Play interactive tour

Edit tour

Windows Analysis Report RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe

Overview

General Information

Sample Name:	RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe
Analysis ID:	479213
MD5:	06534c059b111776b838f793c6444622
SHA1:	7ebda7124a60de107a00960d9fe0563fd3cd2760
SHA256:	933a4d2abfdf0f91550a102808d00adace6eb9df89ea9e254e2df7601b02dd8f
Infos:
Most interesting Screenshot:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Malicious sample detected (through community Yara rule)

Yara detected Remcos RAT

Detected Remcos RAT

Initial sample is a PE file and has a suspicious name

Writes to foreign memory regions

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to inject code into remote processes

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to enumerate running services

Contains functionality to dynamically determine API calls

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Extensive use of GetProcAddress (often used to hide API calls)

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Contains functionality to download and launch executables

Contains functionality to retrieve information about pressed keystrokes

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to simulate mouse events

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe (PID: 5256 cmdline: 'C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe' MD5: 06534C059B111776B838F793C6444622)

mobsync.exe (PID: 4692 cmdline: C:\Windows\System32\mobsync.exe MD5: 44C19378FA529DD88674BAF647EBDC3C)

Cshgvzx.exe (PID: 5384 cmdline: 'C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe' MD5: 06534C059B111776B838F793C6444622)

dialer.exe (PID: 6544 cmdline: C:\Windows\System32\dialer.exe MD5: F176211F7372248224D02AC023573870)

Cshgvzx.exe (PID: 5296 cmdline: 'C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe' MD5: 06534C059B111776B838F793C6444622)

secinit.exe (PID: 6672 cmdline: C:\Windows\System32\secinit.exe MD5: 174A363BB5A2D88B224546C15DD10906)

cleanup

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "204.44.86.179:49151:0123qwegus.duckdns.org:49151:0", "Assigned name": "septttt", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-ZXIQGD", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "20000"}

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\Public\Libraries\xzvghsC.url	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0x14:$file: URL= 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.492585881.00000000030E7000.00000004.00000020.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000012.00000002.331608026.0000000002F98000.00000004.00000020.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000013.00000002.356743910.0000000000500000.00000040.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000013.00000002.356743910.0000000000500000.00000040.00000001.sdmp	REMCOS_RAT_variants	unknown	unknown	0x606bc:$str_a1: C:\Windows\System32\cmd.exe 0x60638:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60638:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5fc38:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60290:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f86c:$str_b2: Executing file: 0x60800:$str_b3: GetDirectListeningPort 0x60050:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x603d4:$str_b5: licence_code.txt 0x60278:$str_b7: \update.vbs 0x5f8dc:$str_b9: Downloaded file: 0x5f8a8:$str_b10: Downloading file: 0x5f890:$str_b12: Failed to upload file: 0x607c8:$str_b13: StartForward 0x607e8:$str_b14: StopForward 0x60220:$str_b15: fso.DeleteFile " 0x601b4:$str_b16: On Error Resume Next 0x60250:$str_b17: fso.DeleteFolder " 0x5f880:$str_b18: Uploaded file: 0x5f91c:$str_b19: Unable to delete: 0x601e8:$str_b20: while fso.FileExists("
00000013.00000002.356991304.0000000010590000.00000040.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000013.00000002.356991304.0000000010590000.00000040.00000001.sdmp	REMCOS_RAT_variants	unknown	unknown	0x60553:$str_a1: C:\Windows\System32\cmd.exe 0x604cf:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x604cf:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5facf:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60127:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f703:$str_b2: Executing file: 0x60697:$str_b3: GetDirectListeningPort 0x5fee7:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x6026b:$str_b5: licence_code.txt 0x6010f:$str_b7: \update.vbs 0x5f773:$str_b9: Downloaded file: 0x5f73f:$str_b10: Downloading file: 0x5f727:$str_b12: Failed to upload file: 0x6065f:$str_b13: StartForward 0x6067f:$str_b14: StopForward 0x600b7:$str_b15: fso.DeleteFile " 0x6004b:$str_b16: On Error Resume Next 0x600e7:$str_b17: fso.DeleteFolder " 0x5f717:$str_b18: Uploaded file: 0x5f7b3:$str_b19: Unable to delete: 0x6007f:$str_b20: while fso.FileExists("
00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp	REMCOS_RAT_variants	unknown	unknown	0x606bc:$str_a1: C:\Windows\System32\cmd.exe 0x60638:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60638:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5fc38:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60290:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f86c:$str_b2: Executing file: 0x60800:$str_b3: GetDirectListeningPort 0x60050:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x603d4:$str_b5: licence_code.txt 0x60278:$str_b7: \update.vbs 0x5f8dc:$str_b9: Downloaded file: 0x5f8a8:$str_b10: Downloading file: 0x5f890:$str_b12: Failed to upload file: 0x607c8:$str_b13: StartForward 0x607e8:$str_b14: StopForward 0x60220:$str_b15: fso.DeleteFile " 0x601b4:$str_b16: On Error Resume Next 0x60250:$str_b17: fso.DeleteFolder " 0x5f880:$str_b18: Uploaded file: 0x5f91c:$str_b19: Unable to delete: 0x601e8:$str_b20: while fso.FileExists("
00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp	REMCOS_RAT_variants	unknown	unknown	0x606bc:$str_a1: C:\Windows\System32\cmd.exe 0x60638:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60638:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5fc38:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60290:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f86c:$str_b2: Executing file: 0x60800:$str_b3: GetDirectListeningPort 0x60050:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x603d4:$str_b5: licence_code.txt 0x60278:$str_b7: \update.vbs 0x5f8dc:$str_b9: Downloaded file: 0x5f8a8:$str_b10: Downloading file: 0x5f890:$str_b12: Failed to upload file: 0x607c8:$str_b13: StartForward 0x607e8:$str_b14: StopForward 0x60220:$str_b15: fso.DeleteFile " 0x601b4:$str_b16: On Error Resume Next 0x60250:$str_b17: fso.DeleteFolder " 0x5f880:$str_b18: Uploaded file: 0x5f91c:$str_b19: Unable to delete: 0x601e8:$str_b20: while fso.FileExists("
00000013.00000002.356879289.00000000006E8000.00000004.00000020.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000008.00000002.492970715.0000000010590000.00000040.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000008.00000002.492970715.0000000010590000.00000040.00000001.sdmp	REMCOS_RAT_variants	unknown	unknown	0x60553:$str_a1: C:\Windows\System32\cmd.exe 0x604cf:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x604cf:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5facf:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60127:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f703:$str_b2: Executing file: 0x60697:$str_b3: GetDirectListeningPort 0x5fee7:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x6026b:$str_b5: licence_code.txt 0x6010f:$str_b7: \update.vbs 0x5f773:$str_b9: Downloaded file: 0x5f73f:$str_b10: Downloading file: 0x5f727:$str_b12: Failed to upload file: 0x6065f:$str_b13: StartForward 0x6067f:$str_b14: StopForward 0x600b7:$str_b15: fso.DeleteFile " 0x6004b:$str_b16: On Error Resume Next 0x600e7:$str_b17: fso.DeleteFolder " 0x5f717:$str_b18: Uploaded file: 0x5f7b3:$str_b19: Unable to delete: 0x6007f:$str_b20: while fso.FileExists("
00000012.00000002.331771013.0000000010590000.00000040.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000012.00000002.331771013.0000000010590000.00000040.00000001.sdmp	REMCOS_RAT_variants	unknown	unknown	0x60553:$str_a1: C:\Windows\System32\cmd.exe 0x604cf:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x604cf:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5facf:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60127:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f703:$str_b2: Executing file: 0x60697:$str_b3: GetDirectListeningPort 0x5fee7:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x6026b:$str_b5: licence_code.txt 0x6010f:$str_b7: \update.vbs 0x5f773:$str_b9: Downloaded file: 0x5f73f:$str_b10: Downloading file: 0x5f727:$str_b12: Failed to upload file: 0x6065f:$str_b13: StartForward 0x6067f:$str_b14: StopForward 0x600b7:$str_b15: fso.DeleteFile " 0x6004b:$str_b16: On Error Resume Next 0x600e7:$str_b17: fso.DeleteFolder " 0x5f717:$str_b18: Uploaded file: 0x5f7b3:$str_b19: Unable to delete: 0x6007f:$str_b20: while fso.FileExists("
Process Memory Space: mobsync.exe PID: 4692	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: dialer.exe PID: 6544	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: secinit.exe PID: 6672	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.mobsync.exe.10590000.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
8.2.mobsync.exe.10590000.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x60553:$str_a1: C:\Windows\System32\cmd.exe 0x604cf:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x604cf:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5facf:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60127:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f703:$str_b2: Executing file: 0x60697:$str_b3: GetDirectListeningPort 0x5fee7:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x6026b:$str_b5: licence_code.txt 0x6010f:$str_b7: \update.vbs 0x5f773:$str_b9: Downloaded file: 0x5f73f:$str_b10: Downloading file: 0x5f727:$str_b12: Failed to upload file: 0x6065f:$str_b13: StartForward 0x6067f:$str_b14: StopForward 0x600b7:$str_b15: fso.DeleteFile " 0x6004b:$str_b16: On Error Resume Next 0x600e7:$str_b17: fso.DeleteFolder " 0x5f717:$str_b18: Uploaded file: 0x5f7b3:$str_b19: Unable to delete: 0x6007f:$str_b20: while fso.FileExists("
18.2.dialer.exe.10590000.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
18.2.dialer.exe.10590000.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x5f953:$str_a1: C:\Windows\System32\cmd.exe 0x5f8cf:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5f8cf:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5eecf:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5f527:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5eb03:$str_b2: Executing file: 0x5fa97:$str_b3: GetDirectListeningPort 0x5f2e7:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5f66b:$str_b5: licence_code.txt 0x5f50f:$str_b7: \update.vbs 0x5eb73:$str_b9: Downloaded file: 0x5eb3f:$str_b10: Downloading file: 0x5eb27:$str_b12: Failed to upload file: 0x5fa5f:$str_b13: StartForward 0x5fa7f:$str_b14: StopForward 0x5f4b7:$str_b15: fso.DeleteFile " 0x5f44b:$str_b16: On Error Resume Next 0x5f4e7:$str_b17: fso.DeleteFolder " 0x5eb17:$str_b18: Uploaded file: 0x5ebb3:$str_b19: Unable to delete: 0x5f47f:$str_b20: while fso.FileExists("
8.2.mobsync.exe.10590000.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
8.2.mobsync.exe.10590000.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x5f953:$str_a1: C:\Windows\System32\cmd.exe 0x5f8cf:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5f8cf:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5eecf:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5f527:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5eb03:$str_b2: Executing file: 0x5fa97:$str_b3: GetDirectListeningPort 0x5f2e7:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5f66b:$str_b5: licence_code.txt 0x5f50f:$str_b7: \update.vbs 0x5eb73:$str_b9: Downloaded file: 0x5eb3f:$str_b10: Downloading file: 0x5eb27:$str_b12: Failed to upload file: 0x5fa5f:$str_b13: StartForward 0x5fa7f:$str_b14: StopForward 0x5f4b7:$str_b15: fso.DeleteFile " 0x5f44b:$str_b16: On Error Resume Next 0x5f4e7:$str_b17: fso.DeleteFolder " 0x5eb17:$str_b18: Uploaded file: 0x5ebb3:$str_b19: Unable to delete: 0x5f47f:$str_b20: while fso.FileExists("
8.2.mobsync.exe.10591897.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
8.2.mobsync.exe.10591897.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x5ecbc:$str_a1: C:\Windows\System32\cmd.exe 0x5ec38:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5ec38:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5e238:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5e890:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5de6c:$str_b2: Executing file: 0x5ee00:$str_b3: GetDirectListeningPort 0x5e650:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5e9d4:$str_b5: licence_code.txt 0x5e878:$str_b7: \update.vbs 0x5dedc:$str_b9: Downloaded file: 0x5dea8:$str_b10: Downloading file: 0x5de90:$str_b12: Failed to upload file: 0x5edc8:$str_b13: StartForward 0x5ede8:$str_b14: StopForward 0x5e820:$str_b15: fso.DeleteFile " 0x5e7b4:$str_b16: On Error Resume Next 0x5e850:$str_b17: fso.DeleteFolder " 0x5de80:$str_b18: Uploaded file: 0x5df1c:$str_b19: Unable to delete: 0x5e7e8:$str_b20: while fso.FileExists("
19.2.secinit.exe.10590000.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
19.2.secinit.exe.10590000.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x60553:$str_a1: C:\Windows\System32\cmd.exe 0x604cf:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x604cf:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5facf:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60127:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f703:$str_b2: Executing file: 0x60697:$str_b3: GetDirectListeningPort 0x5fee7:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x6026b:$str_b5: licence_code.txt 0x6010f:$str_b7: \update.vbs 0x5f773:$str_b9: Downloaded file: 0x5f73f:$str_b10: Downloading file: 0x5f727:$str_b12: Failed to upload file: 0x6065f:$str_b13: StartForward 0x6067f:$str_b14: StopForward 0x600b7:$str_b15: fso.DeleteFile " 0x6004b:$str_b16: On Error Resume Next 0x600e7:$str_b17: fso.DeleteFolder " 0x5f717:$str_b18: Uploaded file: 0x5f7b3:$str_b19: Unable to delete: 0x6007f:$str_b20: while fso.FileExists("
19.2.secinit.exe.500000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
19.2.secinit.exe.500000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x606bc:$str_a1: C:\Windows\System32\cmd.exe 0x60638:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60638:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5fc38:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60290:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f86c:$str_b2: Executing file: 0x60800:$str_b3: GetDirectListeningPort 0x60050:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x603d4:$str_b5: licence_code.txt 0x60278:$str_b7: \update.vbs 0x5f8dc:$str_b9: Downloaded file: 0x5f8a8:$str_b10: Downloading file: 0x5f890:$str_b12: Failed to upload file: 0x607c8:$str_b13: StartForward 0x607e8:$str_b14: StopForward 0x60220:$str_b15: fso.DeleteFile " 0x601b4:$str_b16: On Error Resume Next 0x60250:$str_b17: fso.DeleteFolder " 0x5f880:$str_b18: Uploaded file: 0x5f91c:$str_b19: Unable to delete: 0x601e8:$str_b20: while fso.FileExists("
19.2.secinit.exe.10591897.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
19.2.secinit.exe.10591897.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x5ecbc:$str_a1: C:\Windows\System32\cmd.exe 0x5ec38:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5ec38:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5e238:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5e890:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5de6c:$str_b2: Executing file: 0x5ee00:$str_b3: GetDirectListeningPort 0x5e650:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5e9d4:$str_b5: licence_code.txt 0x5e878:$str_b7: \update.vbs 0x5dedc:$str_b9: Downloaded file: 0x5dea8:$str_b10: Downloading file: 0x5de90:$str_b12: Failed to upload file: 0x5edc8:$str_b13: StartForward 0x5ede8:$str_b14: StopForward 0x5e820:$str_b15: fso.DeleteFile " 0x5e7b4:$str_b16: On Error Resume Next 0x5e850:$str_b17: fso.DeleteFolder " 0x5de80:$str_b18: Uploaded file: 0x5df1c:$str_b19: Unable to delete: 0x5e7e8:$str_b20: while fso.FileExists("
19.2.secinit.exe.10591897.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
19.2.secinit.exe.10591897.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x5d2bc:$str_a1: C:\Windows\System32\cmd.exe 0x5d238:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5d238:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5c838:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5ce90:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5c46c:$str_b2: Executing file: 0x5d400:$str_b3: GetDirectListeningPort 0x5cc50:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5cfd4:$str_b5: licence_code.txt 0x5ce78:$str_b7: \update.vbs 0x5c4dc:$str_b9: Downloaded file: 0x5c4a8:$str_b10: Downloading file: 0x5c490:$str_b12: Failed to upload file: 0x5d3c8:$str_b13: StartForward 0x5d3e8:$str_b14: StopForward 0x5ce20:$str_b15: fso.DeleteFile " 0x5cdb4:$str_b16: On Error Resume Next 0x5ce50:$str_b17: fso.DeleteFolder " 0x5c480:$str_b18: Uploaded file: 0x5c51c:$str_b19: Unable to delete: 0x5cde8:$str_b20: while fso.FileExists("
8.2.mobsync.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
8.2.mobsync.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x5ecbc:$str_a1: C:\Windows\System32\cmd.exe 0x5ec38:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5ec38:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5e238:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5e890:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5de6c:$str_b2: Executing file: 0x5ee00:$str_b3: GetDirectListeningPort 0x5e650:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5e9d4:$str_b5: licence_code.txt 0x5e878:$str_b7: \update.vbs 0x5dedc:$str_b9: Downloaded file: 0x5dea8:$str_b10: Downloading file: 0x5de90:$str_b12: Failed to upload file: 0x5edc8:$str_b13: StartForward 0x5ede8:$str_b14: StopForward 0x5e820:$str_b15: fso.DeleteFile " 0x5e7b4:$str_b16: On Error Resume Next 0x5e850:$str_b17: fso.DeleteFolder " 0x5de80:$str_b18: Uploaded file: 0x5df1c:$str_b19: Unable to delete: 0x5e7e8:$str_b20: while fso.FileExists("
19.2.secinit.exe.500000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
19.2.secinit.exe.500000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x5ecbc:$str_a1: C:\Windows\System32\cmd.exe 0x5ec38:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5ec38:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5e238:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5e890:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5de6c:$str_b2: Executing file: 0x5ee00:$str_b3: GetDirectListeningPort 0x5e650:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5e9d4:$str_b5: licence_code.txt 0x5e878:$str_b7: \update.vbs 0x5dedc:$str_b9: Downloaded file: 0x5dea8:$str_b10: Downloading file: 0x5de90:$str_b12: Failed to upload file: 0x5edc8:$str_b13: StartForward 0x5ede8:$str_b14: StopForward 0x5e820:$str_b15: fso.DeleteFile " 0x5e7b4:$str_b16: On Error Resume Next 0x5e850:$str_b17: fso.DeleteFolder " 0x5de80:$str_b18: Uploaded file: 0x5df1c:$str_b19: Unable to delete: 0x5e7e8:$str_b20: while fso.FileExists("
8.2.mobsync.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
8.2.mobsync.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x606bc:$str_a1: C:\Windows\System32\cmd.exe 0x60638:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60638:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5fc38:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60290:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f86c:$str_b2: Executing file: 0x60800:$str_b3: GetDirectListeningPort 0x60050:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x603d4:$str_b5: licence_code.txt 0x60278:$str_b7: \update.vbs 0x5f8dc:$str_b9: Downloaded file: 0x5f8a8:$str_b10: Downloading file: 0x5f890:$str_b12: Failed to upload file: 0x607c8:$str_b13: StartForward 0x607e8:$str_b14: StopForward 0x60220:$str_b15: fso.DeleteFile " 0x601b4:$str_b16: On Error Resume Next 0x60250:$str_b17: fso.DeleteFolder " 0x5f880:$str_b18: Uploaded file: 0x5f91c:$str_b19: Unable to delete: 0x601e8:$str_b20: while fso.FileExists("
18.2.dialer.exe.10590000.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
18.2.dialer.exe.10590000.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x60553:$str_a1: C:\Windows\System32\cmd.exe 0x604cf:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x604cf:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5facf:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60127:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f703:$str_b2: Executing file: 0x60697:$str_b3: GetDirectListeningPort 0x5fee7:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x6026b:$str_b5: licence_code.txt 0x6010f:$str_b7: \update.vbs 0x5f773:$str_b9: Downloaded file: 0x5f73f:$str_b10: Downloading file: 0x5f727:$str_b12: Failed to upload file: 0x6065f:$str_b13: StartForward 0x6067f:$str_b14: StopForward 0x600b7:$str_b15: fso.DeleteFile " 0x6004b:$str_b16: On Error Resume Next 0x600e7:$str_b17: fso.DeleteFolder " 0x5f717:$str_b18: Uploaded file: 0x5f7b3:$str_b19: Unable to delete: 0x6007f:$str_b20: while fso.FileExists("
18.2.dialer.exe.10591897.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
18.2.dialer.exe.10591897.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x5d2bc:$str_a1: C:\Windows\System32\cmd.exe 0x5d238:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5d238:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5c838:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5ce90:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5c46c:$str_b2: Executing file: 0x5d400:$str_b3: GetDirectListeningPort 0x5cc50:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5cfd4:$str_b5: licence_code.txt 0x5ce78:$str_b7: \update.vbs 0x5c4dc:$str_b9: Downloaded file: 0x5c4a8:$str_b10: Downloading file: 0x5c490:$str_b12: Failed to upload file: 0x5d3c8:$str_b13: StartForward 0x5d3e8:$str_b14: StopForward 0x5ce20:$str_b15: fso.DeleteFile " 0x5cdb4:$str_b16: On Error Resume Next 0x5ce50:$str_b17: fso.DeleteFolder " 0x5c480:$str_b18: Uploaded file: 0x5c51c:$str_b19: Unable to delete: 0x5cde8:$str_b20: while fso.FileExists("
18.2.dialer.exe.10591897.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
18.2.dialer.exe.10591897.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x5ecbc:$str_a1: C:\Windows\System32\cmd.exe 0x5ec38:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5ec38:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5e238:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5e890:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5de6c:$str_b2: Executing file: 0x5ee00:$str_b3: GetDirectListeningPort 0x5e650:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5e9d4:$str_b5: licence_code.txt 0x5e878:$str_b7: \update.vbs 0x5dedc:$str_b9: Downloaded file: 0x5dea8:$str_b10: Downloading file: 0x5de90:$str_b12: Failed to upload file: 0x5edc8:$str_b13: StartForward 0x5ede8:$str_b14: StopForward 0x5e820:$str_b15: fso.DeleteFile " 0x5e7b4:$str_b16: On Error Resume Next 0x5e850:$str_b17: fso.DeleteFolder " 0x5de80:$str_b18: Uploaded file: 0x5df1c:$str_b19: Unable to delete: 0x5e7e8:$str_b20: while fso.FileExists("
18.2.dialer.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
18.2.dialer.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x606bc:$str_a1: C:\Windows\System32\cmd.exe 0x60638:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60638:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5fc38:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60290:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f86c:$str_b2: Executing file: 0x60800:$str_b3: GetDirectListeningPort 0x60050:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x603d4:$str_b5: licence_code.txt 0x60278:$str_b7: \update.vbs 0x5f8dc:$str_b9: Downloaded file: 0x5f8a8:$str_b10: Downloading file: 0x5f890:$str_b12: Failed to upload file: 0x607c8:$str_b13: StartForward 0x607e8:$str_b14: StopForward 0x60220:$str_b15: fso.DeleteFile " 0x601b4:$str_b16: On Error Resume Next 0x60250:$str_b17: fso.DeleteFolder " 0x5f880:$str_b18: Uploaded file: 0x5f91c:$str_b19: Unable to delete: 0x601e8:$str_b20: while fso.FileExists("
18.2.dialer.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
18.2.dialer.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x5ecbc:$str_a1: C:\Windows\System32\cmd.exe 0x5ec38:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5ec38:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5e238:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5e890:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5de6c:$str_b2: Executing file: 0x5ee00:$str_b3: GetDirectListeningPort 0x5e650:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5e9d4:$str_b5: licence_code.txt 0x5e878:$str_b7: \update.vbs 0x5dedc:$str_b9: Downloaded file: 0x5dea8:$str_b10: Downloading file: 0x5de90:$str_b12: Failed to upload file: 0x5edc8:$str_b13: StartForward 0x5ede8:$str_b14: StopForward 0x5e820:$str_b15: fso.DeleteFile " 0x5e7b4:$str_b16: On Error Resume Next 0x5e850:$str_b17: fso.DeleteFolder " 0x5de80:$str_b18: Uploaded file: 0x5df1c:$str_b19: Unable to delete: 0x5e7e8:$str_b20: while fso.FileExists("
19.2.secinit.exe.10590000.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
19.2.secinit.exe.10590000.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x5f953:$str_a1: C:\Windows\System32\cmd.exe 0x5f8cf:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5f8cf:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5eecf:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5f527:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5eb03:$str_b2: Executing file: 0x5fa97:$str_b3: GetDirectListeningPort 0x5f2e7:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5f66b:$str_b5: licence_code.txt 0x5f50f:$str_b7: \update.vbs 0x5eb73:$str_b9: Downloaded file: 0x5eb3f:$str_b10: Downloading file: 0x5eb27:$str_b12: Failed to upload file: 0x5fa5f:$str_b13: StartForward 0x5fa7f:$str_b14: StopForward 0x5f4b7:$str_b15: fso.DeleteFile " 0x5f44b:$str_b16: On Error Resume Next 0x5f4e7:$str_b17: fso.DeleteFolder " 0x5eb17:$str_b18: Uploaded file: 0x5ebb3:$str_b19: Unable to delete: 0x5f47f:$str_b20: while fso.FileExists("
8.2.mobsync.exe.10591897.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
8.2.mobsync.exe.10591897.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x5d2bc:$str_a1: C:\Windows\System32\cmd.exe 0x5d238:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5d238:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5c838:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5ce90:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5c46c:$str_b2: Executing file: 0x5d400:$str_b3: GetDirectListeningPort 0x5cc50:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5cfd4:$str_b5: licence_code.txt 0x5ce78:$str_b7: \update.vbs 0x5c4dc:$str_b9: Downloaded file: 0x5c4a8:$str_b10: Downloading file: 0x5c490:$str_b12: Failed to upload file: 0x5d3c8:$str_b13: StartForward 0x5d3e8:$str_b14: StopForward 0x5ce20:$str_b15: fso.DeleteFile " 0x5cdb4:$str_b16: On Error Resume Next 0x5ce50:$str_b17: fso.DeleteFolder " 0x5c480:$str_b18: Uploaded file: 0x5c51c:$str_b19: Unable to delete: 0x5cde8:$str_b20: while fso.FileExists("
Click to see the 31 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000008.00000002.492585881.00000000030E7000.00000004.00000020.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": "204.44.86.179:49151:0123qwegus.duckdns.org:49151:0", "Assigned name": "septttt", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-ZXIQGD", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "20000"}

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 8.2.mobsync.exe.10590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.10590000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mobsync.exe.10590000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mobsync.exe.10591897.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.10590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.10591897.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.10591897.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.10590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.10591897.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.10591897.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.10590000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mobsync.exe.10591897.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.492585881.00000000030E7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.331608026.0000000002F98000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.356743910.0000000000500000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.356991304.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.356879289.00000000006E8000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.492970715.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.331771013.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mobsync.exe PID: 4692, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dialer.exe PID: 6544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: secinit.exe PID: 6672, type: MEMORYSTR

Source: 8.0.mobsync.exe.10590000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.2.dialer.exe.10590000.2.unpack	Avira: Label: TR/Dropper.Gen
Source: 8.0.mobsync.exe.10590000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.2.mobsync.exe.10590000.2.unpack	Avira: Label: TR/Dropper.Gen
Source: 18.0.dialer.exe.10590000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 19.0.secinit.exe.10590000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 19.0.secinit.exe.10590000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 19.0.secinit.exe.10590000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.0.dialer.exe.10590000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.mobsync.exe.10590000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.0.dialer.exe.10590000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.mobsync.exe.10590000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.0.dialer.exe.10590000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 19.2.secinit.exe.10590000.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 19.0.secinit.exe.10590000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: mobsync.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.5:49708 version: TLS 1.2

Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_004170AC FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,	8_2_004170AC
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_00406176 FindFirstFileW,FindNextFileW,	8_2_00406176
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_0040A3AF FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	8_2_0040A3AF
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_0040A5CA FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	8_2_0040A5CA
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_004456A9 FindFirstFileExA,	8_2_004456A9
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_004077EE __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	8_2_004077EE
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_004170AC FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,	18_2_004170AC
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_00406176 FindFirstFileW,FindNextFileW,	18_2_00406176
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_0040A3AF FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	18_2_0040A3AF
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_0040A5CA FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	18_2_0040A5CA
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_004456A9 FindFirstFileExA,	18_2_004456A9
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_004077EE __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	18_2_004077EE
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_00407C57 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	18_2_00407C57

Source: C:\Windows\SysWOW64\mobsync.exe

Code function: 8_2_00406930 SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW,

8_2_00406930

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2032776 ET TROJAN Remocs 3.x Unencrypted Checkin 192.168.2.5:49707 -> 204.44.86.179:49151
Source: Traffic	Snort IDS: 2032777 ET TROJAN Remocs 3.x Unencrypted Server Response 204.44.86.179:49151 -> 192.168.2.5:49707

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: 204.44.86.179

Source: Joe Sandbox View

ASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Joe Sandbox View	IP Address: 162.159.135.233 162.159.135.233
Source: Joe Sandbox View	IP Address: 162.159.135.233 162.159.135.233

Source: global traffic

TCP traffic: 192.168.2.5:49707 -> 204.44.86.179:49151

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown	TCP traffic detected without corresponding DNS query: 204.44.86.179
Source: unknown	TCP traffic detected without corresponding DNS query: 204.44.86.179
Source: unknown	TCP traffic detected without corresponding DNS query: 204.44.86.179
Source: unknown	TCP traffic detected without corresponding DNS query: 204.44.86.179
Source: unknown	TCP traffic detected without corresponding DNS query: 204.44.86.179
Source: unknown	TCP traffic detected without corresponding DNS query: 204.44.86.179
Source: unknown	TCP traffic detected without corresponding DNS query: 204.44.86.179

Source: unknown

DNS traffic detected: queries for: cdn.discordapp.com

Source: C:\Windows\SysWOW64\mobsync.exe

Code function: 8_2_0041242F Sleep,URLDownloadToFileW,

8_2_0041242F

Source: unknown	HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.5:49708 version: TLS 1.2

Source: C:\Windows\SysWOW64\mobsync.exe

Code function: 8_2_004126A5 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

8_2_004126A5

Source: C:\Windows\SysWOW64\mobsync.exe

Code function: 8_2_004089BC GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,

8_2_004089BC

Source: C:\Windows\SysWOW64\mobsync.exe

Code function: 8_2_004126A5 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

8_2_004126A5

E-Banking Fraud:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 8.2.mobsync.exe.10590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.10590000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mobsync.exe.10590000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mobsync.exe.10591897.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.10590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.10591897.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.10591897.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.10590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.10591897.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.10591897.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.10590000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mobsync.exe.10591897.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.492585881.00000000030E7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.331608026.0000000002F98000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.356743910.0000000000500000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.356991304.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.356879289.00000000006E8000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.492970715.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.331771013.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mobsync.exe PID: 4692, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dialer.exe PID: 6544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: secinit.exe PID: 6672, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 8.2.mobsync.exe.10590000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 18.2.dialer.exe.10590000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.mobsync.exe.10590000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.mobsync.exe.10591897.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.secinit.exe.10590000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.secinit.exe.500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.secinit.exe.10591897.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.secinit.exe.10591897.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.secinit.exe.500000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 18.2.dialer.exe.10590000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 18.2.dialer.exe.10591897.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 18.2.dialer.exe.10591897.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 18.2.dialer.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 18.2.dialer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.secinit.exe.10590000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.mobsync.exe.10591897.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000013.00000002.356743910.0000000000500000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000013.00000002.356991304.0000000010590000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000008.00000002.492970715.0000000010590000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000012.00000002.331771013.0000000010590000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe

Source: RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Source: 8.2.mobsync.exe.10590000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.2.dialer.exe.10590000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.mobsync.exe.10590000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.mobsync.exe.10591897.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.secinit.exe.10590000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.secinit.exe.500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.secinit.exe.10591897.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.secinit.exe.10591897.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.secinit.exe.500000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.2.dialer.exe.10590000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.2.dialer.exe.10591897.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.2.dialer.exe.10591897.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.2.dialer.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.2.dialer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.secinit.exe.10590000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.mobsync.exe.10591897.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000013.00000002.356743910.0000000000500000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000013.00000002.356991304.0000000010590000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000008.00000002.492970715.0000000010590000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000012.0<

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Remcos

Yara Overview

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary: