0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3f255e8.7.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3f255e8.7.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x11034:$name: Remcos
- 0x118a8:$name: Remcos
- 0x118fb:$name: REMCOS
- 0x10688:$time: %02i:%02i:%02i:%03i
- 0x11320:$time: %02i:%02i:%02i:%03i
- 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 ...
|
0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3f255e8.7.unpack | Remcos | detect Remcos in memory | JPCERT/CC Incident Response Group | - 0x11034:$remcos: Remcos
- 0x118a8:$remcos: Remcos
- 0x118e0:$url: Breaking-Security.Net
- 0x160ea:$resource: SETTINGS
|
0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3f255e8.7.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x114dc:$funcs1: autogetofflinelogs
- 0x114c0:$funcs2: clearlogins
- 0x114f0:$funcs3: getofflinelogs
- 0x11578:$funcs4: execcom
- 0x114cc:$funcs5: deletekeylog
- 0x11798:$funcs6: remscriptexecd
- 0x115bc:$funcs7: getwindows
- 0x10da0:$funcs8: fundlldata
- 0x10d78:$funcs9: getfunlib
- 0x107ec:$funcs10: autofflinelogs
- 0x113b8:$funcs11: getclipboard
- 0x114b4:$funcs12: getscrslist
- 0x107e0:$funcs13: offlinelogs
- 0x105c8:$funcs14: getcamsingleframe
- 0x116e4:$funcs15: listfiles
- 0x115e0:$funcs16: getproclist
- 0x10828:$funcs17: onlinelogs
- 0x11700:$funcs18: getdrives
- 0x11784:$funcs19: remscriptsuccess
- 0x10600:$funcs20: getcamframe
- 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
|
28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.1.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.1.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x11034:$name: Remcos
- 0x118a8:$name: Remcos
- 0x118fb:$name: REMCOS
- 0x10688:$time: %02i:%02i:%02i:%03i
- 0x11320:$time: %02i:%02i:%02i:%03i
- 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 ...
|
28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.1.raw.unpack | Remcos | detect Remcos in memory | JPCERT/CC Incident Response Group | - 0x11034:$remcos: Remcos
- 0x118a8:$remcos: Remcos
- 0x118e0:$url: Breaking-Security.Net
- 0x160ea:$resource: SETTINGS
|
28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.1.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x114dc:$funcs1: autogetofflinelogs
- 0x114c0:$funcs2: clearlogins
- 0x114f0:$funcs3: getofflinelogs
- 0x11578:$funcs4: execcom
- 0x114cc:$funcs5: deletekeylog
- 0x11798:$funcs6: remscriptexecd
- 0x115bc:$funcs7: getwindows
- 0x10da0:$funcs8: fundlldata
- 0x10d78:$funcs9: getfunlib
- 0x107ec:$funcs10: autofflinelogs
- 0x113b8:$funcs11: getclipboard
- 0x114b4:$funcs12: getscrslist
- 0x107e0:$funcs13: offlinelogs
- 0x105c8:$funcs14: getcamsingleframe
- 0x116e4:$funcs15: listfiles
- 0x115e0:$funcs16: getproclist
- 0x10828:$funcs17: onlinelogs
- 0x11700:$funcs18: getdrives
- 0x11784:$funcs19: remscriptsuccess
- 0x10600:$funcs20: getcamframe
- 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
|
28.2.UK COVID UPDATES AND ENTITLEMENT.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
28.2.UK COVID UPDATES AND ENTITLEMENT.exe.400000.0.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x11034:$name: Remcos
- 0x118a8:$name: Remcos
- 0x118fb:$name: REMCOS
- 0x10688:$time: %02i:%02i:%02i:%03i
- 0x11320:$time: %02i:%02i:%02i:%03i
- 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 ...
|
28.2.UK COVID UPDATES AND ENTITLEMENT.exe.400000.0.raw.unpack | Remcos | detect Remcos in memory | JPCERT/CC Incident Response Group | - 0x11034:$remcos: Remcos
- 0x118a8:$remcos: Remcos
- 0x118e0:$url: Breaking-Security.Net
- 0x160ea:$resource: SETTINGS
|
28.2.UK COVID UPDATES AND ENTITLEMENT.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x114dc:$funcs1: autogetofflinelogs
- 0x114c0:$funcs2: clearlogins
- 0x114f0:$funcs3: getofflinelogs
- 0x11578:$funcs4: execcom
- 0x114cc:$funcs5: deletekeylog
- 0x11798:$funcs6: remscriptexecd
- 0x115bc:$funcs7: getwindows
- 0x10da0:$funcs8: fundlldata
- 0x10d78:$funcs9: getfunlib
- 0x107ec:$funcs10: autofflinelogs
- 0x113b8:$funcs11: getclipboard
- 0x114b4:$funcs12: getscrslist
- 0x107e0:$funcs13: offlinelogs
- 0x105c8:$funcs14: getcamsingleframe
- 0x116e4:$funcs15: listfiles
- 0x115e0:$funcs16: getproclist
- 0x10828:$funcs17: onlinelogs
- 0x11700:$funcs18: getdrives
- 0x11784:$funcs19: remscriptsuccess
- 0x10600:$funcs20: getcamframe
- 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
|
0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3efd5c8.5.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3efd5c8.5.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x11034:$name: Remcos
- 0x118a8:$name: Remcos
- 0x118fb:$name: REMCOS
- 0x10688:$time: %02i:%02i:%02i:%03i
- 0x11320:$time: %02i:%02i:%02i:%03i
- 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 ...
|
0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3efd5c8.5.raw.unpack | Remcos | detect Remcos in memory | JPCERT/CC Incident Response Group | - 0x11034:$remcos: Remcos
- 0x118a8:$remcos: Remcos
- 0x118e0:$url: Breaking-Security.Net
- 0x160ea:$resource: SETTINGS
|
0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3efd5c8.5.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x114dc:$funcs1: autogetofflinelogs
- 0x114c0:$funcs2: clearlogins
- 0x114f0:$funcs3: getofflinelogs
- 0x11578:$funcs4: execcom
- 0x114cc:$funcs5: deletekeylog
- 0x11798:$funcs6: remscriptexecd
- 0x115bc:$funcs7: getwindows
- 0x10da0:$funcs8: fundlldata
- 0x10d78:$funcs9: getfunlib
- 0x107ec:$funcs10: autofflinelogs
- 0x113b8:$funcs11: getclipboard
- 0x114b4:$funcs12: getscrslist
- 0x107e0:$funcs13: offlinelogs
- 0x105c8:$funcs14: getcamsingleframe
- 0x116e4:$funcs15: listfiles
- 0x115e0:$funcs16: getproclist
- 0x10828:$funcs17: onlinelogs
- 0x11700:$funcs18: getdrives
- 0x11784:$funcs19: remscriptsuccess
- 0x10600:$funcs20: getcamframe
- 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
|
28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.6.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.6.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x11034:$name: Remcos
- 0x118a8:$name: Remcos
- 0x118fb:$name: REMCOS
- 0x10688:$time: %02i:%02i:%02i:%03i
- 0x11320:$time: %02i:%02i:%02i:%03i
- 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 ...
|
28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.6.raw.unpack | Remcos | detect Remcos in memory | JPCERT/CC Incident Response Group | - 0x11034:$remcos: Remcos
- 0x118a8:$remcos: Remcos
- 0x118e0:$url: Breaking-Security.Net
- 0x160ea:$resource: SETTINGS
|
28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.6.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x114dc:$funcs1: autogetofflinelogs
- 0x114c0:$funcs2: clearlogins
- 0x114f0:$funcs3: getofflinelogs
- 0x11578:$funcs4: execcom
- 0x114cc:$funcs5: deletekeylog
- 0x11798:$funcs6: remscriptexecd
- 0x115bc:$funcs7: getwindows
- 0x10da0:$funcs8: fundlldata
- 0x10d78:$funcs9: getfunlib
- 0x107ec:$funcs10: autofflinelogs
- 0x113b8:$funcs11: getclipboard
- 0x114b4:$funcs12: getscrslist
- 0x107e0:$funcs13: offlinelogs
- 0x105c8:$funcs14: getcamsingleframe
- 0x116e4:$funcs15: listfiles
- 0x115e0:$funcs16: getproclist
- 0x10828:$funcs17: onlinelogs
- 0x11700:$funcs18: getdrives
- 0x11784:$funcs19: remscriptsuccess
- 0x10600:$funcs20: getcamframe
- 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
|
0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3ed9988.6.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3ed9988.6.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x34c74:$name: Remcos
- 0x354e8:$name: Remcos
- 0x3553b:$name: REMCOS
- 0x342c8:$time: %02i:%02i:%02i:%03i
- 0x34f60:$time: %02i:%02i:%02i:%03i
- 0x2663c:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 ...
|
0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3ed9988.6.raw.unpack | Remcos | detect Remcos in memory | JPCERT/CC Incident Response Group | - 0x34c74:$remcos: Remcos
- 0x354e8:$remcos: Remcos
- 0x35520:$url: Breaking-Security.Net
- 0x39d2a:$resource: SETTINGS
|
0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3ed9988.6.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x3511c:$funcs1: autogetofflinelogs
- 0x35100:$funcs2: clearlogins
- 0x35130:$funcs3: getofflinelogs
- 0x351b8:$funcs4: execcom
- 0x3510c:$funcs5: deletekeylog
- 0x353d8:$funcs6: remscriptexecd
- 0x351fc:$funcs7: getwindows
- 0x349e0:$funcs8: fundlldata
- 0x349b8:$funcs9: getfunlib
- 0x3442c:$funcs10: autofflinelogs
- 0x34ff8:$funcs11: getclipboard
- 0x350f4:$funcs12: getscrslist
- 0x34420:$funcs13: offlinelogs
- 0x34208:$funcs14: getcamsingleframe
- 0x35324:$funcs15: listfiles
- 0x35220:$funcs16: getproclist
- 0x34468:$funcs17: onlinelogs
- 0x35340:$funcs18: getdrives
- 0x353c4:$funcs19: remscriptsuccess
- 0x34240:$funcs20: getcamframe
- 0x34d9c:$str_a1: C:\Windows\System32\cmd.exe
|
0.2.UK COVID UPDATES AND ENTITLEMENT.exe.2f737f0.1.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
0.2.UK COVID UPDATES AND ENTITLEMENT.exe.2f737f0.1.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x11034:$name: Remcos
- 0x118a8:$name: Remcos
- 0x118fb:$name: REMCOS
- 0x10688:$time: %02i:%02i:%02i:%03i
- 0x11320:$time: %02i:%02i:%02i:%03i
- 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 ...
|
0.2.UK COVID UPDATES AND ENTITLEMENT.exe.2f737f0.1.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x114dc:$funcs1: autogetofflinelogs
- 0x114c0:$funcs2: clearlogins
- 0x114f0:$funcs3: getofflinelogs
- 0x11578:$funcs4: execcom
- 0x114cc:$funcs5: deletekeylog
- 0x11798:$funcs6: remscriptexecd
- 0x115bc:$funcs7: getwindows
- 0x10da0:$funcs8: fundlldata
- 0x10d78:$funcs9: getfunlib
- 0x107ec:$funcs10: autofflinelogs
- 0x113b8:$funcs11: getclipboard
- 0x114b4:$funcs12: getscrslist
- 0x107e0:$funcs13: offlinelogs
- 0x105c8:$funcs14: getcamsingleframe
- 0x116e4:$funcs15: listfiles
- 0x115e0:$funcs16: getproclist
- 0x10828:$funcs17: onlinelogs
- 0x11700:$funcs18: getdrives
- 0x11784:$funcs19: remscriptsuccess
- 0x10600:$funcs20: getcamframe
- 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
|
0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3f255e8.7.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3f255e8.7.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x11034:$name: Remcos
- 0x118a8:$name: Remcos
- 0x118fb:$name: REMCOS
- 0x10688:$time: %02i:%02i:%02i:%03i
- 0x11320:$time: %02i:%02i:%02i:%03i
- 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 ...
|
0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3f255e8.7.raw.unpack | Remcos | detect Remcos in memory | JPCERT/CC Incident Response Group | - 0x11034:$remcos: Remcos
- 0x118a8:$remcos: Remcos
- 0x118e0:$url: Breaking-Security.Net
- 0x160ea:$resource: SETTINGS
|
0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3f255e8.7.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x114dc:$funcs1: autogetofflinelogs
- 0x114c0:$funcs2: clearlogins
- 0x114f0:$funcs3: getofflinelogs
- 0x11578:$funcs4: execcom
- 0x114cc:$funcs5: deletekeylog
- 0x11798:$funcs6: remscriptexecd
- 0x115bc:$funcs7: getwindows
- 0x10da0:$funcs8: fundlldata
- 0x10d78:$funcs9: getfunlib
- 0x107ec:$funcs10: autofflinelogs
- 0x113b8:$funcs11: getclipboard
- 0x114b4:$funcs12: getscrslist
- 0x107e0:$funcs13: offlinelogs
- 0x105c8:$funcs14: getcamsingleframe
- 0x116e4:$funcs15: listfiles
- 0x115e0:$funcs16: getproclist
- 0x10828:$funcs17: onlinelogs
- 0x11700:$funcs18: getdrives
- 0x11784:$funcs19: remscriptsuccess
- 0x10600:$funcs20: getcamframe
- 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
|
28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.6.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.6.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x11034:$name: Remcos
- 0x118a8:$name: Remcos
- 0x118fb:$name: REMCOS
- 0x10688:$time: %02i:%02i:%02i:%03i
- 0x11320:$time: %02i:%02i:%02i:%03i
- 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 ...
|
28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.6.unpack | Remcos | detect Remcos in memory | JPCERT/CC Incident Response Group | - 0x11034:$remcos: Remcos
- 0x118a8:$remcos: Remcos
- 0x118e0:$url: Breaking-Security.Net
- 0x160ea:$resource: SETTINGS
|
28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.6.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x114dc:$funcs1: autogetofflinelogs
- 0x114c0:$funcs2: clearlogins
- 0x114f0:$funcs3: getofflinelogs
- 0x11578:$funcs4: execcom
- 0x114cc:$funcs5: deletekeylog
- 0x11798:$funcs6: remscriptexecd
- 0x115bc:$funcs7: getwindows
- 0x10da0:$funcs8: fundlldata
- 0x10d78:$funcs9: getfunlib
- 0x107ec:$funcs10: autofflinelogs
- 0x113b8:$funcs11: getclipboard
- 0x114b4:$funcs12: getscrslist
- 0x107e0:$funcs13: offlinelogs
- 0x105c8:$funcs14: getcamsingleframe
- 0x116e4:$funcs15: listfiles
- 0x115e0:$funcs16: getproclist
- 0x10828:$funcs17: onlinelogs
- 0x11700:$funcs18: getdrives
- 0x11784:$funcs19: remscriptsuccess
- 0x10600:$funcs20: getcamframe
- 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
|
28.2.UK COVID UPDATES AND ENTITLEMENT.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
28.2.UK COVID UPDATES AND ENTITLEMENT.exe.400000.0.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x11034:$name: Remcos
- 0x118a8:$name: Remcos
- 0x118fb:$name: REMCOS
- 0x10688:$time: %02i:%02i:%02i:%03i
- 0x11320:$time: %02i:%02i:%02i:%03i
- 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 ...
|
28.2.UK COVID UPDATES AND ENTITLEMENT.exe.400000.0.unpack | Remcos | detect Remcos in memory | JPCERT/CC Incident Response Group | - 0x11034:$remcos: Remcos
- 0x118a8:$remcos: Remcos
- 0x118e0:$url: Breaking-Security.Net
- 0x160ea:$resource: SETTINGS
|
28.2.UK COVID UPDATES AND ENTITLEMENT.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x114dc:$funcs1: autogetofflinelogs
- 0x114c0:$funcs2: clearlogins
- 0x114f0:$funcs3: getofflinelogs
- 0x11578:$funcs4: execcom
- 0x114cc:$funcs5: deletekeylog
- 0x11798:$funcs6: remscriptexecd
- 0x115bc:$funcs7: getwindows
- 0x10da0:$funcs8: fundlldata
- 0x10d78:$funcs9: getfunlib
- 0x107ec:$funcs10: autofflinelogs
- 0x113b8:$funcs11: getclipboard
- 0x114b4:$funcs12: getscrslist
- 0x107e0:$funcs13: offlinelogs
- 0x105c8:$funcs14: getcamsingleframe
- 0x116e4:$funcs15: listfiles
- 0x115e0:$funcs16: getproclist
- 0x10828:$funcs17: onlinelogs
- 0x11700:$funcs18: getdrives
- 0x11784:$funcs19: remscriptsuccess
- 0x10600:$funcs20: getcamframe
- 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
|
0.2.UK COVID UPDATES AND ENTITLEMENT.exe.2f737f0.1.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
0.2.UK COVID UPDATES AND ENTITLEMENT.exe.2f737f0.1.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x11034:$name: Remcos
- 0x118a8:$name: Remcos
- 0x118fb:$name: REMCOS
- 0x10688:$time: %02i:%02i:%02i:%03i
- 0x11320:$time: %02i:%02i:%02i:%03i
- 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 ...
|
0.2.UK COVID UPDATES AND ENTITLEMENT.exe.2f737f0.1.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x114dc:$funcs1: autogetofflinelogs
- 0x114c0:$funcs2: clearlogins
- 0x114f0:$funcs3: getofflinelogs
- 0x11578:$funcs4: execcom
- 0x114cc:$funcs5: deletekeylog
- 0x11798:$funcs6: remscriptexecd
- 0x115bc:$funcs7: getwindows
- 0x10da0:$funcs8: fundlldata
- 0x10d78:$funcs9: getfunlib
- 0x107ec:$funcs10: autofflinelogs
- 0x113b8:$funcs11: getclipboard
- 0x114b4:$funcs12: getscrslist
- 0x107e0:$funcs13: offlinelogs
- 0x105c8:$funcs14: getcamsingleframe
- 0x116e4:$funcs15: listfiles
- 0x115e0:$funcs16: getproclist
- 0x10828:$funcs17: onlinelogs
- 0x11700:$funcs18: getdrives
- 0x11784:$funcs19: remscriptsuccess
- 0x10600:$funcs20: getcamframe
- 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
|
0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3efd5c8.5.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3efd5c8.5.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x11034:$name: Remcos
- 0x118a8:$name: Remcos
- 0x118fb:$name: REMCOS
- 0x10688:$time: %02i:%02i:%02i:%03i
- 0x11320:$time: %02i:%02i:%02i:%03i
- 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 ...
|
0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3efd5c8.5.unpack | Remcos | detect Remcos in memory | JPCERT/CC Incident Response Group | - 0x11034:$remcos: Remcos
- 0x118a8:$remcos: Remcos
- 0x118e0:$url: Breaking-Security.Net
- 0x160ea:$resource: SETTINGS
|
0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3efd5c8.5.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x114dc:$funcs1: autogetofflinelogs
- 0x114c0:$funcs2: clearlogins
- 0x114f0:$funcs3: getofflinelogs
- 0x11578:$funcs4: execcom
- 0x114cc:$funcs5: deletekeylog
- 0x11798:$funcs6: remscriptexecd
- 0x115bc:$funcs7: getwindows
- 0x10da0:$funcs8: fundlldata
- 0x10d78:$funcs9: getfunlib
- 0x107ec:$funcs10: autofflinelogs
- 0x113b8:$funcs11: getclipboard
- 0x114b4:$funcs12: getscrslist
- 0x107e0:$funcs13: offlinelogs
- 0x105c8:$funcs14: getcamsingleframe
- 0x116e4:$funcs15: listfiles
- 0x115e0:$funcs16: getproclist
- 0x10828:$funcs17: onlinelogs
- 0x11700:$funcs18: getdrives
- 0x11784:$funcs19: remscriptsuccess
- 0x10600:$funcs20: getcamframe
- 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
|
28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.1.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.1.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x11034:$name: Remcos
- 0x118a8:$name: Remcos
- 0x118fb:$name: REMCOS
- 0x10688:$time: %02i:%02i:%02i:%03i
- 0x11320:$time: %02i:%02i:%02i:%03i
- 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 ...
|
28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.1.unpack | Remcos | detect Remcos in memory | JPCERT/CC Incident Response Group | - 0x11034:$remcos: Remcos
- 0x118a8:$remcos: Remcos
- 0x118e0:$url: Breaking-Security.Net
- 0x160ea:$resource: SETTINGS
|
28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.1.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x114dc:$funcs1: autogetofflinelogs
- 0x114c0:$funcs2: clearlogins
- 0x114f0:$funcs3: getofflinelogs
- 0x11578:$funcs4: execcom
- 0x114cc:$funcs5: deletekeylog
- 0x11798:$funcs6: remscriptexecd
- 0x115bc:$funcs7: getwindows
- 0x10da0:$funcs8: fundlldata
- 0x10d78:$funcs9: getfunlib
- 0x107ec:$funcs10: autofflinelogs
- 0x113b8:$funcs11: getclipboard
- 0x114b4:$funcs12: getscrslist
- 0x107e0:$funcs13: offlinelogs
- 0x105c8:$funcs14: getcamsingleframe
- 0x116e4:$funcs15: listfiles
- 0x115e0:$funcs16: getproclist
- 0x10828:$funcs17: onlinelogs
- 0x11700:$funcs18: getdrives
- 0x11784:$funcs19: remscriptsuccess
- 0x10600:$funcs20: getcamframe
- 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
|
28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2ef094d.6.raw.unpack | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security | |
28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2ef094d.6.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security | |
28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.4.unpack | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security | |
28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.3.unpack | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security | |
28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.3.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security | |
28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.9.unpack | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security | |
28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.9.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security | |
28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.4.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security | |
33.0.dwnl.exe.842704.1.raw.unpack | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security | |
33.0.dwnl.exe.842704.1.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security | |
33.2.dwnl.exe.842704.1.raw.unpack | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security | |
33.2.dwnl.exe.842704.1.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security | |
28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2fcf496.0.raw.unpack | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security | |
28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2fcf496.0.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security | |
33.2.dwnl.exe.820000.0.unpack | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security | |
33.2.dwnl.exe.820000.0.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security | |
28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.5.unpack | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security | |
28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.5.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security | |
33.0.dwnl.exe.820000.0.unpack | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security | |
33.0.dwnl.exe.820000.0.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security | |
28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2faeb92.2.unpack | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security | |
28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2faeb92.2.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security | |
28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.3.raw.unpack | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security | |
28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.3.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security | |
28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2ef094d.10.raw.unpack | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security | |
28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2ef094d.10.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security | |
28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2f5ff06.8.raw.unpack | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security | |
28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2f5ff06.8.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security | |
28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.9.raw.unpack | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security | |
28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.9.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security | |
28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2f5ff06.5.raw.unpack | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security | |
28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2f5ff06.5.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security | |
28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2f5ff06.4.raw.unpack | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security | |
28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2f5ff06.4.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security | |
28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.4.raw.unpack | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security | |
28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.4.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security | |
28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2ef094d.3.raw.unpack | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security | |
28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2ef094d.3.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security | |
28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2f5ff06.1.raw.unpack | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security | |
28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2f5ff06.1.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security | |