Derin Analiz - RemcosRAT | Tehdit: KRITIK

Файл Kimligi

SHA25640079f05ba7cdccac1f62f8e7e1b644bc0a806b58465f5c005725bc54ee73ef1
Размер514,188 byte PE32 x86, TLS found, 6 section
UreticiBreakingSecurity.net (Remcos resmi satici sitesi)

RemcosRAT Kimlik Dogrulama

REMCOS: BreakingSecurity.net tarafindan satilan uzaktan erisim araci. Kriminal aktörler tarafindan yaygin kullanim!
Remcos v[surum]        <- surum bilgisi\nRemcos Agent initialized ( <- ajan baslangic mesaji\nRemcos restarted by watchdog! <- watchdog surecu\nBreakingSecurity.net   <- resmi Remcos gelistirici/satici sitesi

Yetenekler

KEYLOGGER:\n  Keylogger initialization failure: error\n  GetAsyncKeyState / SetWindowsHookEx\n\nCLIPBOARD:\n  GetClipboardData / EmptyClipboard\n  [End of clipboard]\n\nSES YAKALAMA:\n  d alias audio   <- MCI WinMM ses komutlari\n  close audio\n\nSCREENSHOT:\n  BitBlt          <- ekran goruntulu alma

Process Hollowing (Enjeksiyon)

NtUnmapViewOfSection  <- process memory bosalt (process hollowing)\nWriteProcessMemory    <- payload yaz\nSetThreadContext      <- thread baslangic noktasini degistir\n\n=> Process Hollowing ile mesbru surecler (svchost.exe vb.) icine gizlenir

UAC Atlatma + Persistence

UAC Bypass:\n  reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\n  /v EnableLUA /t REG_DWORD /d 0 <- UAC tamamen devre disi!\n\nPersistence:\n  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\n  Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\\n\nC2 Sifrelemesi:\n  BCryptGenRandom / TLS13-AES128-GCM-SHA256\n  RSA Private Key embed -> C2 iletisimi TLS 1.3 ile sifrelenir\n  pro.ip-api.com/line/?key=QPVvv1rHQJD2pd2 <- coğrafi konum API

Tarayici Kimlik Bilgisi Hirsizligi

\AppData\Local\Google\Chrome\User Data\Default\Login Data\nRecoverCookies <- tarayici cerez kurtarma\nCookies        <- web oturumu calma

IOC

SHA25640079f05ba7cdccac1f62f8e7e1b644bc0a806b58465f5c005725bc54ee73ef1
RATRemcosRAT (BreakingSecurity.net)
EnjeksiyonProcess Hollowing (NtUnmapViewOfSection)
UACEnableLUA=0 Registry bypass
YeteneklerKeylogger, Clipboard, Audio, Screenshot, Chrome cookies

RemcosRAT — Профиль вредоносного ПО

RemcosRAT - BreakingSecurity.net tarafindan lisansli satilan uzaktan erisim araci. Mesbru pentesting araci olarak satilsa da kriminal aktörler tarafindan yaygin kullanilir. Process hollowing, keylogger, clipboard/audio/screenshot izleme, Chrome kimlik bilgisi hirsizligi, UAC bypass, TLS 1.3 sifreli C2.

Тип вредоносного ПО
RAT
Язык программирования
C++
C2 Протокол
TCP/RC4
Целевые системы
Windows
Другие названия (AKA)
Remcos, Breaking-Security

Технические детали

TCP port 2404 (varsayilan), RC4 veya XOR sifreleme, C++ ile gelistirilmis, PE injection, UAC bypass (CMSTPLUA), AMSI bypass, Anti-debug (GetTickCount/RDTSC), DGA destekli C2, Keylogger, Screenshot, Audio

Атрибуция / Актор угрозы

Breaking Security firmasinin isvicre tabanli olmasi nedeniyle ilk gelistirme AB'de gerceklestirilmistir; ancak surekli dunya genelinde siber suclu topluluklari tarafindan kullanilmaktadir.

Возможности и поведение

Uzaktan Erişim & Kontrol
Keylogger
Ekran Görüntüsü
Webcam Erişimi
Dosya Yönetimi
Süreç Yönetimi
Komut Yürütme
Kalıcılık Mekanizması

Список IOC (1 индикаторов)

IOC — RemcosRAT
# SHA256 40079f05ba7cdccac1f62f8e7e1b644bc0a806b58465f5c005725bc54ee73ef1
ТипЗначениеПримечание
sha256 40079f05ba7cdccac1f62f8e7e1b644bc0a806b58465f5c005725bc54ee73ef1

C2 Серверы (8 зарегистрированных серверов для этого семейства)

Адрес Тип Порт Протокол Статус Страна
breakingsecurity.net domain &mdash; TCP active &mdash;
breakingsecurity.net domain &mdash; TCP active &mdash;
breakingsecurity.net domain &mdash; TCP active &mdash;
paint.net domain &mdash; TCP active &mdash;
americanshippingline.com domain &mdash; TCP active &mdash;
purl.org domain &mdash; TCP active &mdash;
adobe.com domain &mdash; TCP active &mdash;
paint.net domain &mdash; TCP active &mdash;

Адреса C2 предоставляются только на основе образцов вредоносного ПО, вручную проверенных командой KEYDAL. Коммерческое использование запрещено.

Теги
remcos-rat-breakingsecurity-net-sellerprocess-hollowing-ntunmapviewofsectionuac-bypass-enablelua-registrykeylogger-getasynckey-hookclipboard-getclipboarddata-monitoraudio-capture-winmm-mci-aliasscreenshot-bitblt-capturechrome-login-data-cookie-thefttls13-aes128-gcm-sha256-c2bcryptgenrandom-rsa-private-keypro-ip-api-com-geolocationwatchdog-restart-persistence