Chapter 3:Analysis of a RAT: Remcos

Below is an analysis of a Word document that used macros to download a RAT (Remote Access Trojan) known as Remcos.

A RAT is a type of malware that allows outsiders to monitor and control your computer or network. RATs, like most types of malware, often piggyback on legitimate-looking files like documents in an email or within a large software package.

This type of malware can be difficult to detect once installed as they generally don’t slow down a computer and the malware operator can often fly below the computer operator’s radar. Sometimes users can be infected by a RAT for years without noticing anything wrong.

 

 

Automated noise-filtering in action

Looking to the IOC tab in the VMRay analysis of the code sample, the user can see there were 130 artifacts in all, of which 12 were IOCs. One of the IOCs, highlighted in the screenshot below, was a mutex.

 

This file is helpful as some malware families tend to use recurring name patterns which helps to identify the family and detect an infected system. In the mutex file below the name is prefixed with “Remcos” which is a well-known RAT.

 

Another assist for identification of the code sample is in the IP section of the IOC tab, users can see the code sample downloads and executes Remcos using PowerShell.

 

The payload is hosted on grupo-omega[.]com[.]ar which is an artifact with a suspicious verdict.

 

 

In the File section of the IOC tab, users can see the three files that were IOCs labeled malicious. The section at the bottom of the screenshot on the right shows meta-information about the highlighted “PO.exe” file (downloaded in Figure 2 above):

 

 

And the screenshot on the right shows the related VTIs (malicious behavior) of the PO.exe file:

 

Turning complexity into clarity

As one can see from the analysis above, VMRay’s unique IOC filtering system allows users to not only identify code samples as malware but also identify the specific actions and files modified by the malware.

Armed with this information, security teams are well equipped to enact a swift and effective response.

 

Days
Hours
Minutes
Seconds

Ready to stress-test your malware sandbox? Join us for a no-fluff, all-demo webinar that shows you real techniques to evaluate and optimize your sandboxing solution!