IOC’s

Filename: ApiUpdater

Family: RemcosRAT

SHA256: 7422bc2c77e70c2e90c27d030a13eb3adf0bcfc1ef2bc55b62871181af5cd955

MD5: ebf341ab1088ab009a9f9cf06619e616

Static Analysis

VirusTotal

VirusTotal

Strings

<http://geoplugin.net/json.gp>
http\shell\open\command
CreateObject("WScript.Shell").Run "cmd /c ""
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Reverse Engeneering

• wNetwork Operations: It opens an internet connection, sends an HTTP GET request to http://geoplugin.net/json.gp, and reads the response in chunks.