
Remcos RAT


Remcos Remote Control - Control remotely your computers, anywhere in the world.


I’m using the free version of Remcos and MPRESS as a packer.

[Figure: remcos]

You can download the sample from hybrid-analysis.com.

As we can see, it’s packed with MPRESS:

[Figure: protID]

Let’s look at its behavior with procmon:

[Figure: procmon]

It creates a folder named remcos and a PE file named remcos.exe in the %APPDATA% directory; Remcos uses the Run key as its persistence method, and it also creates a file called install.bat in the %TEMP% directory.

From hybrid-analysis we get almost the same information:

[Figure: hybrid-analysis]

install.bat pings the C&C, executes remcos.exe from the %APPDATA% directory, and removes itself:

[Figure: install.bat]
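The persistence chain described above (a copy of the executable dropped under %APPDATA%\remcos, a Run key value pointing at it, and an install.bat in %TEMP% that pings and then starts the copy) is a good detection target, because each step shows up in process, file and registry telemetry. The following script is an added example and not code from the original post: it correlates Sysmon-style events for the three steps and alerts when at least two of them are seen together. The event records are constructed (hypothetical paths, PIDs and a TEST-NET address), and the field names are my own, not those of any particular log format.

```python
"""Detect the Remcos-style dropper chain from process/file/registry events.

Added example, not code from the original post. EVENTS and BENIGN_EVENTS are
constructed, Sysmon-style dicts (one per telemetry line); paths, PIDs and the
192.0.2.10 address are hypothetical.
"""
import re

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.I)
APPDATA_RE = re.compile(r"\\AppData\\Roaming\\", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
BAT_IN_CMDLINE_RE = re.compile(r'([a-z]:\\[^"]+?\.bat)', re.I)

EVENTS = [  # constructed: a first stage installs remcos.exe and stages install.bat
    {"t": 1, "type": "ProcessCreate", "pid": 100, "ppid": 50,
     "image": r"C:\Users\victim\Downloads\invoice.exe", "cmdline": "invoice.exe"},
    {"t": 2, "type": "FileCreate", "pid": 100,
     "target": r"C:\Users\victim\AppData\Roaming\remcos\remcos.exe"},
    {"t": 3, "type": "RegistrySet", "pid": 100,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\remcos",
     "data": r"C:\Users\victim\AppData\Roaming\remcos\remcos.exe"},
    {"t": 4, "type": "FileCreate", "pid": 100,
     "target": r"C:\Users\victim\AppData\Local\Temp\install.bat"},
    {"t": 5, "type": "ProcessCreate", "pid": 101, "ppid": 100,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c "C:\Users\victim\AppData\Local\Temp\install.bat"'},
    {"t": 6, "type": "ProcessCreate", "pid": 102, "ppid": 101,
     "image": r"C:\Windows\System32\PING.EXE", "cmdline": "ping 192.0.2.10"},
    {"t": 7, "type": "ProcessCreate", "pid": 103, "ppid": 101,
     "image": r"C:\Users\victim\AppData\Roaming\remcos\remcos.exe", "cmdline": "remcos.exe"},
    {"t": 8, "type": "FileDelete", "pid": 101,
     "target": r"C:\Users\victim\AppData\Local\Temp\install.bat"},
]

BENIGN_EVENTS = [  # constructed noise that touches the same mechanisms legitimately
    {"t": 1, "type": "RegistrySet", "pid": 200,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"C:\Program Files\Vendor\Updater.exe"},
    {"t": 2, "type": "ProcessCreate", "pid": 201, "ppid": 200,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r'cmd /c "C:\scripts\build.bat"'},
]


def detect_dropper_chain(events):
    """Correlate three signals: a Run value pointing into %APPDATA%, a cmd.exe
    running a %TEMP% .bat that its own parent just wrote, and an executable
    under %APPDATA% started by that batch. Two distinct signals raise an alert."""
    findings = []
    dropped = {}      # lower-cased file path -> pid that created it
    bat_runner = {}   # pid of a cmd.exe -> %TEMP% batch file it is running
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "FileCreate":
            dropped[ev["target"].lower()] = ev["pid"]
        elif ev["type"] == "RegistrySet" and RUN_KEY_RE.search(ev["key"]):
            if APPDATA_RE.search(ev["data"]):
                findings.append(("run_key_appdata", ev["pid"], ev["data"]))
        elif ev["type"] == "ProcessCreate":
            m = BAT_IN_CMDLINE_RE.search(ev["cmdline"])
            if ev["image"].lower().endswith("\\cmd.exe") and m and TEMP_RE.search(m.group(1)):
                bat_runner[ev["pid"]] = m.group(1)
                if dropped.get(m.group(1).lower()) == ev["ppid"]:
                    findings.append(("temp_bat_from_dropper", ev["pid"], m.group(1)))
            if APPDATA_RE.search(ev["image"]) and ev["ppid"] in bat_runner:
                findings.append(("appdata_exe_launched_by_bat", ev["pid"], ev["image"]))
    signals = {f[0] for f in findings}
    return {"findings": findings, "signals": sorted(signals), "alert": len(signals) >= 2}


if __name__ == "__main__":
    for label, evs in (("sample", EVENTS), ("benign", BENIGN_EVENTS)):
        result = detect_dropper_chain(evs)
        print(label, "alert:", result["alert"], "signals:", result["signals"])
        for name, pid, detail in result["findings"]:
            print("  ", name, "pid", pid, detail)
```

The ping child process is deliberately not a signal on its own: batch files that ping before starting something are common in benign installers, and the value of this rule lies in tying the Run key, the %TEMP% batch file and the %APPDATA% executable back to the same dropper process.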

After this, we can connect to our C&C and control the machine.

Let’s dive deeper and open it in IDA Pro:

[Figure: ida]

What?! Only a few functions, a suspicious entry point, few imports and high entropy: these are the signs of a packed executable:

[Figure: imports]

[Figure: entropy]
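The packer signs listed above (few imports, an entry point outside the normal code section, high entropy) can be checked mechanically before opening a debugger. The following script is an added example and not code from the original post: it parses the PE section table, computes per-section Shannon entropy and reports which section holds the entry point. It builds its own constructed PE32 images in memory, one laid out like an MPRESS-packed file with .MPRESS1/.MPRESS2 sections and one like ordinary compiler output, so the section names, sizes and bytes are assumptions, not values taken from the sample.

```python
"""Packer triage: per-section entropy plus entry-point placement.

Added example, not code from the original post. It builds two small,
constructed PE32 images in memory (one mimicking an MPRESS layout with
.MPRESS1/.MPRESS2 sections, one mimicking plain compiler output) so it
runs offline; for a real sample use open(path, "rb").read() instead.
"""
import math
import random
import struct


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 for empty or constant input, 8.0 max)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(pe):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32 image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    # COFF header: Machine, NumberOfSections, ..., SizeOfOptionalHeader, Characteristics
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    opt = e_lfanew + 24
    entry = struct.unpack_from("<I", pe, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, ptr = struct.unpack_from("<8sIIII", pe, off)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "ptr": ptr})
    return entry, sections


def triage(pe, threshold=7.0):
    """Flag two packer signs: high section entropy and an entry point that
    lies outside the usual code section. Two findings together mean 'packed'."""
    entry, sections = parse_pe(pe)
    findings, entry_section = [], None
    for s in sections:
        s["entropy"] = shannon_entropy(pe[s["ptr"]:s["ptr"] + s["rawsize"]])
        if s["va"] <= entry < s["va"] + max(s["vsize"], s["rawsize"]):
            entry_section = s["name"]
        if s["entropy"] > threshold:
            findings.append(f"high entropy in {s['name']}: {s['entropy']:.2f}")
    if entry_section not in (".text", "CODE"):
        findings.append(f"entry point 0x{entry:x} is in {entry_section!r}, not .text")
    return {"entry_section": entry_section, "sections": sections,
            "findings": findings, "looks_packed": len(findings) >= 2}


def build_fake_pe(sections):
    """Constructed PE32 builder: sections = [(name, raw_bytes, holds_entry)]."""
    file_align, sect_align, headers_size, e_lfanew = 0x200, 0x1000, 0x400, 0x80
    raws = [data + b"\x00" * (-len(data) % file_align) for _, data, _ in sections]
    va, raw_ptr, entry_rva, sect_hdrs = sect_align, headers_size, 0, b""
    for (name, data, holds_entry), raw in zip(sections, raws):
        if holds_entry:
            entry_rva = va
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name[:8].ljust(8, b"\x00"), len(data),
                                 va, len(raw), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(raw)
        va += -(-len(raw) // sect_align) * sect_align
    dos = (b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)         # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    headers = (dos + b"PE\x00\x00" + coff + bytes(opt) + sect_hdrs).ljust(headers_size, b"\x00")
    return headers + b"".join(raws)


# Constructed inputs: a seeded random blob stands in for compressed code, a
# pushad/nop/popad run for a decompression stub, repeated prologues for real code.
_rng = random.Random(1)
PACKED = build_fake_pe([
    (b".MPRESS1", bytes(_rng.randrange(256) for _ in range(4096)), False),
    (b".MPRESS2", b"\x60" + b"\x90" * 200 + b"\x61", True),
])
BENIGN = build_fake_pe([
    (b".text", b"\x55\x8b\xec" * 300 + b"\xc3" * 100, True),
    (b".data", b"Hello, world\x00" * 40, False),
])

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("benign", BENIGN)):
        r = triage(image)
        print(label, "entry in", r["entry_section"], "packed?", r["looks_packed"])
        for f in r["findings"]:
            print("  -", f)
```

A high-entropy section on its own is weak evidence (resources and embedded certificates are also high-entropy), which is why the verdict requires two independent signs; on a real file the import count from the import directory would be the natural third sign.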

Let’s open it in x32dbg and unpack it.

MPRESS makes programs and libraries smaller and decreases start time when the application is loaded from slow removable media or from the network.

MPRESS is a generic packer; it was not created for protecting applications, so it is very easy to unpack apps packed with it.

At the entry point there is a pushad instruction, which is very common for packers such as UPX: it saves all register values on the stack, and after unpacking the application it restores them using the popa(d) instruction:

[Figure: x32dbg]

There are many ways to unpack such files; let’s use one of them. After the register values are saved on the stack, set a hardware breakpoint on any of the pushed register values and run:

[Figure: unpack]

…and we hit the popad instruction.

Let’s follow the jmp; probably the unpacked instructions are there.

There is except_handler3 from the C++ runtime and several other normal functions. It seems it’s unpacked.

Let’s dump it using x32dbg’s built-in plugin Scylla:

Plugin->Scylla->IAT Autosearch->Get Imports->Dump->Fix Dump

[Figure: dump]

…and open it in IDA Pro.

There are WinMain and std functions, so it’s unpacked; you can download the unpacked version from hybrid-analysis.

Open the unpacked sample in IDA Pro and dive deep.

In the WinMain function it checks the command line arguments, and if there is a -l option it creates a lic.txt file.

At 00403BC7 it creates a mutex, and if one already exists, it terminates itself.

At 00403BDE it gets function addresses using LoadLibraryA and GetProcAddress; at 00403C09 it gets the product name from SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName; at 00403C28 it checks whether the process is running under 64-bit Windows:

[Figure: productname]

It checks if the process is executed with admin privileges.

Possibly, the RAT will send this information to the C&C.

It seems that at 00403D5D the function gets the directory path based on the configuration.

The function at 00403DEB creates the directory remcos and copies the file into it.

It creates install.bat in the %TEMP% directory and fills it with the batch commands shown earlier (ping the C&C, start remcos.exe from %APPDATA%, delete itself).

After successful execution the application exits.

install.bat creates a new instance of remcos.exe from the %APPDATA% directory.

If we want to see what happens when install.bat executes remcos.exe, we must patch the instruction at 00403D7A or manually jump to loc_403DFA.

At 00403E82 the function adds one more entry to the registry.

It seems the value of EXEpath is the encrypted path to the original executable; compare the buffer before encryption with the one passed to the set-value call.

The application disables DEP and calls a function which is some kind of loop.

Let’s see what’s inside the function called at 00403F14. It seems it sets up the connection.

The most important call is at 00406277.

The recv_and_exec function receives commands and executes them.

lpStartAddress is passed as an argument to recv_and_exec, so let’s investigate it. The RunCommands function at 00406371 is the core of the RAT: it executes the commands issued from the C&C panel.

RunCommands is a kind of switch statement over the command name; the possible values are: filemgr, downloadfromurltofile, downloadfromlocaltofile, getproclist, prockill, getwindows, closewindow, maxwindow, restorewindow, closeprocfromwindow, execcom, consolecmd, openaddress, initializescrcap, freescrcap, deletefile, close, uninstall, updatefromurl, updatefromlocal, msgbox, keyinput, mclick, OSpower, getclipboard, setclipboard, emptyclipboard, dlldata, dllurl, initfun, initremscript, initregedit, renamebck, initsocks, SetSuspendState.

Let’s investigate some of them.

  • filemgr uses FindFirstFileW and FindNextFileW to list files.

Inside filemgr there are several other subcommands, such as newfolder, upload, download, etc.

[Figure: file manager in the C&C panel]

  • downloadfromurltofile downloads a file from a URL and executes it; downloadfromlocaltofile downloads the file from the C&C, saves it to the %TEMP% directory and executes it.

[Figure: download in the C&C panel]

  • getproclist lists processes using the CreateToolhelp32Snapshot, Process32FirstW and Process32NextW functions.

  • prockill terminates a process using the TerminateProcess function.

  • getwindows, closewindow, maxwindow, restorewindow and closeprocfromwindow are used to manipulate windows.

  • execcom executes commands.

  • consolecmd gives a command prompt:

[Figure: capture]

  • openaddress opens a web page.

  • initializescrcap uses many image functions (see MSDN) and is used to capture the screen. freescrcap is called when we close the Capture window in the C&C panel.

  • deletefile and close are easy to guess.

  • uninstall removes the value from the Run key, creates Uninstall.bat in the %TEMP% directory and runs it.

  • updatefromurl downloads a file from the internet, replaces all the old files and registry entries, and runs update.bat.

  • updatefromlocal is almost the same as updatefromurl.

  • msgbox calls MessageBoxA.

  • I think keyinput and mclick are used by the keylogger, which is not available in the free edition.

  • getclipboard, setclipboard and emptyclipboard do the corresponding clipboard work.

  • dlldata and dllurl are used to download a DLL from the attacker’s machine and from the internet respectively, and inject it without writing to disk, using CreateFileMappingA and MapViewOfFileEx. I think it uses reflective DLL injection; LoadLibraryA and GetProcAddress are used to resolve the imports of the injected DLL.

  • initregedit is used to do things in the registry; it uses functions from Shlwapi.dll to manipulate the registry.

  • initremscript is used to execute scripts from the C&C, for example VBScript.

  • renamebck is used to change the value of the name key under Software\Remcos-MUTEXval, which is used as the ID.

  • OSpower is used to sleep, shut down, log off, hibernate or restart the infected machine: sleep uses SetSuspendState, shut down uses ExitWindowsEx.

  • initsocks is used to get a SOCKS proxy.
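The command vocabulary and on-disk artifacts described above are stable enough to triage an unpacked dump from its strings alone. The following script is an added example and not code from the original post: it extracts ASCII and UTF-16LE strings from a byte blob, matches them against the command names listed above and the artifacts mentioned in the write-up (remcos.exe, install.bat, EXEpath, Software\Remcos- and so on), and summarises the capabilities implied by the matched commands. The capability grouping is my own reading of the command descriptions, and SAMPLE is a constructed blob standing in for a dumped image.

```python
"""Strings-based triage of an unpacked Remcos dump.

Added example, not code from the original post. COMMANDS and ARTIFACTS come
from the write-up; CAPABILITIES is my own grouping of those commands; SAMPLE
is a constructed byte blob standing in for a dumped image.
"""
import re

COMMANDS = [
    "filemgr", "downloadfromurltofile", "downloadfromlocaltofile", "getproclist",
    "prockill", "getwindows", "closewindow", "maxwindow", "restorewindow",
    "closeprocfromwindow", "execcom", "consolecmd", "openaddress", "initializescrcap",
    "freescrcap", "deletefile", "close", "uninstall", "updatefromurl", "updatefromlocal",
    "msgbox", "keyinput", "mclick", "OSpower", "getclipboard", "setclipboard",
    "emptyclipboard", "dlldata", "dllurl", "initfun", "initremscript", "initregedit",
    "renamebck", "initsocks", "SetSuspendState",
]
CAPABILITIES = {
    "file system": {"filemgr", "deletefile", "downloadfromurltofile", "downloadfromlocaltofile"},
    "process control": {"getproclist", "prockill", "execcom", "consolecmd"},
    "window control": {"getwindows", "closewindow", "maxwindow", "restorewindow",
                       "closeprocfromwindow"},
    "screen capture": {"initializescrcap", "freescrcap"},
    "clipboard": {"getclipboard", "setclipboard", "emptyclipboard"},
    "in-memory dll injection": {"dlldata", "dllurl"},
    "scripting": {"initremscript"},
    "registry": {"initregedit"},
    "socks proxy": {"initsocks"},
    "input injection": {"keyinput", "mclick"},
    "power control": {"OSpower", "SetSuspendState"},
    "self-update / uninstall": {"uninstall", "updatefromurl", "updatefromlocal", "renamebck"},
    "web / ui": {"openaddress", "msgbox"},
}
ARTIFACTS = ["remcos.exe", "install.bat", "Uninstall.bat", "update.bat",
             "lic.txt", "EXEpath", "Software\\Remcos-"]

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")          # 4+ printable bytes
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")   # 4+ UTF-16LE Latin chars


def extract_strings(blob):
    """Minimal 'strings': ASCII runs plus UTF-16LE runs, returned as str."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in WIDE_RE.finditer(blob)]
    return found


def triage_strings(blob, min_commands=8):
    """Match extracted strings against the Remcos vocabulary and artifacts.
    Short generic tokens such as 'close' match easily, so the verdict needs
    many commands plus at least one artifact before calling it Remcos."""
    lowered = {s.lower() for s in extract_strings(blob)}
    commands = {c for c in COMMANDS if c.lower() in lowered}
    artifacts = [a for a in ARTIFACTS if any(a.lower() in s for s in lowered)]
    capabilities = sorted(cap for cap, toks in CAPABILITIES.items() if toks & commands)
    if len(commands) >= min_commands and artifacts:
        verdict = "likely Remcos"
    elif commands or artifacts:
        verdict = "suspicious"
    else:
        verdict = "no indicators"
    return {"commands": sorted(commands), "artifacts": artifacts,
            "capabilities": capabilities, "verdict": verdict}


def _wide(s):
    return s.encode("utf-16-le")


# Constructed stand-in for a dumped image: header-ish bytes, a run of
# NUL-separated ASCII command names, two wide strings and one batch file name.
SAMPLE = (
    b"MZ\x90\x00\x03" + bytes(range(32))
    + b"\x00".join(c.encode() for c in [
        "filemgr", "getproclist", "prockill", "execcom", "initializescrcap",
        "dlldata", "dllurl", "initsocks", "getclipboard", "uninstall"])
    + b"\x00\x00" + _wide("Software\\Remcos-") + b"\x00\x00"
    + _wide("EXEpath") + b"\x00\x00" + b"install.bat\x00" + b"\xff" * 16
)

if __name__ == "__main__":
    report = triage_strings(SAMPLE)
    print(report["verdict"], "-", len(report["commands"]), "commands, artifacts:",
          report["artifacts"])
    for cap in report["capabilities"]:
        print("  capability:", cap)
```

Run it on the Scylla dump rather than the packed file: as the post shows, the packed image has high entropy and almost no readable strings, so this check only makes sense after unpacking.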

Let’s see how it sends files and information. This is the data before the encryption routine:

[Figure: send data before encryption]

This is the encryption routine:

[Figure: encryption function]

This is the data after encryption:

[Figure: send data after encryption]

We can inject into the malicious application and see the data before it is sent using Echo Mirage:

[Figure: Echo Mirage capture]

It’s the same data.

Maybe I overlooked something due to my limited knowledge; if you find something interesting, please contact me.

That’s all. I’m new to reversing malware and any kind of feedback will be helpful for me.

Twitter: @_qaz_qaz