IOC’s

Filename: ApiUpdater

Family: RemcosRAT

SHA256: 7422bc2c77e70c2e90c27d030a13eb3adf0bcfc1ef2bc55b62871181af5cd955

MD5: ebf341ab1088ab009a9f9cf06619e616

Static Analysis

VirusTotal

VirusTotal

Strings

<http://geoplugin.net/json.gp>
http\\shell\\open\\command
CreateObject("WScript.Shell").Run "cmd /c ""
/k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f

Reverse Engeneering

• wNetwork Operations: It opens an internet connection, sends an HTTP GET request to http://geoplugin.net/json.gp, and reads the response in chunks.