Remcos RAT10 minutes read
Remcos Remote Control -
Control remotely your computers, anywhere in the world.
I’m using the free version of
Remcos and using
MPRESS as a packer.
You can download sample from hybrid-analysis.com
As wee see it’s packed with MPRESS:
Let’s look at it’s behavior, procmon:
It creates folder
remcos and PE file named
Run key as persistence method, also creates file called
hybrid-analysis we get almost same information:
install.bat pings C&C, executes
%APPDATA% directory, and removes itself:
After this, we can connect to our C&C, we control the machine:
Let’s dive deep and open in
What?! such a few functions, suspicious entry point, few imports, high entropy, they are signs of the packed executable:
Let’s open in
x32dbg and unpack it.
MPRESS makes programs and libraries smaller, and decrease start time when the application loaded from a slow removable media or from the network.
MPRESS is a generic packer, it’s not created for protecting applications, because of it, it’s very easy to unpack apps packed with it.
At the entry point, there is
pushad instruction, it’s very common for packers, such as
it saves all register values at the stack and after unpacking application it restores using
There are many ways to unpack such packed files, let’s use one of them, after saving register values at the stack, set the hardware breakpoint at any pushed register values and run:
…and we hit
Let’s follow to
jmp, probably there are unpacked instructions:
C++ and several other normal functions. Seems like it’s unpacked.
Let’s dump it using
x32dbg’s built-in plugin
Plugin->Scylla->IAT Autosearch->Get Imports->Dump->Fix Dump
…and open in
std functions, it’s unpacked, you can download unpacked version from hyberid-analysis.
Open unpacked sample in
IDA pro and dive deep.
WinMain function it checks command line arguments, and if there is
-l option it creates
00403BC7 it creates Mutex, and if there is one, it terminates itself:
00403BDE gets function addresses using
00403C09 gets product name from
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName, at
00403C28 checks if process is under 64-bit windows:
Checks if the process is executed with admin privileges:
Possibly, RAT will send this information to C&C.
Seems like at
00403D5D function gets directory path based on configuration:
00403DEB creates directory
remcos and copies file into it:
…and fills with following code:
After successfull execuation application exits:
install.bat creates new instance of
If we want to get information what happens when
remcos.exe we must patch instruction at
00403D7A or manualy jump to
00403E82 function adds one more entry in registry:
Seems like the value of
EXEpath is the encrypted path to original executable:
Before set value:
DEP and calls function which is some kind of loop:
Let’s see what’s inside function, which is called at
Seems like it set ups connection:
The most important call is at
recv_and_exec function recievs commands and executes them:
lpStartAddress is passed as an argument to
recv_and_exec, let’s investigate it,
RunCommands function at
00406371 is a core of the RAT, it executes commands from C&C.
It’s C&C panel:
RunCommands is kind of switch statement, there are following possible values: filemgr, downloadfromurltofile, downloadfromlocaltofile, getproclist, prockill, getwindows, closewindow, maxwindow, restorewindow, closeprocfromwindow, execcom, consolecmd, openaddress, initializescrcap, freescrcap, deletefile, close, uninstall, updatefromurl, updatefromlocal, msgbox, keyinput, mclick, OSpower, getclipboard, setclipboard, emptyclipboard, dlldata, dllurl, initfun, initremscript, initregedit, renamebck, initsocks, SetSuspendState.
Let’s investagete some of them.
- filemgr uses
FindNextFileWto list files:
inside filemgr there are several other commands, such as
- downloadfromurltofile downloads from url and executes it:
downloadfromurltofile downloads file from C&C, saves to %TEMP% directory and executes it:
- getproclist lists processes using
- prockill determines a process using
- getwindows, closewindow, maxwindow, restorewindow, closeprocfromwindow used to manipuate windows:
- execcom executes commands:
- consolecmd to get command prompt:
- openaddress opens web-page:
- initializescrcap uses many image functions(msdn) and used to capture screen. freescrcap is called when we close Capture window at C&C panel:
- deletefile and close are easy to guess:
- uninstall removes value from
Uninstall.bat in %TEMP% directory and runs it:
- updatefromurl downloads file from internet and changes all old files and registry entries:
- updatefromlocal is almost same as updatefromurl:
- msgbox calls
- I think keyinput and mclick are used in keylogger, which is not available in free edition:
- getclipboard, setclipboard, emptyclipboard are used to do corresponding work:
- dlldata and dllurl are used to download
dllfrom attackers machine and from internet:
…and injects without writting on the disk using
I think it uses reflective
GetProcAddress are used to get imports for injected
- initregedit is used to done things in registry:
Uses functions from
Shlwapi.dll to manipulate registry:
- initremscript is used to execute scripts from C&C:
- renamebck is used to change a value of
Software\Remcos-MUTEXval, which is used as ID:
- OSpower is used to sleep, shut down, log off, hibernate, restart infected machine.
Shut down using
- initsocks is used to get SOCKS proxy:
Let’s see how it sends files and information. That’s data before encryption routine:
That’s encryption routine:
That’s data after encryption:
We can inject into malicious application and see data before send using
That’s same data.
Maybe I overlook something, due to my limited knowledge, if you find something interesting please contact me.
That’s all. I’m new to reversing malware and any kind of feedback will be helpful for me.