2024-01-14 Remcos RAT Infection

Summary ========= The last time I “published” anything was about a 1.8 years or so ago. So in the spirit of New Years resolutions to myself it really has come time for me to get back on the horse and get back into some sort of posting again. So let’s jump into an alert that I came across for what looks to be Remcos RAT. Link to the artifacts from this investigation can be found over at my Github here which also includes the output from the two URLs seen in the VB script. The memory dump of the Remcos…

Continue reading

2020-05-27 Netsupport RAT Malspam

Summary ======== Yesterday when reviewing the spam filters I found an email with a malicious attachment (.slk file) that setups the system to be infected with what looks to be a NetSupport RAT (based on the information found in the PCAP). I Checked the usual OSINT resources (ie: Hybrid Analysis, Malshare, MalwareBazaar, Anyrun, URLHaus, VT) for the hash of the attachment. Unfortunately there were no hits or results found. The initial link also had no hits yesterday either. The only hit from this malware was for the IP address 207.148.12.140 but that was in the forms of passive DNS results….

Continue reading

2019-08-23 WSHRat Javascript de-obfuscation

Special thanks to one of my colleagues and @nazywam on Twitter that helped me with this. The Twitter thread about this can be found here. To obtain the Javascript file, see the Any.Run link here. The other day (2019-08-20) while looking at caught emails in the SPAM folder, I came across this malspam that was referencing a request for quote (ala: RFQ). The email had an attachment to it that was Gzipped. Unzipping it I saw there was a nicely obfuscated Javascript file. Opening it up and looking through it, there was some clear text code that follows after a…

Continue reading

2019-07-17 AveMaria InfoStealer/RAT with interesting UAC bypass

I came across this sample yesterday via my usual method – the email filters. The email is your pretty standard stuff acting as a proposal for an order. Once you open the zip file, there is an executable. From here, the fun began. For the artifacts/logs/PCAP from this analysis, please see my Github repo for this here. IOCs: ===== respainc.duckdns.org / 79.134.225.51:28 (TCP) 8.8.8.8:53 (TCP) Artifacts: ========== Microsoft.exe/Quotation.exe a07a5a3100544aceeade42e743218e6a http://www.virustotal.com/gui/file/a52f455f897f54af3e3d1505e686d391171d2f981ba7971b63cc491708b12fee/detection First Submission 2019-07-16 10:12:09 28/67 engines detected this file Path: C:\Users%USERNAME%\AppData\Roaming | %TEMP% dismcore.dll 6b906764a35508a7fd266cdd512e46b1 http://www.virustotal.com/gui/file/fc0c90044b94b080f307c16494369a0796ac1d4e74e7912ba79c15cca241801c/detection First Submission 2018-10-24 20:23:05 51/70 engines detected this file Path: %TEMP% ellocnak.xml 427eb7374887305b72f5c552837c9036 http://www.virustotal.com/gui/file/b3f421780a49cbe680a317259d4df9ce1d0cdaca3020b4df0dc18cc01d68ccbb/detection…

Continue reading

2018-02-17 Remcos RAT from malspam

Earlier this morning I came across some emails that had a subject line that caught my attention. They were all from the same sender and all of them had the same maldoc attached to them. From what I can tell this looks to be related to the REMCOS RAT as documented by Fortinet here. The interesting tidbit with this one was the fact that it was keylogging and also taking screenshots of my desktop as well from time to time. As usual, for any of the PCAPs, ProcMon logs, and artifacts that I managed to capture, check out the Github…

Continue reading