Last Updated: 2022-05-05 04:03:58 UTC
by Brad Duncan (Version: 1)
I haven't really looked into Remcos RAT lately, but I found an email with a password-protected Excel file attached to it. Further investigation revealed Remcos RAT 3.x activity remarkably similar to an infection chain reported by Fortinet last month. Today's diary reviews a Remcos RAT infection in my lab on Wednesday 2022-05-04.
Images from the investigation
[Image: Registry updates with license key used for at least one other recent Remcos RAT sample.]
Indicators of Compromise (IOCs)
- File size: 226,816 bytes
- File name: CNB Payment Advice.xls
- File description: password-protected Excel spreadsheet with macros for Remcos RAT
- Password: 34278
- Any.Run analysis: link

- File size: 2,060 bytes
- File location: hxxp://198.12.89[.]134/ADP/EFT.vbs
- File location: C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\credit.vbs
- File description: VBS file used for Remcos RAT infection

- File size: 84,480 bytes
- File type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- File description: DLL file converted from obfuscated script returned from hxxp://198.12.89[.]134/Accounts/Deposits.jpg
- File note: Did not find this saved to disk during the infection, and I don't know how it's run.
Traffic to retrieve file for Remcos RAT infection:
Remcos RAT C2 - TLSv1.3 traffic:
- 184.75.221[.]203 port 55026 - saptransmissions.dvrlists[.]com
Note: Shortly before the above C2 traffic, the infected Windows host generated a DNS query for google.com and an ICMP ping request and response to the associated IP address.
Keylog directory name: MAYB22
License used for this Remcos RAT sample: FDA2A20782EBD0A0B1004D41F9A29296
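As an added example (not part of the original diary), the connectivity check followed by C2 traffic noted above, written as a correlation rule over constructed Zeek-style records; the internal host 10.5.4.33, the timestamps and the google.com answer are assumed, while the C2 IP, port, domain and payload host come from the IOCs above.

```python
from datetime import datetime, timedelta

# Indicators from the diary, refanged for matching
C2_IPS = {"184.75.221.203"}
C2_DOMAINS = {"saptransmissions.dvrlists.com"}
PAYLOAD_HOSTS = {"198.12.89.134"}

# Constructed Zeek-style records (timestamp, kind, src, dst, detail); the internal
# host 10.5.4.33, the timestamps and the google.com answer are made up for the demo.
SAMPLE_EVENTS = [
    ("2022-05-04T15:01:02", "http", "10.5.4.33", "198.12.89.134", "GET /ADP/EFT.vbs"),
    ("2022-05-04T15:01:05", "http", "10.5.4.33", "198.12.89.134", "GET /Accounts/Deposits.jpg"),
    ("2022-05-04T15:01:40", "dns", "10.5.4.33", "10.5.4.1", "google.com A 142.250.72.14"),
    ("2022-05-04T15:01:41", "icmp", "10.5.4.33", "142.250.72.14", "echo request"),
    ("2022-05-04T15:01:41", "icmp", "142.250.72.14", "10.5.4.33", "echo reply"),
    ("2022-05-04T15:01:43", "dns", "10.5.4.33", "10.5.4.1", "saptransmissions.dvrlists.com A 184.75.221.203"),
    ("2022-05-04T15:01:44", "tls", "10.5.4.33", "184.75.221.203:55026", "TLSv1.3 client hello"),
]


def correlate(events, window=timedelta(seconds=120)):
    """Return one finding per source host that shows the diary's sequence:
    DNS for google.com -> ICMP echo to the answered IP -> TLS to a known C2 IP,
    all within `window`. Payload fetches and C2 DNS lookups are added as context."""
    findings = []
    state_by_host = {}
    for ts, kind, src, dst, detail in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        st = state_by_host.setdefault(src, {"reasons": []})
        if kind == "http" and dst in PAYLOAD_HOSTS:
            st["reasons"].append(f"{ts} payload fetch from {dst}: {detail}")
        elif kind == "dns":
            name, _, answer = detail.split()
            if name == "google.com":                     # connectivity check starts
                st["probe_ip"], st["probe_t"] = answer, t
            elif name in C2_DOMAINS:
                st["reasons"].append(f"{ts} DNS for C2 domain {name} -> {answer}")
        elif kind == "icmp" and dst == st.get("probe_ip") and t - st["probe_t"] <= window:
            st["pinged_t"] = t                           # echo to the google.com answer
        elif kind == "tls":
            ip, _, port = dst.partition(":")
            if ip in C2_IPS and "pinged_t" in st and t - st["pinged_t"] <= window:
                st["reasons"].append(f"{ts} TLS to C2 {ip}:{port} right after the google.com check")
                findings.append({"host": src, "reasons": list(st["reasons"])})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["host"])
        for r in f["reasons"]:
            print("  " + r)
```

The google.com lookup and ping alone are benign on most hosts, so the rule only fires when the TLS connection to the known C2 address follows them inside the window.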
Malware based on Remcos RAT was first reported in 2017. As 2022 continues, I expect Remcos RAT will continue to be part of our threat landscape.
brad [at] malware-traffic-analysis.net