# 2017-12-22 - MALSPAM USES CVE-2017-0199 TO DISTRIBUTE REMCOS RAT

**malware-traffic-analysis.net/2017/12/22/index.html**

ASSOCIATED FILES:

[2017-12-21-malspam-pushing-Remcos-RAT-1356-UTC.eml.zip 39.9 kB (39,888 bytes)](http://malware-traffic-analysis.net/2017/12/22/2017-12-21-malspam-pushing-Remcos-RAT-1356-UTC.eml.zip)

[2017-12-22-malspam-pushing-RemcosRAT.pcap.zip 1.0 MB (1,044,955 bytes)](http://malware-traffic-analysis.net/2017/12/22/2017-12-22-malspam-pushing-RemcosRAT.pcap.zip)

[2017-12-22-artifacts-from-Remcos-RAT-malspam-infection.zip 1.9 MB (1,875,694 bytes)](http://malware-traffic-analysis.net/2017/12/22/2017-12-22-artifacts-from-Remcos-RAT-malspam-infection.zip)

NOTES:

On 2017-12-21, I saw malspam dated 2017-12-21 with an RTF attachment using CVE-2017-0199 to push [Remcos RAT](https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2). Today's post-infection traffic is similar to Remcos RAT post-infection traffic I reported [almost 2 months ago on 2017-10-27](http://malware-traffic-analysis.net/2017/10/27/index.html).

_Shown above: Flowchart for today's infection._

-----

## WEB TRAFFIC BLOCK LIST

Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:

hxxps://streetsave.club/styles/break/beta.hta

hxxps://regwide.club/images/scale/nile.php

hxxps://regwide.club/images/scale/nite.exe

darlz.freeddns.org

## IMAGES

_Shown above: Screenshot of the email._

-----

_Shown above: The attached .doc file is actually an RTF that uses CVE-2017-0199. I clicked my way "yes" to an infection!_

_Shown above: The executable for Remcos RAT needed my permission to run._

-----

_Shown above: Traffic from the infection filtered in [Wireshark](https://www.wireshark.org/)._

_Shown above: HTTPS traffic as seen in [Fiddler](https://www.telerik.com/fiddler)._

_Shown above: Post-infection traffic from the Remcos RAT-infected host._

-----

_Shown above: Randomly-named key with binary data in the Windows registry._

_Shown above: Updated key in the Windows registry to keep the infection persistent._

-----

_Shown above: Folder in the user's AppData/Local/Temp directory._

_Shown above: File run by the AutoIT script engine, vje=wtl, as seen in a text editor._

-----

## INDICATORS

EMAIL DATA:

Date: Thursday, 2017-12-21 at 13:56 UTC

Subject: Invoice

From: "Helen Rowe"

Reply-To: "Helen Rowe"

Message-ID:

User-Agent: SquirrelMail/1.4.22

Attachment: Proforma invoice.doc

TRAFFIC:

148.164.124.20 port 443 - streetsave.club - GET /styles/break/beta.hta (HTTPS)

148.164.124.20 port 443 - regwide.club - GET /images/scale/nile.php (HTTPS)

148.164.124.20 port 443 - regwide.club - GET /images/scale/nite.exe (HTTPS)

185.62.190.214 port 1695 - darlz.freeddns.org - encrypted post-infection traffic caused by Remcos RAT

MALWARE AND ARTIFACTS FROM THE INFECTED WINDOWS HOST:

SHA256 hash: [1b78b77b4f571548df7d7a7e324bfe38425b901663906d91d7c5ec110a333a07](https://www.virustotal.com/#/file/1b78b77b4f571548df7d7a7e324bfe38425b901663906d91d7c5ec110a333a07/details)

File size: 332,066 bytes

File name: Proforma invoice.doc

File description: RTF document using CVE-2017-0199

SHA256 hash: [402517926305219d9d482063334b9955866fbeb7fadd5fe9e0f72cc04a112173](https://www.virustotal.com/#/file/402517926305219d9d482063334b9955866fbeb7fadd5fe9e0f72cc04a112173/detection)

File size: 1,243 bytes

File name: beta.hta

File description: HTML application (HTA) file to download the next-stage malware

SHA256 hash: [9717a2ec51316ca3b97d5c379e4b331e03e274dfd6de5433f3382b760f09b51b](https://www.virustotal.com/#/file/9717a2ec51316ca3b97d5c379e4b331e03e274dfd6de5433f3382b760f09b51b/detection)

File size: 999,301 bytes

File location: C:\Users\[username]\AppData\Roaming\foxread.exe

File description: Remcos RAT installer for the next stage of the infection

-----

SHA256 hash: [fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b](https://www.virustotal.com/#/file/fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b/detection)

File size: 750,320 bytes

File location: C:\Users\[username]\AppData\Local\Temp\58594949\mrk.exe

File description: AutoIT v3 script engine (version 3.3.8.1)

NOTE: This is a legitimate file. It is not inherently malicious.

SHA256 hash: [fd00256c375f5d744d73a7ddba571f1887779af042bd6cf7100533c68c461a33](https://www.virustotal.com/#/file/fd00256c375f5d744d73a7ddba571f1887779af042bd6cf7100533c68c461a33/detection)

File size: 3,092,687 bytes

File location: C:\Users\[username]\AppData\Local\Temp\58594949\vje=wtl

File description: AutoIT script file executed by mrk.exe

WINDOWS REGISTRY UPDATES:

```
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdate"="C:\\Users\\[username]\\AppData\\Local\\Temp\\58594949\\mrk.exe C:\\Users\\[username]\\AppData\\Local\\Temp\\58594949\\VJE_WT~1"

[HKEY_CURRENT_USER\Software\dizy-937GNR]
"EXEpath"=hex:a5,60,7c,77,81,d6,3f,89,8c,1b,1a,3f,d2,97,d8,f6,d6,4e,19,c2,2c,\
28,9b,08,4f,9c,14,72,41,7f,d2,5f,47,bb,e7,24,8c,64,f5,0f,44,91,cb,54,5f,1a,\
ba,bc,67,e6,94,1a,c0,54,66,67,c0,79,55,c1,8f,7c,29,3e,8a,08,bc,ed,f9,3f,5f,\
6d,17,22,66,b1,c8,c8,a3,e0,27,f2,ac,f3,82,3b,ed,3e,2a,69,56,21,8b,85,f4,c0,\
35,47,be,02,9f,d0,a0,c7,2a,f0,87,28,83,42,7c,97,2d,90,3b,c3
```

## FINAL NOTES

Once again, here are the associated files:

[2017-12-21-malspam-pushing-Remcos-RAT-1356-UTC.eml.zip 39.9 kB (39,888 bytes)](http://malware-traffic-analysis.net/2017/12/22/2017-12-21-malspam-pushing-Remcos-RAT-1356-UTC.eml.zip)

[2017-12-22-malspam-pushing-RemcosRAT.pcap.zip 1.0 MB (1,044,955 bytes)](http://malware-traffic-analysis.net/2017/12/22/2017-12-22-malspam-pushing-RemcosRAT.pcap.zip)

[2017-12-22-artifacts-from-Remcos-RAT-malspam-infection.zip 1.9 MB (1,875,694 bytes)](http://malware-traffic-analysis.net/2017/12/22/2017-12-22-artifacts-from-Remcos-RAT-malspam-infection.zip)

Zip and saz files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

[Click here to return to the main page.](http://malware-traffic-analysis.net/index.html)

-----
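The persistence mechanism listed under WINDOWS REGISTRY UPDATES (a Run entry launching the AutoIT engine from the user's Temp folder, plus a randomly-named key holding binary data) can be triaged from a registry export. The Python below is an added example, not code from the original post or from any tool it mentions: it parses a .reg-style text (a constructed, shortened copy of the page's two entries, with the `[username]` placeholder kept and the hex value truncated) and flags Run values whose command launches from a user-writable directory.

```python
import re
from typing import Dict, List

# Constructed sample: a shortened copy of the registry updates listed in the
# write-up (username placeholder kept; hex value cut to its first 16 bytes).
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdate"="C:\\Users\\[username]\\AppData\\Local\\Temp\\58594949\\mrk.exe C:\\Users\\[username]\\AppData\\Local\\Temp\\58594949\\VJE_WT~1"

[HKEY_CURRENT_USER\Software\dizy-937GNR]
"EXEpath"=hex:a5,60,7c,77,81,d6,3f,89,8c,1b,1a,3f,d2,97,d8,\
  f6
'''

RUN_KEY = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
# User-writable locations from which a Run entry should rarely launch.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\")


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg-style export into {key: {value_name: raw_value}}.
    Hex values continued with a trailing backslash are joined first."""
    text = re.sub(r",\\\r?\n\s*", ",", text)
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value
    return keys


def decode_string(raw: str) -> str:
    """Unescape a quoted REG_SZ value (backslash and quote escapes)."""
    return raw.strip('"').replace('\\"', '"').replace("\\\\", "\\")


def decode_hex(raw: str) -> bytes:
    """Decode a REG_BINARY value written as hex:aa,bb,..."""
    if not raw.lower().startswith("hex:"):
        raise ValueError("not a hex: value")
    return bytes(int(b, 16) for b in raw[4:].split(",") if b)


def suspicious_run_entries(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return Run value names whose command launches from a user-writable
    directory, as the write-up's AutoIT-engine persistence entry does."""
    hits = []
    for name, raw in keys.get(RUN_KEY, {}).items():
        if any(d in decode_string(raw).lower() for d in SUSPICIOUS_DIRS):
            hits.append(name)
    return hits
```

Run against a full `reg export HKCU ...` output, the same functions list every autorun that points into AppData, which is the review a responder would do on the infected host.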