# Remcos **[github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/Remcos.md](https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/Remcos.md)** itaymigdal **Malware** **Name** **File** **Type** **SHA256** Remcos x32 exe (.NET) 5eb996275b36c1e8c1d3daa71e6469507a29401c77f2b1fd91e4d354ccde9860 ## Analysis process This writeup starts with a suspicious executable that was sent via mail. We can see that most part of the PE is packed (entropy ~ 8 -> High entropy indicates on encrypted / compressed data): ----- The PE is .NET so we'll check it out in Dnspy: As usual, we'll watch it under Procmon. this is the interesting process tree: We can see that: ----- The file creates scheduled task for persistence The file writes a vbs script to `\AppData\Local\Temp\ and runs it` The vbs script copies the malware to `\AppData\Roaming\remcos\ (Nice spoiler,` thank you malware author 😘), and executes it from there. The Script content: As we can see, after the copy & execute, the vbs script deletes itself (and is written back next execution). In this analysis i took the "quick and dirty" approach, so i in order to unpack the file, i let it run for about a minute or two, and then dumped it using Pe-Sieve (i added the /data argument, because this is .NET executable): And Vwalla: We've got our unpacked version with nice icon: And it isn't packed: ----- The file is a native PE file (i.e. written in C\C++, unlike the loader which was written in .NET), and it's importing a lot of interesting libraries: Observing the strings we find very interesting finds: Indeed the malware is Remcos PRO 2.7.2: ----- Keylogger capabilities: Browser stealing capabilities: Exfilitration and Infilitration capabilities: The malware contains a setting resource which looks encrypted: So we will try to watch it decrypted in memory. here we can see the file loads it: ----- And after some math we see the settings in clear text: c2 Server: 185.244.26.209 We can see some more juicy stuff, like Mutex string, execution path, logs path and encryption keys. After some Googling about Remcos, seems like it is total legal software which has a very [detailed site. This is how the panel from the attacker side looks like:](https://breakingsecurity.net/remcos/) ----- A lot of nice and evil capabilities 😏. ## Bonus [After watching this, i learned how Remcos encrypts his config, so i wrote a little script that](https://www.youtube.com/watch?v=CYnzzJ8f3Ts&t=573s) retrieves a Remcos encrypted SETTINGS file, and decrypts is: ----- -----