4.3.gajb.pif.4efdf30.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4efdf30.0.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4efdf30.0.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
7.3.gajb.pif.3e2df30.16.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
7.3.gajb.pif.3e2df30.16.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
7.3.gajb.pif.3e2df30.16.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
4.3.gajb.pif.4efdf30.10.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4efdf30.10.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4efdf30.10.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
4.3.gajb.pif.4eddf28.16.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4eddf28.16.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4eddf28.16.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
7.3.gajb.pif.30e7c20.11.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
7.3.gajb.pif.30e7c20.11.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
7.3.gajb.pif.30e7c20.11.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
4.3.gajb.pif.4efdf30.12.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4efdf30.12.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4efdf30.12.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
4.3.gajb.pif.4efdf30.15.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4efdf30.15.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4efdf30.15.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
4.3.gajb.pif.4efdf30.5.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4efdf30.5.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4efdf30.5.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
7.3.gajb.pif.3e2df30.15.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
7.3.gajb.pif.3e2df30.15.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
7.3.gajb.pif.3e2df30.15.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
6.2.RegSvcs.exe.b00000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
6.2.RegSvcs.exe.b00000.0.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
6.2.RegSvcs.exe.b00000.0.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
4.3.gajb.pif.4eddf28.11.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4eddf28.11.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4eddf28.11.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
7.3.gajb.pif.3e2df30.3.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
7.3.gajb.pif.3e2df30.3.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
7.3.gajb.pif.3e2df30.3.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
4.3.gajb.pif.4eddf28.13.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4eddf28.13.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x36518:$name: Remcos
- 0x36890:$name: Remcos
- 0x36de8:$name: Remcos
- 0x36e3b:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3567c:$time: %02i:%02i:%02i:%03i
- 0x35704:$time: %02i:%02i:%02i:%03i
- 0x36bec:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
- 0x2307c:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4eddf28.13.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x36700:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x35e04:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x36408:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x359e8:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x367a0:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x36248:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x3653c:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x364a4:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
|
4.3.gajb.pif.4eddf28.14.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4eddf28.14.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4eddf28.14.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
4.3.gajb.pif.4f1e740.9.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4f1e740.9.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4f1e740.9.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
4.3.gajb.pif.4eddf28.8.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4eddf28.8.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x36518:$name: Remcos
- 0x36890:$name: Remcos
- 0x36de8:$name: Remcos
- 0x36e3b:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3567c:$time: %02i:%02i:%02i:%03i
- 0x35704:$time: %02i:%02i:%02i:%03i
- 0x36bec:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
- 0x2307c:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4eddf28.8.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x36700:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x35e04:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x36408:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x359e8:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x367a0:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x36248:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x3653c:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x364a4:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
|
10.2.RegSvcs.exe.720000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
10.2.RegSvcs.exe.720000.0.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
10.2.RegSvcs.exe.720000.0.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
4.3.gajb.pif.4efdf30.10.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4efdf30.10.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x36d20:$name: Remcos
- 0x37098:$name: Remcos
- 0x375f0:$name: Remcos
- 0x37643:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x35e84:$time: %02i:%02i:%02i:%03i
- 0x35f0c:$time: %02i:%02i:%02i:%03i
- 0x373f4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
- 0x23884:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4efdf30.10.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x36f08:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x36f24:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x36f24:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x3660c:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x36c10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x361f0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x36fa8:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x36a50:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x36d44:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x36cac:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
|
4.3.gajb.pif.4efdf30.3.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4efdf30.3.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4efdf30.3.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
7.3.gajb.pif.3e2df30.7.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
7.3.gajb.pif.3e2df30.7.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
7.3.gajb.pif.3e2df30.7.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
4.3.gajb.pif.4efdf30.17.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4efdf30.17.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
- 0x2388c:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4efdf30.17.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
7.3.gajb.pif.3e0df28.14.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
7.3.gajb.pif.3e0df28.14.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x36518:$name: Remcos
- 0x36890:$name: Remcos
- 0x36de8:$name: Remcos
- 0x36e3b:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3567c:$time: %02i:%02i:%02i:%03i
- 0x35704:$time: %02i:%02i:%02i:%03i
- 0x36bec:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
- 0x2307c:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
7.3.gajb.pif.3e0df28.14.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x36700:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x35e04:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x36408:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x359e8:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x367a0:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x36248:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x3653c:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x364a4:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
|
7.3.gajb.pif.3e2df30.13.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
7.3.gajb.pif.3e2df30.13.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
7.3.gajb.pif.3e2df30.13.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
4.3.gajb.pif.4eddf28.13.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4eddf28.13.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4eddf28.13.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
7.3.gajb.pif.3de0050.8.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
7.3.gajb.pif.3de0050.8.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x26910:$name: Remcos
- 0x26c88:$name: Remcos
- 0x271e0:$name: Remcos
- 0x27233:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x25a74:$time: %02i:%02i:%02i:%03i
- 0x25afc:$time: %02i:%02i:%02i:%03i
- 0x26fe4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
7.3.gajb.pif.3de0050.8.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x26af8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x26b14:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x26b14:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x261fc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x26800:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x25de0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x26b98:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x26640:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x26934:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x2689c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
|
4.3.gajb.pif.4eddf28.2.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4eddf28.2.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4eddf28.2.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
4.3.gajb.pif.4efdf30.7.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4efdf30.7.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4efdf30.7.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
7.3.gajb.pif.3e6e748.5.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
7.3.gajb.pif.3e6e748.5.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
7.3.gajb.pif.3e6e748.5.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
4.3.gajb.pif.4efdf30.12.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4efdf30.12.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4efdf30.12.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
7.3.gajb.pif.3e0df28.10.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
7.3.gajb.pif.3e0df28.10.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x36518:$name: Remcos
- 0x36890:$name: Remcos
- 0x36de8:$name: Remcos
- 0x36e3b:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3567c:$time: %02i:%02i:%02i:%03i
- 0x35704:$time: %02i:%02i:%02i:%03i
- 0x36bec:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
- 0x2307c:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
7.3.gajb.pif.3e0df28.10.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x36700:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x35e04:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x36408:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x359e8:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x367a0:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x36248:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x3653c:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x364a4:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
|
10.2.RegSvcs.exe.720000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
10.2.RegSvcs.exe.720000.0.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
10.2.RegSvcs.exe.720000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
7.3.gajb.pif.3e2df30.1.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
7.3.gajb.pif.3e2df30.1.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
7.3.gajb.pif.3e2df30.1.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
4.3.gajb.pif.4eddf28.2.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4eddf28.2.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x36518:$name: Remcos
- 0x36890:$name: Remcos
- 0x36de8:$name: Remcos
- 0x36e3b:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3567c:$time: %02i:%02i:%02i:%03i
- 0x35704:$time: %02i:%02i:%02i:%03i
- 0x36bec:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
- 0x2307c:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4eddf28.2.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x36700:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x35e04:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x36408:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x359e8:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x367a0:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x36248:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x3653c:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x364a4:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
|
4.3.gajb.pif.4efdf30.1.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4efdf30.1.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4efdf30.1.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
4.3.gajb.pif.4eddf28.14.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4eddf28.14.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x36518:$name: Remcos
- 0x36890:$name: Remcos
- 0x36de8:$name: Remcos
- 0x36e3b:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3567c:$time: %02i:%02i:%02i:%03i
- 0x35704:$time: %02i:%02i:%02i:%03i
- 0x36bec:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
- 0x2307c:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4eddf28.14.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x36700:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x35e04:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x36408:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x359e8:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x367a0:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x36248:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x3653c:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x364a4:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
|
7.3.gajb.pif.3e0df28.12.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
7.3.gajb.pif.3e0df28.12.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x36518:$name: Remcos
- 0x36890:$name: Remcos
- 0x36de8:$name: Remcos
- 0x36e3b:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3567c:$time: %02i:%02i:%02i:%03i
- 0x35704:$time: %02i:%02i:%02i:%03i
- 0x36bec:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
- 0x2307c:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
7.3.gajb.pif.3e0df28.12.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x36700:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x35e04:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x36408:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x359e8:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x367a0:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x36248:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x3653c:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x364a4:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
|
7.3.gajb.pif.3e0df28.2.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
7.3.gajb.pif.3e0df28.2.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x36518:$name: Remcos
- 0x36890:$name: Remcos
- 0x36de8:$name: Remcos
- 0x36e3b:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3567c:$time: %02i:%02i:%02i:%03i
- 0x35704:$time: %02i:%02i:%02i:%03i
- 0x36bec:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
- 0x2307c:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
7.3.gajb.pif.3e0df28.2.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x36700:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x35e04:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x36408:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x359e8:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x367a0:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x36248:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x3653c:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x364a4:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
|
7.3.gajb.pif.3e2df30.17.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
7.3.gajb.pif.3e2df30.17.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
7.3.gajb.pif.3e2df30.17.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
4.3.gajb.pif.4eddf28.4.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4eddf28.4.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4eddf28.4.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
4.3.gajb.pif.4eddf28.4.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4eddf28.4.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x36518:$name: Remcos
- 0x36890:$name: Remcos
- 0x36de8:$name: Remcos
- 0x36e3b:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3567c:$time: %02i:%02i:%02i:%03i
- 0x35704:$time: %02i:%02i:%02i:%03i
- 0x36bec:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
- 0x2307c:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4eddf28.4.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x36700:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x35e04:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x36408:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x359e8:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x367a0:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x36248:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x3653c:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x364a4:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
|
4.3.gajb.pif.4efdf30.15.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4efdf30.15.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4efdf30.15.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
6.2.RegSvcs.exe.b00000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
6.2.RegSvcs.exe.b00000.0.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
6.2.RegSvcs.exe.b00000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
4.3.gajb.pif.4eddf28.6.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4eddf28.6.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x36518:$name: Remcos
- 0x36890:$name: Remcos
- 0x36de8:$name: Remcos
- 0x36e3b:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3567c:$time: %02i:%02i:%02i:%03i
- 0x35704:$time: %02i:%02i:%02i:%03i
- 0x36bec:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
- 0x2307c:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4eddf28.6.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x36700:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x35e04:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x36408:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x359e8:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x367a0:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x36248:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x3653c:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x364a4:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
|
7.3.gajb.pif.3e2df30.9.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
7.3.gajb.pif.3e2df30.9.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
7.3.gajb.pif.3e2df30.9.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
7.3.gajb.pif.3e2df30.4.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
7.3.gajb.pif.3e2df30.4.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
7.3.gajb.pif.3e2df30.4.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
4.3.gajb.pif.4efdf30.7.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4efdf30.7.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4efdf30.7.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
4.3.gajb.pif.4eddf28.16.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4eddf28.16.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x36518:$name: Remcos
- 0x36890:$name: Remcos
- 0x36de8:$name: Remcos
- 0x36e3b:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3567c:$time: %02i:%02i:%02i:%03i
- 0x35704:$time: %02i:%02i:%02i:%03i
- 0x36bec:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
- 0x2307c:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
- 0x43894:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4eddf28.16.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x36700:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x35e04:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x36408:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x359e8:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x367a0:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x36248:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x3653c:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x364a4:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
|
7.3.gajb.pif.3e2df30.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
7.3.gajb.pif.3e2df30.0.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
7.3.gajb.pif.3e2df30.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
4.3.gajb.pif.4eddf28.11.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4eddf28.11.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x36518:$name: Remcos
- 0x36890:$name: Remcos
- 0x36de8:$name: Remcos
- 0x36e3b:$name: Remcos
- 0x56d28:$name: Remcos
- 0x570a0:$name: Remcos
- 0x575f8:$name: Remcos
- 0x5764b:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3567c:$time: %02i:%02i:%02i:%03i
- 0x35704:$time: %02i:%02i:%02i:%03i
- 0x36bec:$time: %02i:%02i:%02i:%03i
- 0x55e8c:$time: %02i:%02i:%02i:%03i
- 0x55f14:$time: %02i:%02i:%02i:%03i
- 0x573fc:$time: %02i:%02i:%02i:%03i
|
4.3.gajb.pif.4eddf28.11.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x36700:$str_a1: C:\Windows\System32\cmd.exe
- 0x56f10:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x56f2c:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x56f2c:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x35e04:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x56614:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x36408:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x56c18:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x359e8:$str_b2: Executing file:
- 0x561f8:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x367a0:$str_b3: GetDirectListeningPort
- 0x56fb0:$str_b3: GetDirectListeningPort
|
4.3.gajb.pif.4efdf30.3.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4efdf30.3.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4efdf30.3.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
4.3.gajb.pif.4efdf30.5.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4efdf30.5.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4efdf30.5.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
4.3.gajb.pif.41a67d0.18.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.41a67d0.18.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.41a67d0.18.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
4.3.gajb.pif.4efdf30.17.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4efdf30.17.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4efdf30.17.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
4.3.gajb.pif.4efdf30.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4efdf30.0.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4efdf30.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
4.3.gajb.pif.4eddf28.8.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4eddf28.8.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4eddf28.8.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
4.3.gajb.pif.4efdf30.1.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4efdf30.1.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4efdf30.1.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
7.3.gajb.pif.3e0df28.6.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
7.3.gajb.pif.3e0df28.6.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x36518:$name: Remcos
- 0x36890:$name: Remcos
- 0x36de8:$name: Remcos
- 0x36e3b:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3567c:$time: %02i:%02i:%02i:%03i
- 0x35704:$time: %02i:%02i:%02i:%03i
- 0x36bec:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
- 0x2307c:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
7.3.gajb.pif.3e0df28.6.raw.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x36700:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x3671c:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x35e04:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x36408:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x359e8:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x367a0:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x36248:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x3653c:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x364a4:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
|
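The row for 7.3.gajb.pif.3e0df28.6.raw.unpack differs from the others: every string is reported twice, and the second hit is always 0x20008 bytes after the first (0x16510 and 0x36518 for $name, 0x3074 and 0x2307c for $crypto, 0x166f8 and 0x36700 for $str_a1). A constant stride shared by every string means that dump holds two copies of the same image, whereas the other rows hold one. The script below is an added example, not part of the Joe Sandbox report or of the YARA rules it cites: it parses match lines in the report's `- 0xOFFSET:$id: value` form and recovers that stride, or reports a single copy when no stride explains all recurring strings. Its sample inputs are copied from the rows above; the 7.3 listing ends at $str_b8, so that string is returned as unpaired together with the offset at which its second copy would be expected.

```python
"""Added example (not part of the Joe Sandbox report or of the YARA rules it
cites): parse the per-dump YARA match lines and check whether a dump contains
more than one copy of the payload, i.e. every string recurs at one stride."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str]  # (string identifier without '$', matched value)

# Constructed input: a subset of the match lines the report lists for
# 7.3.gajb.pif.3e0df28.6.raw.unpack (every string appears twice, and the
# listing stops after $str_b8). Raw string because values contain backslashes.
MATCHES_7_3 = r"""
- 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x36518:$name: Remcos
- 0x36890:$name: Remcos
- 0x36de8:$name: Remcos
- 0x36e3b:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3567c:$time: %02i:%02i:%02i:%03i
- 0x35704:$time: %02i:%02i:%02i:%03i
- 0x36bec:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 ...
- 0x2307c:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 ...
- 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x36700:$str_a1: C:\Windows\System32\cmd.exe
- 0x16798:$str_b3: GetDirectListeningPort
- 0x367a0:$str_b3: GetDirectListeningPort
- 0x163c0:$str_b8: \uninstall.vbs
"""

# Constructed input: the Remcos_1 matches of 4.3.gajb.pif.4efdf30.5.raw.unpack
# (a single copy of the payload).
MATCHES_4_3 = r"""
- 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 ...
"""

# "- 0x16510:$name: Remcos" -> offset, identifier, value (value may contain ':')
LINE_RE = re.compile(r"^-?\s*0x([0-9a-fA-F]+):\$(\w+):\s?(.*)$")


def parse_matches(text: str) -> Dict[Key, List[int]]:
    """Map each (identifier, value) to the sorted offsets it matched at."""
    offsets: Dict[Key, List[int]] = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            offsets[(m.group(2), m.group(3))].append(int(m.group(1), 16))
    return {k: sorted(v) for k, v in offsets.items()}


def runs_at_stride(offsets: List[int], d: int) -> List[List[int]]:
    """Split offsets into runs o, o+d, o+2d, ...: one run per image-relative
    hit, one element per copy. A run of length 1 means no copy at stride d."""
    present = set(offsets)
    runs = []
    for o in offsets:
        if o - d in present:        # continuation of a run started earlier
            continue
        run = [o]
        while run[-1] + d in present:
            run.append(run[-1] + d)
        runs.append(run)
    return runs


def infer_copies(matches: Dict[Key, List[int]]
                 ) -> Tuple[int, Optional[int], List[Tuple[Key, int]]]:
    """Return (copies, stride, unpaired). Every recurring string must split
    into runs of one common length (>1) at one stride, otherwise the dump is
    treated as a single copy. Strings seen only once cannot confirm the stride;
    they are returned with the offset where their missing copy would sit."""
    recurring = {k: v for k, v in matches.items() if len(v) > 1}
    candidates = sorted({b - a for v in recurring.values()
                         for i, a in enumerate(v) for b in v[i + 1:]})
    for d in candidates:
        lengths = set()
        for offs in recurring.values():
            lengths |= {len(r) for r in runs_at_stride(offs, d)}
        if len(lengths) == 1 and 1 not in lengths:
            unpaired = [(k, v[0] + d) for k, v in matches.items() if len(v) == 1]
            return lengths.pop(), d, unpaired
    return 1, None, []


if __name__ == "__main__":
    for name, text in (("3e0df28.6.raw", MATCHES_7_3), ("4efdf30.5.raw", MATCHES_4_3)):
        copies, stride, unpaired = infer_copies(parse_matches(text))
        print(name, "copies:", copies, "stride:", hex(stride) if stride else None)
        for (ident, value), expected in unpaired:
            print(f"  ${ident} ({value!r}) seen once; copy expected at {expected:#x}")
```

Offsets in the report are relative to the start of each dump, so the stride says nothing about where the image was mapped; it only tells you how many times the same payload occurs in the region that was dumped, which matters when counting injected instances or deduplicating dumps before extracting the configuration.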
4.3.gajb.pif.4eddf28.6.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.3.gajb.pif.4eddf28.6.unpack | Remcos_1 | Remcos Payload | kevoreilly | - 0x16510:$name: Remcos
- 0x16888:$name: Remcos
- 0x16de0:$name: Remcos
- 0x16e33:$name: Remcos
- 0x15674:$time: %02i:%02i:%02i:%03i
- 0x156fc:$time: %02i:%02i:%02i:%03i
- 0x16be4:$time: %02i:%02i:%02i:%03i
- 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
|
4.3.gajb.pif.4eddf28.6.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
- 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x159e0:$str_b2: Executing file:
- 0x16798:$str_b3: GetDirectListeningPort
- 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x16534:$str_b5: licence_code.txt
- 0x1649c:$str_b6: \restart.vbs
- 0x163c0:$str_b8: \uninstall.vbs
- 0x1596c:$str_b9: Downloaded file:
- 0x15998:$str_b10: Downloading file:
- 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
- 0x159fc:$str_b12: Failed to upload file:
- 0x167d8:$str_b13: StartForward
- 0x167bc:$str_b14: StopForward
- 0x16330:$str_b15: fso.DeleteFile "
- 0x16394:$str_b16: On Error Resume Next
- 0x162fc:$str_b17: fso.DeleteFolder "
- 0x15a14:$str_b18: Uploaded file:
|
169 entries in total (only part of the table is shown above).