remcos | 4c9b84877211d5ba1ae0bd681b01bfec_JaffaCakes118

Sharing

Copy URL

Twitter E-mail

General

Target

4c9b84877211d5ba1ae0bd681b01bfec_JaffaCakes118
Size

76KB
MD5

4c9b84877211d5ba1ae0bd681b01bfec
SHA1

e1ba87e79741a9e0fd05440db3609deef355f5f0
SHA256

64483724fdd0ba596f1dcebdf178bb9c856c9b4f6990d8ca47706cc233c41bb0
SHA512

ffbfeaa387cc8440045249b14b33fea3b7fc43d74c3b9f8fc2d9b37cc158dd668fea0dc46d4bd7fd42bd8850cbcd7f169e45151764d67b95a5ffefa0012dde87
SSDEEP

1536:+M0THlVkReWHpsClKVrHCCSLWVfMV2C9kSlGLcOzqFT39lUnr3f:+M0JBepllKVDmWZMV2C9aLcOzWT3UnrP

Score

10^/10

remotehost remcos

Malware Config

Extracted

Family

remcos

Version

2.0.5 Free

Botnet

RemoteHost

127.0.0.1:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-GEU5X7
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos family
remcos

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
4c9b84877211d5ba1ae0bd681b01bfec_JaffaCakes118

Files

4c9b84877211d5ba1ae0bd681b01bfec_JaffaCakes118
.exe windows:4 windows x86 arch:x86

33ebcaabec7dbf2869632c1182416a0a

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CreateToolhelp32Snapshot
GetTickCount
CreateDirectoryW
GetFileAttributesW
GetLogicalDriveStringsA
GlobalUnlock
GlobalLock
GlobalAlloc
DeleteFileW
GetCurrentProcessId
GetCurrentProcess
DeleteFileA
Process32FirstW
LocalAlloc
OpenProcess
DuplicateHandle
GetCurrentThread
RemoveDirectoryW
lstrcpynA
GetModuleFileNameA
ExitProcess
AllocConsole
GetStartupInfoA
Process32NextW
GetLocaleInfoA
FindResourceA
LoadResource
LockResource
SizeofResource
GetModuleHandleA
CreateMutexA
GetLastError
GetLongPathNameW
GetModuleFileNameW
SetFileAttributesW
LoadLibraryA
GetProcAddress
CreateFileMappingA
MapViewOfFileEx
TerminateThread
FindClose
ExitThread
CreateFileW
GetFileSize
CreateThread
SetFilePointer
GetDriveTypeA
lstrlenA
FindFirstFileW
FindNextFileW
CreatePipe
CreateProcessA
PeekNamedPipe
ReadFile
WriteFile
TerminateProcess
SetEvent
HeapCreate
HeapFree
Sleep
GetLocalTime
CreateEventA
WaitForSingleObject
CloseHandle
GlobalFree

user32

SetForegroundWindow
TrackPopupMenu
CreatePopupMenu
AppendMenuA
RegisterClassExA
CreateWindowExA
SystemParametersInfoW
GetForegroundWindow
SendInput
GetIconInfo
DrawIcon
EnumWindows
GetCursorPos
IsWindowVisible
OpenClipboard
CloseWindow
ShowWindow
GetWindowThreadProcessId
MessageBoxW
ExitWindowsEx
EmptyClipboard
SetClipboardData
CloseClipboard
GetClipboardData
SetWindowTextW
TranslateMessage
GetWindowTextW
DefWindowProcA
DispatchMessageA
GetMessageA

gdi32

GetDIBits
GetObjectA
StretchBlt
SelectObject
DeleteObject
DeleteDC
CreateCompatibleBitmap
GetDeviceCaps
CreateCompatibleDC
CreateDCA

advapi32

RegCreateKeyW
RegEnumKeyExA
GetUserNameW
ChangeServiceConfigW
QueryServiceStatus
ControlService
OpenSCManagerW
StartServiceW
OpenSCManagerA
EnumServicesStatusW
OpenServiceW
RegDeleteKeyA
RegOpenKeyExA
RegCloseKey
RegQueryValueExA
RegQueryValueExW
RegOpenKeyExW
RegSetValueExA
RegCreateKeyA
RegSetValueExW
RegDeleteValueW
RegEnumValueW
RegEnumKeyExW
RegQueryInfoKeyW
RegCreateKeyExW
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
CloseServiceHandle
QueryServiceConfigW

shell32

ExtractIconA
Shell_NotifyIconA
ShellExecuteExA
ShellExecuteW

msvcrt

_controlfp
_except_handler3
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
_XcptFilter
_exit
??1type_info@@UAE@XZ
_onexit
__dllonexit
freopen
wcscat
_itow
_wsystem
_wrename
sprintf
wcscpy
wcslen
_wgetenv
exit
__CxxFrameHandler
tolower
wcscmp
atoi
??2@YAPAXI@Z
getenv
??3@YAXPAX@Z
_CxxThrowException
??0exception@@QAE@ABV0@@Z
printf
strncmp
malloc
free
_iob
_itoa

msvcp60

?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z
?find_last_of@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIGI@Z
?npos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@2IB
??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@G@Z
?resize@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEXI@Z
?rfind@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIGI@Z
?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z
?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QBE_NXZ
??0Init@ios_base@std@@QAE@XZ
??1Init@ios_base@std@@QAE@XZ
??0_Winit@std@@QAE@XZ
??1_Winit@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z
?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ
?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ
?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z
?empty@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE_NXZ
?find_last_of@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z
??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z
?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ
??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ
??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGIABV?$allocator@G@1@@Z
??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z
??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z
??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z
?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z
??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z
?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ
?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ
??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z
??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z
?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z
??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z
??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z
??0out_of_range@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z
??1out_of_range@std@@UAE@XZ
??0out_of_range@std@@QAE@ABV01@@Z
??0logic_error@std@@QAE@ABV01@@Z
??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z
?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ
??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z
??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z
?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ
??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ
?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z

shlwapi

StrToIntA

ws2_32

htons
socket
send
recv
closesocket
connect
gethostbyname
WSAStartup

urlmon

URLDownloadToFileW

gdiplus

GdipLoadImageFromStream
GdipFree
GdipDisposeImage
GdipCloneImage
GdipAlloc
GdipSaveImageToStream
GdiplusStartup
GdipGetImageEncoders
GdipGetImageEncodersSize
GdipLoadImageFromStreamICM

wininet

InternetReadFile
InternetOpenUrlA
InternetOpenA
InternetCloseHandle

Sections

.text
Size: 48KB - Virtual size: 44KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 16KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

33ebcaabec7dbf2869632c1182416a0a

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

msvcrt

msvcp60

shlwapi

ws2_32

urlmon

gdiplus

wininet

Sections

.text Size: 48KB - Virtual size: 44KB

.rdata Size: 16KB - Virtual size: 14KB

.data Size: 4KB - Virtual size: 3KB

.rsrc Size: 4KB - Virtual size: 3KB

.text
Size: 48KB - Virtual size: 44KB

.rdata
Size: 16KB - Virtual size: 14KB

.data
Size: 4KB - Virtual size: 3KB

.rsrc
Size: 4KB - Virtual size: 3KB