Remcos Malware Analysis

sha256: 369adb906e16ea8074f400e3ec40e8eb1a0ff15064fd885a69ef73092563d511

https://app.any.run/tasks/adc543b9-fe88-46df-a979-decbd0f1d4fe/

Let's analyze the sample ranked 1st for this week on any.run; its last observed attack was on 2/26.

../_images/Screenshot_129.png

We get VBS code whose goal is to run a PowerShell command; using CMD Watcher we capture the PowerShell command line.

../_images/Screenshot_320.png

After cleaning the code and formatting it in VS Code:

../_images/Screenshot_425.png

The script contains a deobfuscator function and an Invoke-Expression (iex) call that executes the deobfuscated text.

../_images/Screenshot_523.png

The script's goal is to download http://constructumllc.sa.com/.well-known/vb/Wrapperer.ttf into %APPDATA%.

../_images/Screenshot_619.png ../_images/Screenshot_89.png

It then Base64-decodes the downloaded file, converts the bytes to a string, extracts a substring from that string, and invokes the substring.

../_images/Screenshot_717.png

Writing that result to a file instead of invoking it, we get another PowerShell script:

../_images/Screenshot_98.png

That script also uses a deobfuscator: it deobfuscates its strings and then invokes the result.

../_images/Screenshot_109.png
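As an added example (this is not the sample's own code and not taken from the page), here is a defanged PowerShell re-implementation of the decode chain described above: Base64-decode the dropped file, convert to a string, cut out a substring, and then write the stage-2 script to disk instead of handing it to iex. Everything specific is an assumption: it reads a constructed local blob instead of downloading Wrapperer.ttf, the substring offsets are made up, the paths are chosen for the example, and it works under %TEMP% rather than %APPDATA% where the real sample drops its file. Run it only in an isolated analysis VM.

```powershell
# Added example: defanged stager decode chain (iex replaced with a file write).
# Assumptions: constructed input blob, made-up substring offsets, example paths.

$work = Join-Path $env:TEMP 'remcos_analysis'   # assumed working dir (real sample: %APPDATA%)
New-Item -ItemType Directory -Path $work -Force | Out-Null

# --- Constructed stand-in for the downloaded Wrapperer.ttf ---
# The real file layout is not documented on this page. We pad a harmless
# stage-2 script with junk on both sides and Base64-encode it, so the
# substring step below has something to cut out.
$stage2   = 'Write-Output "stage2 ran"'          # 25 characters
$padded   = ('X' * 16) + $stage2 + ('Y' * 16)
$blob     = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($padded))
$dropPath = Join-Path $work 'Wrapperer.ttf'
Set-Content -Path $dropPath -Value $blob -NoNewline

# --- Decode chain as described in the analysis ---
$raw   = Get-Content -Path $dropPath -Raw
$bytes = [Convert]::FromBase64String($raw)
$text  = [Text.Encoding]::UTF8.GetString($bytes)

# Assumed offsets: in a real case, read these from the deobfuscated script.
$start   = 16
$length  = 25
$payload = $text.Substring($start, $length)

# The sample does: Invoke-Expression $payload
# For analysis, persist the payload for static review instead of executing it.
$outPath = Join-Path $work 'stage2_extracted.ps1'
Set-Content -Path $outPath -Value $payload
Write-Output "Stage-2 script written to $outPath"
Write-Output $payload
```

Swapping the final Invoke-Expression for Set-Content is the same trick the analysis uses to recover the second PowerShell stage; the extracted file can then be cleaned and formatted in VS Code and its own deobfuscator walked through in the same way.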