2024-01-14 Remcos RAT Infection

Summary ========= The last time I “published” anything was about a 1.8 years or so ago. So in the spirit of New Years resolutions to myself it really has come time for me to get back on the horse and get back into some sort of posting again. So let’s jump into an alert that I came across for what looks to be Remcos RAT. Link to the artifacts from this investigation can be found over at my Github here which also includes the output from the two URLs seen in the VB script. The memory dump of the Remcos…

Continue reading

2022-02-13 Breaking out the WD40! First Stage Downloader For Remcos RAT

It has been a while since I have played with any malware or tried to RE a script of some sort. So here goes nothing… Shout out to David Ledbetter for the assist. Solid work as usual! This post will cover the downloader script from a Remcos maldoc that I was playing with from the beginning of the month. The email itself was your standard fare – a Wells Fargo phishing email that had an Excel XLSB attachment that was encrypted. The Excel XLSB can be found over at Any.Run or over at my Github here. A special shoutout to…

Continue reading

2018-07-07 Remcos Malspam

A quick write-up on this Remcos malspam. Some other previous entries that I have done aboutr Remcos can be found below: http://www.herbiez.com/?p=1106 http://www.herbiez.com/?p=1073 All the emails seem to come from the sender info@yusheng-wiremesh.com with the subject of “Returned Funds fort Invoice DFER4567 July Despatch.” The malspam also comes with an ACE attachment, that when extracted out, gives us the following binary: “Returned Funds fort Invoice DFER4567 July Despatch.exe.” A quick glance at some of the emails shows that they are all being sent from this IP address: 185.163.111.81 which shows a rDNS entry of “sv2.sendomail.eu” out of Romania. One thing…

Continue reading

2018-04-21 “TOP URGENT//: REQUEST FOR QUOTAION” Malspam Leads To CVE-2017-11882/Possible Remcos Infection

Yesterday while looking for some malspam, I came across some emails that used the CVE-2017-11882 exploit which leveraged an AutoIT script to launch the Remcos keylogger process which used some anti-sandbox techniques as well. For some more information about the CVE, please see the following links: http://researchcenter.paloaltonetworks.com/2017/12/unit42-analysis-of-cve-2017-11882-exploit-in-the-wild/ http://reversingminds-blog.logdown.com/posts/3907313-fileless-attack-in-word-without-macros-cve-2017-11882 2018-02-17 REMCOS RAT FROM MALSPAM And some similarities to this post: 2017-06-23 LOKI BOT MALWARE USING CVE 2017-0199 as well. Most of the activity from this infection was on the host and not much at the network level from what I was able to determine. All the artifacts found from this investigation…

Continue reading