11 minutes read

Remcos Remote Control - Control remotely your computers, anywhere in the world.

I’m using the free version of Remcos and using MPRESS as a packer.

You can download sample from hybrid-analysis.com

As wee see it’s packed with MPRESS:

Let’s look at it’s behavior, procmon:

It creates folder remcos and PE file named remcos.exe in %APPDATA% directory, remcos uses Run key as persistence method, also creates file called install.bat in %TEMP% directory.

From hybrid-analysis we get almost same information:

install.bat pings C&C, executes remcos.exe from %APPDATA% directory, and removes itself:

After this, we can connect to our C&C, we control the machine:

Let’s dive deep and open in IDA Pro :

What?! such a few functions, suspicious entry point, few imports, high entropy, they are signs of the packed executable:

Let’s open in x32dbg and unpack it.

MPRESS makes programs and libraries smaller, and decrease start time when the application loaded from a slow removable media or from the network.

MPRESS is a generic packer, it’s not created for protecting applications, because of it, it’s very easy to unpack apps packed with it.

At the entry point, there is pushad instruction, it’s very common for packers, such as UPX , it saves all register values at the stack and after unpacking application it restores using popa(d) instruction.

There are many ways to unpack such packed files, let’s use one of them, after saving register values at the stack, set the hardware breakpoint at any pushed register values and run:

…and we hit popad instruction:

Let’s follow to jmp , probably there are unpacked instructions:

There is except_handler3 from C++ and several other normal functions. Seems like it’s unpacked.

Let’s dump it using x32dbg ’s built-in plugin Scylla .

Plugin->Scylla->IAT Autosearch->Get Imports->Dump->Fix Dump

…and open in IDA pro :

There are WinMain and std functions, it’s unpacked, you can download unpacked version from hyberid-analysis.

Open unpacked sample in IDA pro and dive deep.

In WinMain function it checks command line arguments, and if there is -l option it creates lic.txt file:

At 00403BC7 it creates Mutex, and if there is one, it terminates itself:

At 00403BDE gets function addresses using LoadLibraryA , GetProcAddress , at 00403C09 gets product name from SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName , at 00403C28 checks if process is under 64-bit windows:

Checks if the process is executed with admin privileges:

Possibly, RAT will send this information to C&C.

Seems like at 00403D5D function gets directory path based on configuration:

Function at 00403DEB creates directory remcos and copies file into it:

Creates install.bat in %TEMP% directory:

…and fills with following code:

After successfull execuation application exits:

install.bat creates new instance of remcos.exe from %APPDATA% directory:

If we want to get information what happens when install.bat executes remcos.exe we must patch instruction at 00403D7A or manualy jump to loc_403DFA :

At 00403E82 function adds one more entry in registry:

Seems like the value of EXEpath is the encrypted path to original executable:

Before encrypt:

Before set value:

Application disables DEP and calls function which is some kind of loop:

Let’s see what’s inside function, which is called at 00403F14 . Seems like it set ups connection:

The most important call is at 00406277 :

recv_and_exec function recievs commands and executes them:

lpStartAddress is passed as an argument to recv_and_exec , let’s investigate it, RunCommands function at 00406371 is a core of the RAT, it executes commands from C&C. It’s C&C panel:

RunCommands is kind of switch statement, there are following possible values: filemgr, downloadfromurltofile, downloadfromlocaltofile, getproclist, prockill, getwindows, closewindow, maxwindow, restorewindow, closeprocfromwindow, execcom, consolecmd, openaddress, initializescrcap, freescrcap, deletefile, close, uninstall, updatefromurl, updatefromlocal, msgbox, keyinput, mclick, OSpower, getclipboard, setclipboard, emptyclipboard, dlldata, dllurl, initfun, initremscript, initregedit, renamebck, initsocks, SetSuspendState.

Let’s investagete some of them.

filemgr uses FindFirstFileW , FindNextFileW to list files:

inside filemgr there are several other commands, such as newfolder , upload , download etc.

C&C:

downloadfromurltofile downloads from url and executes it:

downloadfromurltofile downloads file from C&C, saves to %TEMP% directory and executes it:

C&C:

getproclist lists processes using CreateToolhelp32Snapshot , Process32FirstW , Process32NextW functions:

prockill determines a process using TetermineProcess function:

getwindows, closewindow, maxwindow, restorewindow, closeprocfromwindow used to manipuate windows:

execcom executes commands:

consolecmd to get command prompt:

openaddress opens web-page:

initializescrcap uses many image functions(msdn) and used to capture screen. freescrcap is called when we close Capture window at C&C panel:

deletefile and close are easy to guess:

uninstall removes value from Run key:

Creates Uninstall.bat in %TEMP% directory and runs it:

updatefromurl downloads file from internet and changes all old files and registry entries:

..and runs update.bat :

updatefromlocal is almost same as updatefromurl:

msgbox calls MessageBoxA :

I think keyinput and mclick are used in keylogger, which is not available in free edition:

getclipboard, setclipboard, emptyclipboard are used to do corresponding work:

dlldata and dllurl are used to download dll from attackers machine and from internet:

…and injects without writting on the disk using CreateFileMappingA and MapViewOfFileEx :

I think it uses reflective dll injection, LoadLibrarA and GetProcAddress are used to get imports for injected dll :

initregedit is used to done things in registry:

Uses functions from Shlwapi.dll to manipulate registry:

initremscript is used to execute scripts from C&C:

Execute VBScript :

renamebck is used to change a value of name key at Software\Remcos-MUTEXval , which is used as ID:

OSpower is used to sleep, shut down, log off, hibernate, restart infected machine.

sleep using SetSuspendState :

Shut down using ExitWindowsEx :

initsocks is used to get SOCKS proxy:

Let’s see how it sends files and information. That’s data before encryption routine:

That’s encryption routine:

That’s data after encryption:

We can inject into malicious application and see data before send using Echo Mirage :

That’s same data.

Maybe I overlook something, due to my limited knowledge, if you find something interesting please contact me.

That’s all. I’m new to reversing malware and any kind of feedback will be helpful for me.

Twitter: @_qaz_qaz