
Remcos Malware Unpacking


Remcos, or Remote Control and Surveillance, is marketed as legitimate software by the Germany-based firm Breaking Security for remotely managing Windows systems, and is now widely used in multiple malicious campaigns by threat actors.

Sample info

Malware family: Remcos RAT

MD5 hash: 5E9770C2B22B03E5726285900AFAB954

Initial assessment

From the initial assessment of the malware in PE-Studio, it looks like:

  • This sample is a .NET sample

  • This sample contains the magic bytes “MZ”, which means it’s an executable

  • It follows the x32 architecture

By using DIE to analyze the entropy of each section, we can conclude that both the .text and .rsrc sections are packed.

Analysis

First, let’s start analyzing this file using dnSpy.

Resources

The first interesting things we can observe in this image are the “Costura” and “compressed” strings!

So the first question we should ask ourselves is: what is Costura?

Costura is an add-on for Fody, an extensible tool for weaving .NET assemblies; it is responsible for embedding dependencies as resources, and it loads itself using the same technique. Looking at its GitHub project https://github.com/Fody/Costura, the authors also clarify that “Embedded assemblies are compressed by default”, so the “compressed” string makes sense now.

By opening the “Campos.properties.resources” resource we can find:

  • As we clarified before, they are compressed, so there is no reason to inspect them directly. But as a heads-up, the malware may reside in one of them.

  • So we should keep track of the decompression/decryption and assembly-loading functions to be able to unpack it.

Execution analysis

  1. We can see there that it accesses the resource (MainWindow.nabexx + MainWindow.nabexx + MainWindow.nabexx == “XX” + ”XX” + “XX” == “XXXXXX”)

  2. It decrypts it using the AES algorithm, using the resource (XX) as the key

  3. Then it loads it into memory

By extracting the two resources (XX, XXXXXX) and using this simple Python script, we can check what is loaded into memory.

from Cryptodome.Cipher import AES  # pycryptodomex namespace

# "XX" holds the AES key and "XXXXXX" the encrypted assembly, both extracted with dnSpy
with open("XX", "rb") as fk:
    key = fk.read()

with open("XXXXXX", "rb") as bf:
    data = bf.read()

# The loader decrypts the resource with AES in ECB mode, using the "XX" resource as the key
cipher = AES.new(key, AES.MODE_ECB)

# Write the decrypted assembly to disk so it can be analyzed as a file
with open("file", "wb") as new_file:
    new_file.write(cipher.decrypt(data))
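After decryption, the post triages each layer in PE-Studio and DIE for the same facts (MZ magic, x32 architecture, EXE vs DLL, .NET vs native). As an added example, not code from the post, the following Python script performs those header checks directly on a decrypted blob such as the "file" written above, so each unpacked layer can be triaged before it is loaded; `build_sample` only constructs a minimal header as sample input for the demonstration.

```python
import struct

# Added example (not from the post): the checks the post makes by hand in
# PE-Studio/DIE at every layer (MZ magic, 32-bit, EXE vs DLL, .NET vs native).
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_DLL = 0x2000
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (.NET CLR header)

def triage_pe(data: bytes) -> dict:
    """Return is_pe / x86 / dll / dotnet for a decrypted blob, parsing only headers."""
    info = {"is_pe": False, "x86": False, "dll": False, "dotnet": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info  # no DOS header: wrong key, wrong mode or not the final layer
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrToSymTable, NumSyms, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    info["is_pe"] = True
    info["x86"] = machine == IMAGE_FILE_MACHINE_I386
    info["dll"] = bool(chars & IMAGE_FILE_DLL)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start 96 bytes into a PE32 optional header, 112 for PE32+
    clr = opt + (96 if magic == 0x10B else 112) + CLR_DIRECTORY_INDEX * 8
    if clr + 8 <= min(len(data), opt + opt_size):
        rva, size = struct.unpack_from("<II", data, clr)
        info["dotnet"] = rva != 0 and size != 0  # non-empty CLR header => managed code
    return info

def build_sample(dll: bool, dotnet: bool, machine: int = IMAGE_FILE_MACHINE_I386) -> bytes:
    """Constructed stand-in for an extracted layer: just enough header to triage."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    chars = 0x0102 | (IMAGE_FILE_DLL if dll else 0)  # EXECUTABLE_IMAGE | 32BIT_MACHINE
    opt = bytearray(224)  # PE32 optional header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + CLR_DIRECTORY_INDEX * 8, 0x2008, 0x48)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, len(opt), chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    import sys
    print(triage_pe(open(sys.argv[1], "rb").read()))  # e.g. the decrypted "file" from above
```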

Continuing the analysis

It looks like it calls function X from Class1, passing the loaded assembly to it.

Then it invokes the first method on the loaded assembly. By adding a watch on X.getMethods()[0], it looks like it invoked the function Void X() on class X of the loaded assembly.

Let’s go through the analysis of the extracted and loaded file.

Extracted file Analysis

File initial assessment

MD5 Hash : 544D12F82787E4453E68906610453093

Using PE-Studio, it looks like:

  • This sample is a .NET sample

  • This sample contains the magic bytes “MZ”; the file type is DLL

  • It follows the x32 architecture

By using DIE to analyze the entropy of each section, we can conclude that the .text section is packed.

Analysis

First, let’s start analyzing this file using dnSpy.

Resources

As we concluded in the previous sample, it could be using the same technique: there is something packed in these resources, which it decrypts and then loads into memory.

Execution analysis

As we concluded in the previous section, the function Void X() in class X was executed.

It passes the executed file to the main function residing in the LOL class.


For the second time, it is decrypting resources and loading them into memory. But life is too short to trace both unpacking functions, so we are going to replicate this code snippet in VSCode and extract both files by writing them to disk after decryption.

Analyzing Second file

File initial assessment

MD5 hash: 06BD2C0097E3CFC03B530BA1391846E3

Using PE-Studio, it looks like:

  • This sample contains the magic bytes “MZ”; the file type is DLL

  • It follows the x32 architecture

By using DIE to analyze the file, it looks like:

  • It’s a .NET sample

  • This file is not packed

Analysis

First, let’s start analyzing this file using dnSpy.

By checking the main function there, it looks like this DLL is loaded before the actual malware is unpacked, to check for active antivirus products and use that information to help the original malware avoid detection.

Analyzing third file

File initial assessment

MD5 hash: 5987997662571356AE78251EA3F44C5E

Using PE-Studio, it looks like:

  • This sample is a C++ sample

  • This sample contains the magic bytes “MZ”, and it’s an executable

  • It follows the x32 architecture

By using DIE to analyze the entropy of each section:

Then, finally, this is the unpacked malware.

This post is licensed under CC BY 4.0 by the author.