:; 0x167d8:$str_b13: StartForward; 0x167bc:$str_b14: StopForward; 0x16330:$str_b15: fso.DeleteFile "; 0x16394:$str_b16: On Error Resume Next; 0x162fc:$str_b17: fso.DeleteFolder "; 0x15a14:$str_b18: Uploaded file: |
| 5.3.glpmruvjds.pif.3c90a88.7.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 5.3.glpmruvjds.pif.3c90a88.7.unpack | Remcos_1 | Remcos Payload | kevoreilly | 0x16510:$name: Remcos; 0x16888:$name: Remcos; 0x16de0:$name: Remcos; 0x16e33:$name: Remcos; 0x15674:$time: %02i:%02i:%02i:%03i; 0x156fc:$time: %02i:%02i:%02i:%03i; 0x16be4:$time: %02i:%02i:%02i:%03i; 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ... |
| 5.3.glpmruvjds.pif.3c90a88.7.unpack | REMCOS_RAT_variants | unknown | unknown | 0x166f8:$str_a1: C:\Windows\System32\cmd.exe; 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data; 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName); 0x159e0:$str_b2: Executing file:; 0x16798:$str_b3: GetDirectListeningPort; 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject"); 0x16534:$str_b5: licence_code.txt; 0x1649c:$str_b6: \restart.vbs; 0x163c0:$str_b8: \uninstall.vbs; 0x1596c:$str_b9: Downloaded file:; 0x15998:$str_b10: Downloading file:; 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds; 0x159fc:$str_b12: Failed to upload file:; 0x167d8:$str_b13: StartForward; 0x167bc:$str_b14: StopForward; 0x16330:$str_b15: fso.DeleteFile "; 0x16394:$str_b16: On Error Resume Next; 0x162fc:$str_b17: fso.DeleteFolder "; 0x15a14:$str_b18: Uploaded file: |
| 5.3.glpmruvjds.pif.3c90a88.5.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 5.3.glpmruvjds.pif.3c90a88.5.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | 0x16510:$name: Remcos; 0x16888:$name: Remcos; 0x16de0:$name: Remcos; 0x16e33:$name: Remcos; 0x15674:$time: %02i:%02i:%02i:%03i; 0x156fc:$time: %02i:%02i:%02i:%03i; 0x16be4:$time: %02i:%02i:%02i:%03i; 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ... |
| 5.3.glpmruvjds.pif.3c90a88.5.raw.unpack | REMCOS_RAT_variants | unknown | unknown | 0x166f8:$str_a1: C:\Windows\System32\cmd.exe; 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data; 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName); 0x159e0:$str_b2: Executing file:; 0x16798:$str_b3: GetDirectListeningPort; 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject"); 0x16534:$str_b5: licence_code.txt; 0x1649c:$str_b6: \restart.vbs; 0x163c0:$str_b8: \uninstall.vbs; 0x1596c:$str_b9: Downloaded file:; 0x15998:$str_b10: Downloading file:; 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds; 0x159fc:$str_b12: Failed to upload file:; 0x167d8:$str_b13: StartForward; 0x167bc:$str_b14: StopForward; 0x16330:$str_b15: fso.DeleteFile "; 0x16394:$str_b16: On Error Resume Next; 0x162fc:$str_b17: fso.DeleteFolder "; 0x15a14:$str_b18: Uploaded file: |
| 7.2.RegSvcs.exe.800000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 7.2.RegSvcs.exe.800000.0.unpack | Remcos_1 | Remcos Payload | kevoreilly | 0x16510:$name: Remcos; 0x16888:$name: Remcos; 0x16de0:$name: Remcos; 0x16e33:$name: Remcos; 0x15674:$time: %02i:%02i:%02i:%03i; 0x156fc:$time: %02i:%02i:%02i:%03i; 0x16be4:$time: %02i:%02i:%02i:%03i; 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ... |
| 7.2.RegSvcs.exe.800000.0.unpack | REMCOS_RAT_variants | unknown | unknown | 0x166f8:$str_a1: C:\Windows\System32\cmd.exe; 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data; 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName); 0x159e0:$str_b2: Executing file:; 0x16798:$str_b3: GetDirectListeningPort; 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject"); 0x16534:$str_b5: licence_code.txt; 0x1649c:$str_b6: \restart.vbs; 0x163c0:$str_b8: \uninstall.vbs; 0x1596c:$str_b9: Downloaded file:; 0x15998:$str_b10: Downloading file:; 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds; 0x159fc:$str_b12: Failed to upload file:; 0x167d8:$str_b13: StartForward; 0x167bc:$str_b14: StopForward; 0x16330:$str_b15: fso.DeleteFile "; 0x16394:$str_b16: On Error Resume Next; 0x162fc:$str_b17: fso.DeleteFolder "; 0x15a14:$str_b18: Uploaded file: |
| 17.3.glpmruvjds.pif.47bf208.8.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 17.3.glpmruvjds.pif.47bf208.8.unpack | Remcos_1 | Remcos Payload | kevoreilly | 0x16510:$name: Remcos; 0x16888:$name: Remcos; 0x16de0:$name: Remcos; 0x16e33:$name: Remcos; 0x15674:$time: %02i:%02i:%02i:%03i; 0x156fc:$time: %02i:%02i:%02i:%03i; 0x16be4:$time: %02i:%02i:%02i:%03i; 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ... |
| 17.3.glpmruvjds.pif.47bf208.8.unpack | REMCOS_RAT_variants | unknown | unknown | 0x166f8:$str_a1: C:\Windows\System32\cmd.exe; 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data; 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName); 0x159e0:$str_b2: Executing file:; 0x16798:$str_b3: GetDirectListeningPort; 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject"); 0x16534:$str_b5: licence_code.txt; 0x1649c:$str_b6: \restart.vbs; 0x163c0:$str_b8: \uninstall.vbs; 0x1596c:$str_b9: Downloaded file:; 0x15998:$str_b10: Downloading file:; 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds; 0x159fc:$str_b12: Failed to upload file:; 0x167d8:$str_b13: StartForward; 0x167bc:$str_b14: StopForward; 0x16330:$str_b15: fso.DeleteFile "; 0x16394:$str_b16: On Error Resume Next; 0x162fc:$str_b17: fso.DeleteFolder "; 0x15a14:$str_b18: Uploaded file: |
| 5.3.glpmruvjds.pif.3c90a88.5.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 5.3.glpmruvjds.pif.3c90a88.5.unpack | Remcos_1 | Remcos Payload | kevoreilly | 0x16510:$name: Remcos; 0x16888:$name: Remcos; 0x16de0:$name: Remcos; 0x16e33:$name: Remcos; 0x15674:$time: %02i:%02i:%02i:%03i; 0x156fc:$time: %02i:%02i:%02i:%03i; 0x16be4:$time: %02i:%02i:%02i:%03i; 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ... |
| 5.3.glpmruvjds.pif.3c90a88.5.unpack | REMCOS_RAT_variants | unknown | unknown | 0x166f8:$str_a1: C:\Windows\System32\cmd.exe; 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data; 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName); 0x159e0:$str_b2: Executing file:; 0x16798:$str_b3: GetDirectListeningPort; 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject"); 0x16534:$str_b5: licence_code.txt; 0x1649c:$str_b6: \restart.vbs; 0x163c0:$str_b8: \uninstall.vbs; 0x1596c:$str_b9: Downloaded file:; 0x15998:$str_b10: Downloading file:; 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds; 0x159fc:$str_b12: Failed to upload file:; 0x167d8:$str_b13: StartForward; 0x167bc:$str_b14: StopForward; 0x16330:$str_b15: fso.DeleteFile "; 0x16394:$str_b16: On Error Resume Next; 0x162fc:$str_b17: fso.DeleteFolder "; 0x15a14:$str_b18: Uploaded file: |
| 17.3.glpmruvjds.pif.47df210.9.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 17.3.glpmruvjds.pif.47df210.9.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | 0x16510:$name: Remcos; 0x16888:$name: Remcos; 0x16de0:$name: Remcos; 0x16e33:$name: Remcos; 0x15674:$time: %02i:%02i:%02i:%03i; 0x156fc:$time: %02i:%02i:%02i:%03i; 0x16be4:$time: %02i:%02i:%02i:%03i; 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ... |
| 17.3.glpmruvjds.pif.47df210.9.raw.unpack | REMCOS_RAT_variants | unknown | unknown | 0x166f8:$str_a1: C:\Windows\System32\cmd.exe; 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data; 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName); 0x159e0:$str_b2: Executing file:; 0x16798:$str_b3: GetDirectListeningPort; 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject"); 0x16534:$str_b5: licence_code.txt; 0x1649c:$str_b6: \restart.vbs; 0x163c0:$str_b8: \uninstall.vbs; 0x1596c:$str_b9: Downloaded file:; 0x15998:$str_b10: Downloading file:; 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds; 0x159fc:$str_b12: Failed to upload file:; 0x167d8:$str_b13: StartForward; 0x167bc:$str_b14: StopForward; 0x16330:$str_b15: fso.DeleteFile "; 0x16394:$str_b16: On Error Resume Next; 0x162fc:$str_b17: fso.DeleteFolder "; 0x15a14:$str_b18: Uploaded file: |
| 17.3.glpmruvjds.pif.47bf208.12.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 17.3.glpmruvjds.pif.47bf208.12.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | 0x16510:$name: Remcos; 0x16888:$name: Remcos; 0x16de0:$name: Remcos; 0x16e33:$name: Remcos; 0x36518:$name: Remcos; 0x36890:$name: Remcos; 0x36de8:$name: Remcos; 0x36e3b:$name: Remcos; 0x15674:$time: %02i:%02i:%02i:%03i; 0x156fc:$time: %02i:%02i:%02i:%03i; 0x16be4:$time: %02i:%02i:%02i:%03i; 0x3567c:$time: %02i:%02i:%02i:%03i; 0x35704:$time: %02i:%02i:%02i:%03i; 0x36bec:$time: %02i:%02i:%02i:%03i; 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...; 0x2307c:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ... |
| 17.3.glpmruvjds.pif.47bf208.12.raw.unpack | REMCOS_RAT_variants | unknown | unknown | 0x166f8:$str_a1: C:\Windows\System32\cmd.exe; 0x36700:$str_a1: C:\Windows\System32\cmd.exe; 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x3671c:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x3671c:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data; 0x35e04:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data; 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName); 0x36408:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName); 0x159e0:$str_b2: Executing file:; 0x359e8:$str_b2: Executing file:; 0x16798:$str_b3: GetDirectListeningPort; 0x367a0:$str_b3: GetDirectListeningPort; 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject"); 0x36248:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject"); 0x16534:$str_b5: licence_code.txt; 0x3653c:$str_b5: licence_code.txt; 0x1649c:$str_b6: \restart.vbs; 0x364a4:$str_b6: \restart.vbs; 0x163c0:$str_b8: \uninstall.vbs |
| 5.3.glpmruvjds.pif.3c90a88.2.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 5.3.glpmruvjds.pif.3c90a88.2.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | 0x16510:$name: Remcos; 0x16888:$name: Remcos; 0x16de0:$name: Remcos; 0x16e33:$name: Remcos; 0x15674:$time: %02i:%02i:%02i:%03i; 0x156fc:$time: %02i:%02i:%02i:%03i; 0x16be4:$time: %02i:%02i:%02i:%03i; 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ... |
| 5.3.glpmruvjds.pif.3c90a88.2.raw.unpack | REMCOS_RAT_variants | unknown | unknown | 0x166f8:$str_a1: C:\Windows\System32\cmd.exe; 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data; 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName); 0x159e0:$str_b2: Executing file:; 0x16798:$str_b3: GetDirectListeningPort; 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject"); 0x16534:$str_b5: licence_code.txt; 0x1649c:$str_b6: \restart.vbs; 0x163c0:$str_b8: \uninstall.vbs; 0x1596c:$str_b9: Downloaded file:; 0x15998:$str_b10: Downloading file:; 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds; 0x159fc:$str_b12: Failed to upload file:; 0x167d8:$str_b13: StartForward; 0x167bc:$str_b14: StopForward; 0x16330:$str_b15: fso.DeleteFile "; 0x16394:$str_b16: On Error Resume Next; 0x162fc:$str_b17: fso.DeleteFolder "; 0x15a14:$str_b18: Uploaded file: |
| 17.3.glpmruvjds.pif.47df210.11.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 17.3.glpmruvjds.pif.47df210.11.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | 0x16510:$name: Remcos; 0x16888:$name: Remcos; 0x16de0:$name: Remcos; 0x16e33:$name: Remcos; 0x15674:$time: %02i:%02i:%02i:%03i; 0x156fc:$time: %02i:%02i:%02i:%03i; 0x16be4:$time: %02i:%02i:%02i:%03i; 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ... |
| 17.3.glpmruvjds.pif.47df210.11.raw.unpack | REMCOS_RAT_variants | unknown | unknown | 0x166f8:$str_a1: C:\Windows\System32\cmd.exe; 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data; 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName); 0x159e0:$str_b2: Executing file:; 0x16798:$str_b3: GetDirectListeningPort; 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject"); 0x16534:$str_b5: licence_code.txt; 0x1649c:$str_b6: \restart.vbs; 0x163c0:$str_b8: \uninstall.vbs; 0x1596c:$str_b9: Downloaded file:; 0x15998:$str_b10: Downloading file:; 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds; 0x159fc:$str_b12: Failed to upload file:; 0x167d8:$str_b13: StartForward; 0x167bc:$str_b14: StopForward; 0x16330:$str_b15: fso.DeleteFile "; 0x16394:$str_b16: On Error Resume Next; 0x162fc:$str_b17: fso.DeleteFolder "; 0x15a14:$str_b18: Uploaded file: |
| 17.3.glpmruvjds.pif.47bf208.12.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 17.3.glpmruvjds.pif.47bf208.12.unpack | Remcos_1 | Remcos Payload | kevoreilly | 0x16510:$name: Remcos; 0x16888:$name: Remcos; 0x16de0:$name: Remcos; 0x16e33:$name: Remcos; 0x15674:$time: %02i:%02i:%02i:%03i; 0x156fc:$time: %02i:%02i:%02i:%03i; 0x16be4:$time: %02i:%02i:%02i:%03i; 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ... |
| 17.3.glpmruvjds.pif.47bf208.12.unpack | REMCOS_RAT_variants | unknown | unknown | 0x166f8:$str_a1: C:\Windows\System32\cmd.exe; 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data; 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName); 0x159e0:$str_b2: Executing file:; 0x16798:$str_b3: GetDirectListeningPort; 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject"); 0x16534:$str_b5: licence_code.txt; 0x1649c:$str_b6: \restart.vbs; 0x163c0:$str_b8: \uninstall.vbs; 0x1596c:$str_b9: Downloaded file:; 0x15998:$str_b10: Downloading file:; 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds; 0x159fc:$str_b12: Failed to upload file:; 0x167d8:$str_b13: StartForward; 0x167bc:$str_b14: StopForward; 0x16330:$str_b15: fso.DeleteFile "; 0x16394:$str_b16: On Error Resume Next; 0x162fc:$str_b17: fso.DeleteFolder "; 0x15a14:$str_b18: Uploaded file: |
| 17.3.glpmruvjds.pif.3ab5f28.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 17.3.glpmruvjds.pif.3ab5f28.0.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | 0x16510:$name: Remcos; 0x16888:$name: Remcos; 0x16de0:$name: Remcos; 0x16e33:$name: Remcos; 0x15674:$time: %02i:%02i:%02i:%03i; 0x156fc:$time: %02i:%02i:%02i:%03i; 0x16be4:$time: %02i:%02i:%02i:%03i; 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ... |
| 17.3.glpmruvjds.pif.3ab5f28.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown | 0x166f8:$str_a1: C:\Windows\System32\cmd.exe; 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data; 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName); 0x159e0:$str_b2: Executing file:; 0x16798:$str_b3: GetDirectListeningPort; 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject"); 0x16534:$str_b5: licence_code.txt; 0x1649c:$str_b6: \restart.vbs; 0x163c0:$str_b8: \uninstall.vbs; 0x1596c:$str_b9: Downloaded file:; 0x15998:$str_b10: Downloading file:; 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds; 0x159fc:$str_b12: Failed to upload file:; 0x167d8:$str_b13: StartForward; 0x167bc:$str_b14: StopForward; 0x16330:$str_b15: fso.DeleteFile "; 0x16394:$str_b16: On Error Resume Next; 0x162fc:$str_b17: fso.DeleteFolder "; 0x15a14:$str_b18: Uploaded file: |
| 17.3.glpmruvjds.pif.47bf208.4.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 17.3.glpmruvjds.pif.47bf208.4.unpack | Remcos_1 | Remcos Payload | kevoreilly | 0x16510:$name: Remcos; 0x16888:$name: Remcos; 0x16de0:$name: Remcos; 0x16e33:$name: Remcos; 0x15674:$time: %02i:%02i:%02i:%03i; 0x156fc:$time: %02i:%02i:%02i:%03i; 0x16be4:$time: %02i:%02i:%02i:%03i; 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ... |
| 17.3.glpmruvjds.pif.47bf208.4.unpack | REMCOS_RAT_variants | unknown | unknown | 0x166f8:$str_a1: C:\Windows\System32\cmd.exe; 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data; 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName); 0x159e0:$str_b2: Executing file:; 0x16798:$str_b3: GetDirectListeningPort; 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject"); 0x16534:$str_b5: licence_code.txt; 0x1649c:$str_b6: \restart.vbs; 0x163c0:$str_b8: \uninstall.vbs; 0x1596c:$str_b9: Downloaded file:; 0x15998:$str_b10: Downloading file:; 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds; 0x159fc:$str_b12: Failed to upload file:; 0x167d8:$str_b13: StartForward; 0x167bc:$str_b14: StopForward; 0x16330:$str_b15: fso.DeleteFile "; 0x16394:$str_b16: On Error Resume Next; 0x162fc:$str_b17: fso.DeleteFolder "; 0x15a14:$str_b18: Uploaded file: |
| 17.3.glpmruvjds.pif.47bf208.2.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 17.3.glpmruvjds.pif.47bf208.2.unpack | Remcos_1 | Remcos Payload | kevoreilly | 0x16510:$name: Remcos; 0x16888:$name: Remcos; 0x16de0:$name: Remcos; 0x16e33:$name: Remcos; 0x15674:$time: %02i:%02i:%02i:%03i; 0x156fc:$time: %02i:%02i:%02i:%03i; 0x16be4:$time: %02i:%02i:%02i:%03i; 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ... |
| 17.3.glpmruvjds.pif.47bf208.2.unpack | REMCOS_RAT_variants | unknown | unknown | 0x166f8:$str_a1: C:\Windows\System32\cmd.exe; 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data; 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName); 0x159e0:$str_b2: Executing file:; 0x16798:$str_b3: GetDirectListeningPort; 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject"); 0x16534:$str_b5: licence_code.txt; 0x1649c:$str_b6: \restart.vbs; 0x163c0:$str_b8: \uninstall.vbs; 0x1596c:$str_b9: Downloaded file:; 0x15998:$str_b10: Downloading file:; 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds; 0x159fc:$str_b12: Failed to upload file:; 0x167d8:$str_b13: StartForward; 0x167bc:$str_b14: StopForward; 0x16330:$str_b15: fso.DeleteFile "; 0x16394:$str_b16: On Error Resume Next; 0x162fc:$str_b17: fso.DeleteFolder "; 0x15a14:$str_b18: Uploaded file: |
| 5.3.glpmruvjds.pif.3c90a88.6.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 5.3.glpmruvjds.pif.3c90a88.6.unpack | Remcos_1 | Remcos Payload | kevoreilly | 0x16510:$name: Remcos; 0x16888:$name: Remcos; 0x16de0:$name: Remcos; 0x16e33:$name: Remcos; 0x15674:$time: %02i:%02i:%02i:%03i; 0x156fc:$time: %02i:%02i:%02i:%03i; 0x16be4:$time: %02i:%02i:%02i:%03i; 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ... |
| 5.3.glpmruvjds.pif.3c90a88.6.unpack | REMCOS_RAT_variants | unknown | unknown | 0x166f8:$str_a1: C:\Windows\System32\cmd.exe; 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data; 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName); 0x159e0:$str_b2: Executing file:; 0x16798:$str_b3: GetDirectListeningPort; 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject"); 0x16534:$str_b5: licence_code.txt; 0x1649c:$str_b6: \restart.vbs; 0x163c0:$str_b8: \uninstall.vbs; 0x1596c:$str_b9: Downloaded file:; 0x15998:$str_b10: Downloading file:; 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds; 0x159fc:$str_b12: Failed to upload file:; 0x167d8:$str_b13: StartForward; 0x167bc:$str_b14: StopForward; 0x16330:$str_b15: fso.DeleteFile "; 0x16394:$str_b16: On Error Resume Next; 0x162fc:$str_b17: fso.DeleteFolder "; 0x15a14:$str_b18: Uploaded file: |
| 5.3.glpmruvjds.pif.3cd0a98.3.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 5.3.glpmruvjds.pif.3cd0a98.3.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | 0x16510:$name: Remcos; 0x16888:$name: Remcos; 0x16de0:$name: Remcos; 0x16e33:$name: Remcos; 0x15674:$time: %02i:%02i:%02i:%03i; 0x156fc:$time: %02i:%02i:%02i:%03i; 0x16be4:$time: %02i:%02i:%02i:%03i; 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ... |
| 5.3.glpmruvjds.pif.3cd0a98.3.raw.unpack | REMCOS_RAT_variants | unknown | unknown | 0x166f8:$str_a1: C:\Windows\System32\cmd.exe; 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data; 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName); 0x159e0:$str_b2: Executing file:; 0x16798:$str_b3: GetDirectListeningPort; 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject"); 0x16534:$str_b5: licence_code.txt; 0x1649c:$str_b6: \restart.vbs; 0x163c0:$str_b8: \uninstall.vbs; 0x1596c:$str_b9: Downloaded file:; 0x15998:$str_b10: Downloading file:; 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds; 0x159fc:$str_b12: Failed to upload file:; 0x167d8:$str_b13: StartForward; 0x167bc:$str_b14: StopForward; 0x16330:$str_b15: fso.DeleteFile "; 0x16394:$str_b16: On Error Resume Next; 0x162fc:$str_b17: fso.DeleteFolder "; 0x15a14:$str_b18: Uploaded file: |
| 18.2.RegSvcs.exe.930000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 18.2.RegSvcs.exe.930000.0.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | 0x16510:$name: Remcos; 0x16888:$name: Remcos; 0x16de0:$name: Remcos; 0x16e33:$name: Remcos; 0x15674:$time: %02i:%02i:%02i:%03i; 0x156fc:$time: %02i:%02i:%02i:%03i; 0x16be4:$time: %02i:%02i:%02i:%03i; 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ... |
| 18.2.RegSvcs.exe.930000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown | 0x166f8:$str_a1: C:\Windows\System32\cmd.exe; 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR; 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data; 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName); 0x159e0:$str_b2: Executing file:; 0x16798:$str_b3: GetDirectListeningPort; 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject"); 0x16534:$str_b5: licence_code.txt; 0x1649c:$str_b6: \restart.vbs; 0x163c0:$str_b8: \uninstall.vbs; 0x1596c:$str_b9: Downloaded file:; 0x15998:$str_b10: Downloading file:; 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds; 0x159fc:$str_b12: Failed to upload file:; 0x167d8:$str_b13: StartForward; 0x167bc:$str_b14: StopForward; 0x16330:$str_b15: fso.DeleteFile "; 0x16394:$str_b16: On Error Resume Next; 0x162fc:$str_b17: fso.DeleteFolder "; 0x15a14:$str_b18: Uploaded file: |
| 5.3.glpmruvjds.pif.3c90a88.6.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 5.3.glpmruvjds.pif.3c90a88.6.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | 0x16510:$name: Remcos; 0x16888:$name: Remcos; 0x16de0:$name: Remcos |
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
5.3.glpmruvjds.pif.3c90a88.6.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
17.3.glpmruvjds.pif.47df210.7.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
17.3.glpmruvjds.pif.47df210.7.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x36518:$name: Remcos
- 0x36890:$name: Remcos
- 0x36de8:$name: Remcos
- 0x36e3b:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3567c:$time: %02i:%02i:%02i:%03i
- 0x35704:$time: %02i:%02i:%02i:%03i
- 0x36bec:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
- 0x2307c:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
17.3.glpmruvjds.pif.47df210.7.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x36700:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x35e04:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x36408:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x359e8:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x367a0:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x36248:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x3653c:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x364a4:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
|
17.3.glpmruvjds.pif.47bf208.1.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
17.3.glpmruvjds.pif.47bf208.1.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
17.3.glpmruvjds.pif.47bf208.1.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
17.3.glpmruvjds.pif.47ff218.6.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
17.3.glpmruvjds.pif.47ff218.6.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x6af0:$str_a1: C:\Windows\System32\cmd.exe
- 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x6b0c:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x6b0c:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x61f4:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x67f8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x5dd8:$str_b2: Executing file:
- 0x159e0:$str_b2: Executing file:
- 0x6b90:$str_b3: GetDirectListeningPort
- 0x16798:$str_b3: GetDirectListeningPort
- 0x6638:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x692c:$str_b5: licence_code.txt
- 0x16534:$str_b5: licence_code.txt
- 0x6894:$str_b6: \restart.vbs
- 0x1649c:$str_b6: \restart.vbs
- 0x67b8:$str_b8: \uninstall.vbs
|
17.3.glpmruvjds.pif.47df210.3.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
17.3.glpmruvjds.pif.47df210.3.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
17.3.glpmruvjds.pif.47df210.3.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
17.3.glpmruvjds.pif.47bf208.2.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
17.3.glpmruvjds.pif.47bf208.2.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x36518:$name: Remcos
- 0x36890:$name: Remcos
- 0x36de8:$name: Remcos
- 0x36e3b:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3567c:$time: %02i:%02i:%02i:%03i
- 0x35704:$time: %02i:%02i:%02i:%03i
- 0x36bec:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
- 0x2307c:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
17.3.glpmruvjds.pif.47bf208.2.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x36700:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x35e04:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x36408:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x359e8:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x367a0:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x36248:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x3653c:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x364a4:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
|
17.3.glpmruvjds.pif.47bf208.10.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
17.3.glpmruvjds.pif.47bf208.10.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x36518:$name: Remcos
- 0x36890:$name: Remcos
- 0x36de8:$name: Remcos
- 0x36e3b:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3567c:$time: %02i:%02i:%02i:%03i
- 0x35704:$time: %02i:%02i:%02i:%03i
- 0x36bec:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
- 0x2307c:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
17.3.glpmruvjds.pif.47bf208.10.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x36700:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x35e04:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x36408:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x359e8:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x367a0:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x36248:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x3653c:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x364a4:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
|
17.3.glpmruvjds.pif.47bf208.10.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
17.3.glpmruvjds.pif.47bf208.10.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
17.3.glpmruvjds.pif.47bf208.10.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
7.2.RegSvcs.exe.800000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
7.2.RegSvcs.exe.800000.0.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
7.2.RegSvcs.exe.800000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
17.3.glpmruvjds.pif.47df210.5.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
17.3.glpmruvjds.pif.47df210.5.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
17.3.glpmruvjds.pif.47df210.5.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
17.3.glpmruvjds.pif.47df210.7.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
17.3.glpmruvjds.pif.47df210.7.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
17.3.glpmruvjds.pif.47df210.7.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
17.3.glpmruvjds.pif.47df210.13.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
17.3.glpmruvjds.pif.47df210.13.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
17.3.glpmruvjds.pif.47df210.13.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
17.3.glpmruvjds.pif.3ab5f28.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
17.3.glpmruvjds.pif.3ab5f28.0.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
17.3.glpmruvjds.pif.3ab5f28.0.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
5.3.glpmruvjds.pif.3c90a88.2.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
5.3.glpmruvjds.pif.3c90a88.2.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
5.3.glpmruvjds.pif.3c90a88.2.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
5.3.glpmruvjds.pif.3c90a88.7.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
5.3.glpmruvjds.pif.3c90a88.7.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
5.3.glpmruvjds.pif.3c90a88.7.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
18.2.RegSvcs.exe.930000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
18.2.RegSvcs.exe.930000.0.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
18.2.RegSvcs.exe.930000.0.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
17.3.glpmruvjds.pif.47df210.11.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
17.3.glpmruvjds.pif.47df210.11.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
17.3.glpmruvjds.pif.47df210.11.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
17.3.glpmruvjds.pif.47df210.3.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
17.3.glpmruvjds.pif.47df210.3.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
17.3.glpmruvjds.pif.47df210.3.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
17.3.glpmruvjds.pif.3ab5f28.15.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
17.3.glpmruvjds.pif.3ab5f28.15.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
17.3.glpmruvjds.pif.3ab5f28.15.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
5.3.glpmruvjds.pif.3c50a78.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
5.3.glpmruvjds.pif.3c50a78.0.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x36518:$name: Remcos
- 0x36890:$name: Remcos
- 0x36de8:$name: Remcos
- 0x36e3b:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3567c:$time: %02i:%02i:%02i:%03i
- 0x35704:$time: %02i:%02i:%02i:%03i
- 0x36bec:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
- 0x2307c:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
5.3.glpmruvjds.pif.3c50a78.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x36700:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x35e04:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x36408:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x359e8:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x367a0:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x36248:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x3653c:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x364a4:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
|
17.3.glpmruvjds.pif.47df210.5.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
17.3.glpmruvjds.pif.47df210.5.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
17.3.glpmruvjds.pif.47df210.5.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
5.3.glpmruvjds.pif.3cd0a98.4.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
5.3.glpmruvjds.pif.3cd0a98.4.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
5.3.glpmruvjds.pif.3cd0a98.4.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
17.3.glpmruvjds.pif.47bf208.14.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
17.3.glpmruvjds.pif.47bf208.14.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x36518:$name: Remcos
- 0x36890:$name: Remcos
- 0x36de8:$name: Remcos
- 0x36e3b:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3567c:$time: %02i:%02i:%02i:%03i
- 0x35704:$time: %02i:%02i:%02i:%03i
- 0x36bec:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
- 0x2307c:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
- 0x42084:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
17.3.glpmruvjds.pif.47bf208.14.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x36700:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x35e04:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x36408:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x359e8:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x367a0:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x36248:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x3653c:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x364a4:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
|
5.3.glpmruvjds.pif.3c70a80.1.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
5.3.glpmruvjds.pif.3c70a80.1.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
5.3.glpmruvjds.pif.3c70a80.1.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
17.3.glpmruvjds.pif.47df210.13.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
17.3.glpmruvjds.pif.47df210.13.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
- 0x2207c:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
17.3.glpmruvjds.pif.47df210.13.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
17.3.glpmruvjds.pif.3ab5f28.15.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
17.3.glpmruvjds.pif.3ab5f28.15.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
17.3.glpmruvjds.pif.3ab5f28.15.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
17.3.glpmruvjds.pif.47bf208.4.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
17.3.glpmruvjds.pif.47bf208.4.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x36518:$name: Remcos
- 0x36890:$name: Remcos
- 0x36de8:$name: Remcos
- 0x36e3b:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3567c:$time: %02i:%02i:%02i:%03i
- 0x35704:$time: %02i:%02i:%02i:%03i
- 0x36bec:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
- 0x2307c:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
17.3.glpmruvjds.pif.47bf208.4.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x36700:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x35e04:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x36408:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x359e8:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x367a0:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x36248:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x3653c:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x364a4:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
|
17.3.glpmruvjds.pif.47bf208.8.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
17.3.glpmruvjds.pif.47bf208.8.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x36518:$name: Remcos
- 0x36890:$name: Remcos
- 0x36de8:$name: Remcos
- 0x36e3b:$name: Remcos
- 0x56520:$name: Remcos
- 0x56898:$name: Remcos
- 0x56df0:$name: Remcos
- 0x56e43:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3567c:$time: %02i:%02i:%02i:%03i
- 0x35704:$time: %02i:%02i:%02i:%03i
- 0x36bec:$time: %02i:%02i:%02i:%03i
- 0x55684:$time: %02i:%02i:%02i:%03i
- 0x5570c:$time: %02i:%02i:%02i:%03i
- 0x56bf4:$time: %02i:%02i:%02i:%03i
|
17.3.glpmruvjds.pif.47bf208.8.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x36700:$str_a1: C:\Windows\System32\cmd.exe
- 0x56708:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x56724:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x56724:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x35e04:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x55e0c:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x36408:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x56410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x359e8:$str_b2: Executing file:
- 0x559f0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x367a0:$str_b3: GetDirectListeningPort
- 0x567a8:$str_b3: GetDirectListeningPort
|
17.3.glpmruvjds.pif.47bf208.1.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
17.3.glpmruvjds.pif.47bf208.1.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x36518:$name: Remcos
- 0x36890:$name: Remcos
- 0x36de8:$name: Remcos
- 0x36e3b:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3567c:$time: %02i:%02i:%02i:%03i
- 0x35704:$time: %02i:%02i:%02i:%03i
- 0x36bec:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
- 0x2307c:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
17.3.glpmruvjds.pif.47bf208.1.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x36700:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x35e04:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x36408:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x359e8:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x367a0:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x36248:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x3653c:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x364a4:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
|