remcos | ac5701c2635f4ea82d70b75d1a33ae56ebfd431e9f1ad34134a06307ad9d12b8[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

ac5701c2635f4ea82d70b75d1a33ae56ebfd431e9f1ad34134a06307ad9d12b8.exe
Size

180KB
MD5

291270e7fd1ea4ce6f878528e03ff33c
SHA1

f3aa4a90bea77c23376955bb563fc8b65dcdb54b
SHA256

ac5701c2635f4ea82d70b75d1a33ae56ebfd431e9f1ad34134a06307ad9d12b8
SHA512

3657db07f8c01d9a12d3902ce0a8fd4bf7240594fd4704cf19d971c7d6b29e579448155d92cdf949307846c5ce8f9ce7cc3bcd772316ccca4e90493f3646008b
SSDEEP

3072:kqM8+466FzyRsXVR4VRclmCD+/tjxsTQRS:kqM8+4TFGqGVRcgCD+/tjxsTQRS

Score

10^/10

upx remotehost remcos

Malware Config

Extracted

Family

remcos

Version

2.5.0 Light

Botnet

RemoteHost

127.0.0.1:2404

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-YCDIWY
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos family
remcos

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
sample	upx

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
ac5701c2635f4ea82d70b75d1a33ae56ebfd431e9f1ad34134a06307ad9d12b8.exe

Files

ac5701c2635f4ea82d70b75d1a33ae56ebfd431e9f1ad34134a06307ad9d12b8.exe
.exe windows:4 windows x86 arch:x86

94f57f37f2f5e2a1ca886beb393c29cb

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SizeofResource
LockResource
LoadResource
FindResourceA
GetLocaleInfoA
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
GetTickCount
GlobalUnlock
GlobalLock
GlobalAlloc
GetCurrentProcessId
GetModuleHandleA
GlobalFree
LocalAlloc
OpenProcess
DuplicateHandle
GetCurrentThread
RemoveDirectoryW
GetLongPathNameW
lstrcpynA
GetModuleFileNameA
ExitProcess
AllocConsole
GetStartupInfoA
CreateMutexA
GetModuleFileNameW
SetFileAttributesW
ExpandEnvironmentStringsA
FindFirstFileA
FindNextFileA
DeleteFileA
GetLastError
LoadLibraryA
GetProcAddress
CreateFileMappingA
MapViewOfFileEx
TerminateThread
FindClose
ExitThread
GetLogicalDriveStringsA
CreateDirectoryW
GetFileAttributesW
DeleteFileW
CreateFileW
GetFileSize
SetFilePointer
CreateThread
GetDriveTypeA
lstrlenA
FindFirstFileW
FindNextFileW
CreatePipe
CreateProcessA
PeekNamedPipe
ReadFile
WriteFile
TerminateProcess
SetEvent
HeapCreate
HeapFree
Sleep
GetLocalTime
CreateEventA
WaitForSingleObject
CloseHandle
GetCurrentProcess

advapi32

RegSetValueExW
RegEnumKeyExA
GetUserNameW
ChangeServiceConfigW
QueryServiceStatus
ControlService
OpenSCManagerW
StartServiceW
OpenSCManagerA
EnumServicesStatusW
OpenServiceW
RegDeleteKeyA
RegOpenKeyExA
RegCloseKey
RegQueryValueExA
RegQueryValueExW
RegOpenKeyExW
RegSetValueExA
RegCreateKeyA
RegCreateKeyW
RegDeleteValueW
RegEnumValueW
RegEnumKeyExW
RegQueryInfoKeyW
RegCreateKeyExW
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
CloseServiceHandle
QueryServiceConfigW

gdi32

CreateDCA
GetDIBits
GetObjectA
StretchBlt
SelectObject
DeleteObject
DeleteDC
CreateCompatibleBitmap
GetDeviceCaps
CreateCompatibleDC

gdiplus

GdipLoadImageFromStreamICM
GdipLoadImageFromStream
GdipDisposeImage
GdipCloneImage
GdipAlloc
GdipSaveImageToStream
GdipGetImageEncoders
GdipGetImageEncodersSize
GdipFree
GdiplusStartup

msvcp60

??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z
??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ
?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z
??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z
??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z
?find_last_of@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z
?find_last_of@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIGI@Z
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z
?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QBE_NXZ
??0Init@ios_base@std@@QAE@XZ
??1Init@ios_base@std@@QAE@XZ
??0_Winit@std@@QAE@XZ
??1_Winit@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z
?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIGI@Z
?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z
?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ
?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ
?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z
?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXID@Z
?empty@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE_NXZ
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGIABV?$allocator@G@1@@Z
??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z
??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z
?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ
?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z
?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ
?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z
??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z
??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@G@Z
?npos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@2IB
?rfind@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIGI@Z
??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z
?resize@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEXI@Z
??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z
??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z
??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z
??0out_of_range@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z
??1out_of_range@std@@UAE@XZ
??0out_of_range@std@@QAE@ABV01@@Z
??0logic_error@std@@QAE@ABV01@@Z
?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ
?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ
??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z
??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z
?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ
??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ
?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z

msvcrt

_controlfp
_except_handler3
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
_XcptFilter
_exit
??1type_info@@UAE@XZ
_onexit
__dllonexit
_iob
wcscat
_itow
_wsystem
sprintf
wcscpy
wcslen
_wgetenv
exit
_EH_prolog
__CxxFrameHandler
tolower
wcscmp
atoi
_wrename
??2@YAPAXI@Z
getenv
??3@YAXPAX@Z
_CxxThrowException
??0exception@@QAE@ABV0@@Z
printf
strncmp
malloc
free
freopen
_itoa

shell32

ExtractIconA
Shell_NotifyIconA
ShellExecuteExA
ShellExecuteW

shlwapi

StrToIntA
PathFileExistsW
PathFileExistsA

urlmon

URLDownloadToFileW

user32

AppendMenuA
RegisterClassExA
CreateWindowExA
SystemParametersInfoW
GetForegroundWindow
SendInput
mouse_event
GetIconInfo
DrawIcon
EnumWindows
GetWindowTextW
IsWindowVisible
CloseWindow
GetWindowThreadProcessId
OpenClipboard
MessageBoxW
ExitWindowsEx
EmptyClipboard
SetClipboardData
CloseClipboard
GetClipboardData
ShowWindow
SetWindowTextW
SetForegroundWindow
GetMessageA
TranslateMessage
CreatePopupMenu
TrackPopupMenu
GetCursorPos
DispatchMessageA
DefWindowProcA

wininet

InternetReadFile
InternetOpenUrlA
InternetOpenA
InternetCloseHandle

winmm

PlaySoundW
mciSendStringW
mciSendStringA

ws2_32

gethostbyname
socket
WSAStartup
connect
recv
send
htons
closesocket

Sections

UPX0
Size: 76KB - Virtual size: 76KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 72KB - Virtual size: 72KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Extracted

Signatures

Files

94f57f37f2f5e2a1ca886beb393c29cb

Headers

File Characteristics

Imports

kernel32

advapi32

gdi32

gdiplus

msvcp60

msvcrt

shell32

shlwapi

urlmon

user32

wininet

winmm

ws2_32

Sections

UPX0 Size: 76KB - Virtual size: 76KB

UPX1 Size: 28KB - Virtual size: 28KB

.rsrc Size: 72KB - Virtual size: 72KB

UPX0
Size: 76KB - Virtual size: 76KB

UPX1
Size: 28KB - Virtual size: 28KB

.rsrc
Size: 72KB - Virtual size: 72KB