# Remcos

Writeup by itaymigdal, source: https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/Remcos.md

| Malware Name | File Type | SHA256 |
|---|---|---|
| Remcos | x32 exe (.NET) | 5eb996275b36c1e8c1d3daa71e6469507a29401c77f2b1fd91e4d354ccde9860 |

## Analysis process

This writeup starts with a suspicious executable that was sent via mail.

We can see that most of the PE is packed (entropy ~8; high entropy indicates encrypted / compressed data):

![Section entropy](https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/img/1.PNG)

The PE is .NET, so we'll check it out in dnSpy:

![dnSpy view](https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/img/2.PNG)

As usual, we'll watch it under Procmon. This is the interesting process tree:

![Procmon process tree](https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/img/3.PNG)

We can see that:

- The file creates a scheduled task for persistence.
- The file writes a VBS script to `\AppData\Local\Temp\` and runs it.
- The VBS script copies the malware to `\AppData\Roaming\remcos\` (nice spoiler, thank you malware author 😘) and executes it from there.

The script content:

![VBS script content](https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/img/4.PNG)

As we can see, after the copy & execute, the VBS script deletes itself (and is written back on the next execution).

In this analysis I took the "quick and dirty" approach: in order to unpack the file, I let it run for about a minute or two and then dumped it using PE-sieve (I added the `/data` argument because this is a .NET executable):

![PE-sieve dump](https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/img/5.PNG)

And voilà, we've got our unpacked version with a nice icon:

![Unpacked executable](https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/img/6.PNG)

And it isn't packed:

![Entropy of the unpacked file](https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/img/7.PNG)

The file is a native PE file (i.e. written in C/C++, unlike the loader, which was written in .NET), and it imports a lot of interesting libraries:

![Imports](https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/img/8.PNG)

Observing the strings, we find some very interesting things:

![Strings](https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/img/9.PNG)

Indeed, the malware is Remcos PRO 2.7.2:

![Remcos version string](https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/img/10.PNG)

Keylogger capabilities:

![Keylogger strings](https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/img/11.PNG)

Browser stealing capabilities:

![Browser stealing strings](https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/img/12.PNG)

Exfiltration and infiltration capabilities:

![Exfiltration and infiltration strings](https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/img/13.PNG)

The malware contains a settings resource which looks encrypted:

![Encrypted SETTINGS resource](https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/img/14.PNG)

So we will try to watch it decrypted in memory. Here we can see the file loading it:

![Loading the settings resource](https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/img/15.PNG)

And after some math we see the settings in clear text:

![Decrypted settings in memory](https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/img/16.PNG)

C2 server: 185.244.26.209

We can see some more juicy stuff, like the mutex string, execution path, logs path and encryption keys.

After some Googling about Remcos, it seems like it is totally legal software which has a very detailed site: https://breakingsecurity.net/remcos/

This is how the panel looks from the attacker's side:

![Remcos panel](https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/img/18.PNG)

A lot of nice and evil capabilities.
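The entropy check at the start of the analysis (packed loader at ~8 bits per byte, unpacked payload well below) can be reproduced without a GUI tool. The following is an added example, not code from the writeup: it computes Shannon entropy per fixed-size chunk and reports the fraction of a buffer that looks packed. The sample image it scans is constructed inline (a low-entropy header followed by uniform bytes), and the 7.2 bits-per-byte threshold is an assumed cut-off, not a value from the page.

```python
import math
import sys
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, chunk_size: int = 4096):
    """Entropy of each fixed-size chunk, as (offset, entropy) pairs, in file order."""
    return [(off, shannon_entropy(data[off:off + chunk_size]))
            for off in range(0, len(data), chunk_size)]


def packed_ratio(data: bytes, chunk_size: int = 4096, threshold: float = 7.2) -> float:
    """Fraction of chunks at or above the (assumed) threshold; near 1.0 means mostly packed/encrypted."""
    profile = entropy_profile(data, chunk_size)
    if not profile:
        return 0.0
    return sum(1 for _, e in profile if e >= threshold) / len(profile)


# Constructed sample, not a real binary: one 4096-byte low-entropy "header" chunk
# (an MZ marker padded with zeros) followed by four chunks of perfectly uniform bytes.
SAMPLE_IMAGE = (b"MZ" + b"\x00" * 4094) + bytes(range(256)) * 16 * 4

if __name__ == "__main__":
    # Usage: python entropy_scan.py <file>   (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    for off, e in entropy_profile(data):
        flag = "PACKED?" if e >= 7.2 else ""
        print(f"0x{off:08x}  {e:5.2f}  {flag}")
    print(f"packed ratio: {packed_ratio(data):.2f}")
```

Run it against the dropped loader and the PE-sieve dump side by side: the loader should show a high packed ratio, while the dumped native payload shows mostly mid-range chunks (code and data) with only small high-entropy islands such as the encrypted SETTINGS resource.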
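The Procmon process tree above (scheduled task, VBS script written to `Temp` and run, payload copied to `AppData\Roaming\remcos\` and executed, script deleting itself) is a chain a defender can match automatically. The following is an added example that is not part of the writeup: it walks a Procmon-style CSV export, follows the process tree from a seed process through the children it creates, and reports which steps of that chain were observed. The CSV events, process names and the threshold of four indicators are all constructed assumptions for illustration.

```python
import csv
import io
import re

# (indicator name, Procmon operations it applies to, regex on the Path column)
INDICATORS = [
    ("scheduled_task_created", {"Process Create"}, r"\\schtasks\.exe$"),
    ("script_dropped_in_temp", {"WriteFile", "CreateFile"}, r"\\AppData\\Local\\Temp\\[^\\]+\.vbs$"),
    ("script_host_launched", {"Process Create"}, r"\\(wscript|cscript)\.exe$"),
    ("exe_written_under_roaming", {"WriteFile", "CreateFile"}, r"\\AppData\\Roaming\\.*\.exe$"),
    ("exe_launched_from_roaming", {"Process Create"}, r"\\AppData\\Roaming\\.*\.exe$"),
    ("dropper_script_self_delete", {"SetDispositionInformationFile"}, r"\\AppData\\Local\\Temp\\[^\\]+\.vbs$"),
]


def analyze_process_tree(csv_text: str, seed_process: str, min_indicators: int = 4) -> dict:
    """Follow the process tree rooted at seed_process and collect matched indicators."""
    tracked = {seed_process.lower()}
    hits = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        proc = row["Process Name"].lower()
        if proc not in tracked:
            continue
        op, path = row["Operation"], row["Path"]
        if op == "Process Create":
            # A child image spawned by a tracked process becomes part of the tree.
            tracked.add(path.rsplit("\\", 1)[-1].lower())
        for name, ops, pattern in INDICATORS:
            if op not in ops or not re.search(pattern, path, re.IGNORECASE):
                continue
            if name == "dropper_script_self_delete" and "Delete: True" not in row["Detail"]:
                continue
            hits.add(name)
    return {
        "tracked": sorted(tracked),
        "indicators": sorted(hits),
        "suspicious": len(hits) >= min_indicators,
    }


# Constructed Procmon-style export (not a real capture), mirroring the chain in the writeup.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01","invoice.exe","1000","Process Create","C:\\Windows\\System32\\schtasks.exe","SUCCESS","PID: 1001"
"10:00:02","invoice.exe","1000","WriteFile","C:\\Users\\alice\\AppData\\Local\\Temp\\install.vbs","SUCCESS","Offset: 0, Length: 512"
"10:00:03","invoice.exe","1000","Process Create","C:\\Windows\\System32\\wscript.exe","SUCCESS","PID: 1002"
"10:00:04","wscript.exe","1002","WriteFile","C:\\Users\\alice\\AppData\\Roaming\\remcos\\remcos.exe","SUCCESS","Offset: 0, Length: 4096"
"10:00:05","wscript.exe","1002","Process Create","C:\\Users\\alice\\AppData\\Roaming\\remcos\\remcos.exe","SUCCESS","PID: 1003"
"10:00:06","wscript.exe","1002","SetDispositionInformationFile","C:\\Users\\alice\\AppData\\Local\\Temp\\install.vbs","SUCCESS","Delete: True"
"""

# Constructed benign activity for comparison.
BENIGN_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01","notepad.exe","2000","CreateFile","C:\\Users\\alice\\Documents\\notes.txt","SUCCESS","Desired Access: Generic Write"
"10:00:02","notepad.exe","2000","WriteFile","C:\\Users\\alice\\Documents\\notes.txt","SUCCESS","Offset: 0, Length: 12"
"""

if __name__ == "__main__":
    print(analyze_process_tree(SAMPLE_CSV, "invoice.exe"))
    print(analyze_process_tree(BENIGN_CSV, "notepad.exe"))
```

The same rule set translates directly to Sysmon (event IDs 1 and 11) or EDR telemetry; the point is to score the chain rather than any single event, since a lone `wscript.exe` launch or a write under `Roaming` is common in legitimate software.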
## Bonus

After watching [this](https://www.youtube.com/watch?v=CYnzzJ8f3Ts&t=573s), I learned how Remcos encrypts its config, so I wrote a little script that retrieves a Remcos encrypted SETTINGS file and decrypts it: https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/Remcos_Config_Decrypter.py

![Decrypted settings hexdump](https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/img/17.PNG)

(The screenshot shows a hexdump of the decrypted settings in a PowerShell window; the legible fields include the C2 `185.244.26.209:1989`, the mutex `Remcos-QKUG1Z`, and the names `logs.dat`, `Screenshots` and `MicRecords`.)
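The decryption step itself, as an added example that is not the writeup's own `Remcos_Config_Decrypter.py`: it takes the raw bytes of the SETTINGS resource (extracted with whatever resource tool you prefer) and splits the plaintext into fields. The layout it assumes (a one-byte key length, the key, then RC4 ciphertext, with fields separated by `|\x1e\x1e\x1f|`) is the one commonly reported for Remcos 2.x samples but is not stated on the page, so verify it against the decrypted output of your own sample. The sample blob, key and field values below are constructed for the example.

```python
import sys

# Assumed field separator for Remcos 2.x configs; not taken from the writeup.
FIELD_DELIMITER = b"|\x1e\x1e\x1f|"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_settings(blob: bytes) -> list:
    """Assumed layout: [key length (1 byte)][key][RC4 ciphertext] -> list of config fields."""
    if len(blob) < 2:
        raise ValueError("SETTINGS blob too short")
    key_len = blob[0]
    key = blob[1:1 + key_len]
    if key_len == 0 or len(key) != key_len:
        raise ValueError("invalid key length byte; layout assumption does not hold for this sample")
    plain = rc4(key, blob[1 + key_len:])
    return [field.decode("latin-1") for field in plain.split(FIELD_DELIMITER)]


def pack_settings(fields: list, key: bytes) -> bytes:
    """Inverse of parse_settings; used here only to build a constructed sample blob."""
    if not 0 < len(key) < 256:
        raise ValueError("key length must fit in one byte")
    plain = FIELD_DELIMITER.join(f.encode("latin-1") for f in fields)
    return bytes([len(key)]) + key + rc4(key, plain)


# Constructed sample (RFC 5737 address, made-up mutex and key); the writeup's own
# screenshot shows the C2 host:port as the first field, which this sample mirrors.
SAMPLE_FIELDS = ["192.0.2.10:1989:0", "Remcos-CONSTRUCTED", "remcos.exe",
                 "logs.dat", "Screenshots", "MicRecords"]
SAMPLE_KEY = b"constructed-key"
SAMPLE_BLOB = pack_settings(SAMPLE_FIELDS, SAMPLE_KEY)

if __name__ == "__main__":
    # Usage: python decrypt_settings.py <dumped SETTINGS resource>  (falls back to the sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for index, field in enumerate(parse_settings(blob)):
        print(f"[{index:02d}] {field}")
```

If the first field does not come out as a readable host:port string, the key-length-prefix assumption is wrong for that build and the decryption routine should be re-checked in the debugger, as the writeup does with the in-memory view.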