win.remcos

Remcos

Actor(s): APT33, The Gorgon Group


No description has been written for this family yet. The references below include technical analyses of the Remcos RAT (Fortinet, Talos, krabsonsecurity, secrary) and reports of its delivery through spear-phishing e-mails with archive attachments.

References
https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/
https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/
http://malware-traffic-analysis.net/2017/12/22/index.html
https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2
https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/
https://www.vmray.com/cyber-security-blog/smart-memory-dumping/
https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/
https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html
https://secrary.com/ReversingMalware/RemcosRAT/
Yara Rules
[TLP:WHITE] win_remcos_auto (20180607 | autogenerated rule brought to you by yara-signator)
rule win_remcos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos"
        malpedia_version = "20180607"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes on applying this rule
     *
     * - Each $sequence_N is a run of four 32-bit x86 instructions, 6 to 12
     *   bytes long, lifted from unpacked code (see DISCLAIMER). The rule thus
     *   describes the decoded payload, not the packed dropper normally found on
     *   disk: scan memory dumps or unpacked samples, and expect packed files
     *   not to hit (confirm against your own sample set).
     * - Several sequences ($sequence_4, $sequence_5, $sequence_9 in particular)
     *   look like ordinary compiler idioms (push/lea/mov argument set-up) and
     *   are not distinctive on their own. The "7 of them" threshold in the
     *   condition is the rule's main specificity control; lowering it trades
     *   false positives for recall.
     * - There is deliberately no file-type or size guard: adding
     *   uint16(0) == 0x5a4d would exclude dumps that do not start at a PE
     *   header.
     * - Bytes are grouped per instruction for readability; YARA ignores the
     *   whitespace, so every pattern is byte-for-byte the generated one.
     *   Branch targets are written as displacements instead of the
     *   sample-specific addresses the generator printed. The "score" values
     *   are the generator's own ranking and have no effect on matching.
     */

    strings:
        // cmp dword ptr [ebp+8], eax ; je +0x18 ; push esi ; push edi
        $sequence_0 = { 39 45 08  74 18  56  57 }

        // shr edx, 0x10 ; or word ptr [eax], dx ; jmp +0x11 ; add dword ptr [eax], edi
        $sequence_1 = { c1 ea 10  66 09 10  eb 11  01 38 }

        // idiv ebx ; cmp eax, edi ; jae +0x48 ; mov eax, dword ptr [ebp+8]
        $sequence_2 = { f7 fb  3b c7  73 48  8b 45 08 }

        // ja -0x217 (rel32) ; cmp byte ptr [ebp-2], bl ; je +0x0a ; push ebx
        $sequence_3 = { 0f 87 e9 fd ff ff  38 5d fe  74 0a  53 }

        // dec edx ; je +0x20 ; dec edx ; je +0x19
        $sequence_4 = { 4a  74 20  4a  74 19 }

        // lea eax, [ebp-0x24] ; push ebx ; push eax ; push ebx
        $sequence_5 = { 8d 45 dc  53  50  53 }

        // push dword ptr [ebp+8] ; push 0x10 ; call +0x13 (rel32) ; pop ecx
        $sequence_6 = { ff 75 08  6a 10  e8 13 00 00 00  59 }

        // push dword ptr [ebp+0xc] ; add eax, ecx ; push ecx ; call eax
        $sequence_7 = { ff 75 0c  03 c1  51  ff d0 }

        // mov ecx, dword ptr [ebp+8] ; lea eax, [ebp-1] ; push eax ; lea eax, [ebp-4]
        $sequence_8 = { 8b 4d 08  8d 45 ff  50  8d 45 fc }

        // mov ecx, esi ; mov dword ptr [ebp-4], eax ; push ebx ; push eax
        $sequence_9 = { 8b ce  89 45 fc  53  50 }

    condition:
        // Any 7 of the 10 sequences; no PE or size check (see notes above).
        7 of them
}