remcos | 9dbb7358e1d37ffaa33e16065310c067_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

9dbb7358e1d37ffaa33e16065310c067_JaffaCakes118
Size

113KB
MD5

9dbb7358e1d37ffaa33e16065310c067
SHA1

3505d6b6de8fb7b305e0e2f8cab8838e0c90ac1e
SHA256

851950510f4760bded5792e8d8cfcbe2debf31c41b807e760495752d55674bc4
SHA512

e03d57f9ca0f87e80c25154a7cc53259ab14b9084d275ada84fca48f19703d0cce258da49e1e2b524cc3cda8403503dd9d3c4bc95474c4ddbbd5bd93fdec1689
SSDEEP

3072:TFNUcekHxRkuHxSWMDUajQJf/p/itxBCBpEzImXnr+vHI+zIcdWrA:THUcLxRkuRSWMDUaGf/p/sxWpEzImXqn

Score

10^/10

tuks remcos

Malware Config

Extracted

Family

remcos

Version

2.0.5 Pro

Botnet

tuks

127.0.0.1:2404

77.48.28.223:9030

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
tuks.exe
copy_folder
tuks
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
tuks-6PR8DL
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos family
remcos

Files

9dbb7358e1d37ffaa33e16065310c067_JaffaCakes118
.exe windows:4 windows x86 arch:x86

ddf2d42cce3b13f014929f020763460a

Code Sign

60:6f:97:ad:43:7d:03:23:3f:16:ca:67:9f:a7:eb:9d
Certificate

Issuer

CN=thawte SHA256 Code Signing CA,O=thawte\, Inc.,C=US

Not Before

14/09/2017, 00:00

Not After

14/09/2018, 23:59

Subject

CN=Elevara Ltd,O=Elevara Ltd,L=London,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

03:01:9a:02:3a:ff:58:b1:6b:d6:d5:ea:e6:17:f0:66
Certificate

Issuer

CN=DigiCert Assured ID CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

22/10/2014, 00:00

Not After

22/10/2024, 00:00

Subject

CN=DigiCert Timestamp Responder,O=DigiCert,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

06:fd:f9:03:96:03:ad:ea:00:0a:eb:3f:27:bb:ba:1b
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

10/11/2006, 00:00

Not After

10/11/2021, 00:00

Subject

CN=DigiCert Assured ID CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageServerAuth
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
ExtKeyUsageEmailProtection
ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

ff:4c:66:b6:5f:79:c1:0b:42:14:ec:80:71:4c:d1:44:85:1a:fe:3c
Signer

Actual PE Digest

ff:4c:66:b6:5f:79:c1:0b:42:14:ec:80:71:4c:d1:44:85:1a:fe:3c

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetLongPathNameW
CreateMutexA
OpenMutexA
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
SizeofResource
LockResource
LoadResource
FindResourceA
GetLocaleInfoA
OpenProcess
GetCurrentProcessId
lstrcatW
GetTempFileNameW
GetTempPathW
GetTickCount
GlobalUnlock
GlobalLock
GetModuleFileNameW
GetLogicalDriveStringsA
GetCurrentProcess
ResumeThread
SetThreadContext
WriteProcessMemory
VirtualAllocEx
ReadProcessMemory
GetThreadContext
VirtualAlloc
CreateProcessW
GlobalFree
LocalAlloc
DuplicateHandle
GetCurrentThread
lstrcpynA
GetModuleFileNameA
ExitProcess
AllocConsole
GetStartupInfoA
CopyFileW
ExpandEnvironmentStringsA
FindFirstFileA
FindNextFileA
DeleteFileA
GetLastError
CreateFileMappingA
MapViewOfFileEx
DeleteFileW
RemoveDirectoryW
GetFileAttributesW
SetFileAttributesW
TerminateThread
FindClose
GetFileSize
SetFilePointer
GetDriveTypeA
lstrlenA
FindFirstFileW
FindNextFileW
LoadLibraryA
GetProcAddress
CreatePipe
CreateProcessA
PeekNamedPipe
ReadFile
TerminateProcess
SetEvent
HeapCreate
HeapFree
GetLocalTime
CreateEventA
WaitForSingleObject
CreateDirectoryW
CreateFileW
WriteFile
CloseHandle
ExitThread
Sleep
GetModuleHandleA
GlobalAlloc
CreateThread

user32

CallNextHookEx
GetKeyState
GetWindowTextA
GetWindowTextLengthA
GetForegroundWindow
UnhookWindowsHookEx
CloseClipboard
GetClipboardData
OpenClipboard
SetClipboardData
EmptyClipboard
ExitWindowsEx
MessageBoxW
GetKeyboardLayoutNameA
SetWindowTextW
GetWindowThreadProcessId
ShowWindow
CloseWindow
IsWindowVisible
GetWindowTextW
EnumWindows
DrawIcon
GetIconInfo
SendInput
SystemParametersInfoW
CreateWindowExA
RegisterClassExA
AppendMenuA
CreatePopupMenu
TrackPopupMenu
SetForegroundWindow
GetCursorPos
DefWindowProcA
DispatchMessageA
SetWindowsHookExA
GetKeyboardLayout
GetMessageA
FindWindowA
TranslateMessage

gdi32

CreateDCA
CreateCompatibleDC
GetDeviceCaps
CreateCompatibleBitmap
DeleteDC
DeleteObject
SelectObject
StretchBlt
GetDIBits
GetObjectA

advapi32

GetUserNameW
ChangeServiceConfigW
QueryServiceStatus
ControlService
OpenSCManagerW
StartServiceW
OpenSCManagerA
EnumServicesStatusW
OpenServiceW
QueryServiceConfigW
RegOpenKeyExA
RegDeleteKeyA
RegCloseKey
RegQueryValueExA
RegQueryValueExW
RegOpenKeyExW
RegSetValueExA
RegCreateKeyA
RegSetValueExW
RegCreateKeyW
RegDeleteValueW
RegEnumValueW
RegEnumKeyExW
RegQueryInfoKeyW
RegCreateKeyExW
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
CloseServiceHandle
RegEnumKeyExA

shell32

ShellExecuteW
ExtractIconA
Shell_NotifyIconA
ShellExecuteExA

msvcp60

??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z
?size@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ
??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ
?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z
??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z
??8std@@YA_NPBGABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@@Z
?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z
?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z
?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@@Z
??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@0@Z
?find_last_of@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z
?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z
?find_last_of@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIGI@Z
?npos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@2IB
??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@G@Z
?resize@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEXI@Z
?rfind@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIGI@Z
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z
?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QBE_NXZ
??0Init@ios_base@std@@QAE@XZ
??1Init@ios_base@std@@QAE@XZ
??0_Winit@std@@QAE@XZ
??1_Winit@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z
?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z
?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ
?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ
?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z
?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXID@Z
?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGIABV?$allocator@G@1@@Z
??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z
??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z
??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z
?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ
??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z
?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
??0logic_error@std@@QAE@ABV01@@Z
??0out_of_range@std@@QAE@ABV01@@Z
??1out_of_range@std@@UAE@XZ
??0out_of_range@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z
??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z
?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ
??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z
??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z
??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z
??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z
?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ
??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ
??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z
?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z
?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ
?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ
?empty@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE_NXZ
??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z

shlwapi

StrToIntA
PathFileExistsA
PathFileExistsW

msvcrt

toupper
_controlfp
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
_XcptFilter
_exit
_onexit
__dllonexit
??1type_info@@UAE@XZ
_iob
freopen
wcscat
_itow
srand
rand
swprintf
_wrename
_wsystem
wcscpy
wcslen
_wgetenv
_itoa
sprintf
tolower
wcscmp
getenv
printf
strncmp
malloc
free
__CxxFrameHandler
time
localtime
strftime
atoi
_ftol
??2@YAPAXI@Z
_CxxThrowException
??0exception@@QAE@ABV0@@Z
exit
_except_handler3

winmm

waveInStart
waveInClose
waveInUnprepareHeader
waveInPrepareHeader
waveInStop
waveInAddBuffer
waveInOpen

ws2_32

htons
gethostbyname
closesocket
socket
WSAStartup
inet_ntoa
recv
send
connect

urlmon

URLDownloadToFileW
URLOpenBlockingStreamW

gdiplus

GdipLoadImageFromStream
GdipFree
GdipDisposeImage
GdipCloneImage
GdipAlloc
GdipSaveImageToStream
GdipSaveImageToFile
GdiplusStartup
GdipGetImageEncoders
GdipLoadImageFromStreamICM
GdipGetImageEncodersSize

wininet

InternetCloseHandle
InternetOpenUrlA
InternetOpenA
InternetReadFile

Sections

.text
Size: 72KB - Virtual size: 71KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

ddf2d42cce3b13f014929f020763460a

Code Sign

60:6f:97:ad:43:7d:03:23:3f:16:ca:67:9f:a7:eb:9dCertificate

Extended Key Usages

Key Usages

03:01:9a:02:3a:ff:58:b1:6b:d6:d5:ea:e6:17:f0:66Certificate

Extended Key Usages

Key Usages

06:fd:f9:03:96:03:ad:ea:00:0a:eb:3f:27:bb:ba:1bCertificate

Extended Key Usages

Key Usages

ff:4c:66:b6:5f:79:c1:0b:42:14:ec:80:71:4c:d1:44:85:1a:fe:3cSigner

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

msvcp60

shlwapi

msvcrt

winmm

ws2_32

urlmon

gdiplus

wininet

Sections

.text Size: 72KB - Virtual size: 71KB

.rdata Size: 24KB - Virtual size: 20KB

.data Size: 4KB - Virtual size: 3KB

.rsrc Size: 4KB - Virtual size: 3KB

60:6f:97:ad:43:7d:03:23:3f:16:ca:67:9f:a7:eb:9d
Certificate

03:01:9a:02:3a:ff:58:b1:6b:d6:d5:ea:e6:17:f0:66
Certificate

06:fd:f9:03:96:03:ad:ea:00:0a:eb:3f:27:bb:ba:1b
Certificate

ff:4c:66:b6:5f:79:c1:0b:42:14:ec:80:71:4c:d1:44:85:1a:fe:3c
Signer

.text
Size: 72KB - Virtual size: 71KB

.rdata
Size: 24KB - Virtual size: 20KB

.data
Size: 4KB - Virtual size: 3KB

.rsrc
Size: 4KB - Virtual size: 3KB