
Is THIS a VIRUS? Finding a Remcos RAT - Malware Analysis

Jun 06, 2021
that runs on any Windows encrypts the connections this is unreal guys I'm glad we got here like in an hour remote control the remote chat control center screen this is what maybe I'm exaggerating this too much, you know, maybe, maybe, maybe, my inner youtuber is getting too excited about things that aren't that exciting, but I mean, look at this, my inner youtuber, shut up, John John, what the hell? Are you talking about shut up? You are not a youtuber. Apparently there is nothing more interesting here. Copyright, though Dinkumware. I'm pretty sure I've seen it. I think it's just part of a module.
Isn't that Dinkumware? Yeah, these are the C libraries to be able to do quirky things, not even that, I think, I'm pretty sure they have a genuine purpose. Dinkumware, yeah, oh no, they're just the main provider of C and real C++ libraries, so you know that there is that padding padding padding padding padding. What, is there something more peculiar and interesting in this, or do we just find that the irrefutable proof is like no? That is remote control, that is Remcos or remkos, I like it, oh, that has to be, I know what the purchase is for, e.g. go buy the real program instead of using this cracked software you found on the creepy dark web wookie. Remcos is another RAT, 40 nets has some stuff in 2017, here they are using it with a doc macro, I like it's called remy.exe and the screenshot and it also got a little obfuscated, oh, it's full of empress or maybe the previous version I didn't see as a UPX chain, although I hadn't actually heard of empress before so I'll have to add that to my mental repertoire. Malware obfuscation pretty much ended after the two pack, yeah, and then at that point we just stopped obfuscating, we thought it was good enough. According to their website Breaking Security, this version was released last month regarding that article. Wow, what a wild ride guys, now that we diagnosed this as Remcos we have come a long way to get here. Look at these uses, even though we have all these machines that we are monitoring the event logs for you, you can start, oh, you can start all the other programs if you want, oh no, no other software, sorry, ok, I thought it would be like just putting the keylogger in place. More and more applications like Remcos are getting publicly launched, attracting new perpetrators with its easy use.

Yeah, that's like some IOCs here. Oh, we have some IOCs from this video than that original URL we saw earlier, what else do we see here, I'm leaving, thank you, TrendMicro, some good things. This is in December 2019, Germany based security company Breaking Security, Germany based companies Breaking Security, I don't know if I could know, uh, coronavirus, bam, that was in 2019 though, wait, what the hell is this April 3 email? 2020, and this article was published in 2019. Can you see the future, Trend Micro? I know you guys were good, but I didn't know you were that good. Startup persistence, of course, bypasses AV, maintain persistence, is injected into a legitimate Windows process like notepad.exe as we saw, information theft, stealing the full potential of those Firefox and Windows caches etc., backdoor commands, creepy, holy cow, I want to learn more about Remcos 3.1, 3.10, this is the one that came out yesterday, although I optimize and improve it to be faster, fix the agent failure IP address. Wow, did you say the version?
Did it say when we were running strings there that let's say the version remcos remcos remcos v oh, it cuts it from the code v something that needs to be completed with the real no, you know what we're going to do a little bit? Hopper guys, you know what we could do, we're up to here. Did I really open hopper or just open my virtual machine again? Hopper, please, oh, I'm sorry, I'm fine. We want to go to notepad. .js with our stage6.exe, I think that's where we are, we'll go to our entry point here and try to understand this sub, that thing, that thing, that thing, I want to find the strings where you ended up saying remco version, rem version. and you can see even more policy system enablement, oh oh, that's just trying to add things like rdp.
I want to see this version number, where can you put rimcote version 3.10 pro for me? Oh my gosh, it was literally released yesterday. That's crazy, I can't. I don't even want to edit this video because I want to post it right away and show people some of this cool stuff. Wow, it was a wild ride for everyone. I think that's as far as I want to go. I think we've diagnosed that okay, this is a remote access Trojan with remote control through layers and layers of payloads and obfuscation. I hope you had fun on that safari trip through javascript or jscript through powershell through c-sharp through an executable that is.
I'm not going to end up being a dot-net assembly and doing some of that detective work to discover this on the Internet. I think, to tell you the truth, and I'll be honest, I didn't. This was not organized beforehand. I saw this jscript and I thought it would be a really cool video so I dove in and recorded it and I literally hadn't seen it before and honestly it's been really cool. I don't know what else to say or do. this video, but I hope it was a lot of fun and I hope this even takes it further than what we did in that last soft analysis video.
I know a lot of people love or will love that video and hopefully we can do a lot more, but we did some cool things in this and I think it was great. I think it was fun if you haven't done all the YouTube algorithm stuff and enjoyed this video. Please leave a comment. say what you want, hopefully something nice, maybe you'll like the video, I would really appreciate it if you could subscribe and I've been doing my homework. I've been learning a little about the whole YouTube subscription thing. Something about the youtube algorithm and ringing the bell actually means that you will receive the notifications for real, not only will you be totally absorbed and lost in the abyss of the youtube machine and that way you will be able to receive notifications when I post new videos, so yes you like this stuff and you want to keep coming back, I would really appreciate it and this has been a lot of fun for everyone, so thank you, thank you, thank you for coming to hang out, I will.
See you in the next video. I wish we could do more things like this, but I love you, take care. I'll see it in the next video. There is no video output because I am going to upload this directly. I love you, bye.
