AZCHQN.exe DLPK- A .NET Compiled RemcosRAT Binary

October 26, 2023

SHA256 hash: 7e7575bfc0c9d85c561fc0c69b2bec3b985bc99a4d668f0cccc30acc4bccf686

Summary

AZCHQN.exe is a .NET compiled binary for 32-bit Windows. It unpacks the RemcosRAT payload and reflectively loads the resulting assembly into the running process. The malware writes itself to disk and creates a scheduled task as a persistence mechanism. It logs keystrokes and events, and attempts to connect to its C2 server at 194.147.140.158:1998 to establish a reverse shell and exfiltrate the collected data.

Analysis

Contained within the binary is a long hex-encoded string that is converted into a byte array and reflectively loaded as a .NET assembly. The unpacked payload then executes within the running process.
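
The unpacking step described above can be triaged statically: a .NET loader that carries its payload as a hex string leaves a long run of hex characters in the file, and decoding that run and checking for an MZ/PE header is enough to recover the embedded executable for analysis. The following scanner is an added example written for this page, not code from the sample or from any tool the post uses; the container bytes and the minimal fake PE image are constructed inline, and `MIN_DECODED` is an assumed threshold for what counts as a payload-sized run.

```python
import re
import struct
from dataclasses import dataclass

MIN_DECODED = 64  # assumed threshold: shorter hex runs are usually GUIDs, hashes or constants

# A hex run as it appears in raw ASCII data, and as a UTF-16LE string literal
# (a .NET assembly stores string literals in its #US heap with a 0x00 after each character).
ASCII_HEX = re.compile(rb"(?:[0-9A-Fa-f]{2}){%d,}" % MIN_DECODED)
UTF16_HEX = re.compile(rb"(?:[0-9A-Fa-f]\x00){%d,}" % (MIN_DECODED * 2))

@dataclass
class HexPayload:
    offset: int      # byte offset of the hex run inside the scanned file
    encoding: str    # "ascii" or "utf-16-le"
    data: bytes      # the decoded bytes
    is_pe: bool      # True when the decoded bytes start with a valid MZ/PE header

def looks_like_pe(blob: bytes) -> bool:
    """True if blob has an MZ header whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def extract_hex_payloads(data: bytes) -> list:
    """Find every long hex run in a file image, decode it and flag embedded PE files."""
    found = []
    for pattern, enc in ((ASCII_HEX, "ascii"), (UTF16_HEX, "utf-16-le")):
        for m in pattern.finditer(data):
            text = m.group().decode(enc)
            if len(text) % 2:          # odd-length run: drop the dangling nibble
                text = text[:-1]
            blob = bytes.fromhex(text)
            found.append(HexPayload(m.start(), enc, blob, looks_like_pe(blob)))
    return sorted(found, key=lambda p: p.offset)

# Constructed sample container (not bytes from AZCHQN.exe): a decoy hex run in ASCII, then a
# minimal fake PE image hex-encoded as a UTF-16LE literal, the way a .NET loader would hold it.
def fake_pe() -> bytes:
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)   # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> PE signature right after it
    return bytes(hdr) + b"PE\x00\x00" + b"\x90" * 60

SAMPLE = (b"\x00\x01junk" + b"ab" * 70 + b"\x00" * 4
          + fake_pe().hex().encode("utf-16-le") + b"\x00\x00trailer")

if __name__ == "__main__":
    for p in extract_hex_payloads(SAMPLE):
        print(f"offset=0x{p.offset:x} {p.encoding} {len(p.data)} bytes pe={p.is_pe}")
```

Decoded blobs flagged `is_pe` can be written out and analysed as ordinary PE files; runs that decode but do not carry a header may be a further-encrypted stage and deserve a look at the code around the string's use.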

Within the running process, the injected executable is visible in a memory region with RWX (read, write, execute) permissions.

The malware copies itself into C:\Users\username\AppData\Roaming as HnungLFHsNIx.exe. It then writes a temporary task-definition XML file, tmp795A.tmp, in C:\Users\username\AppData\Local\Temp and uses it to create a scheduled task named Updates\HnungLFHsNIx that runs at user logon as a persistence mechanism.

Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HnungLFHsNIx" /XML "C:\Users\analyst\AppData\Local\Temp\tmp795A.tmp"

The malware writes several registry keys to allow its execution and its traffic to the C2 server. It also creates a log file, logs.dat, in C:\ProgramData\remcos, which collects user activity and keystrokes.

RemcosRAT then attempts to reach its C2 server at 194.147.140.158:1998, establishing a reverse shell and exfiltrating the collected data.

IOCs

SHA256 File Hash:

7e7575bfc0c9d85c561fc0c69b2bec3b985bc99a4d668f0cccc30acc4bccf686

Files:

C:\Users\analyst\AppData\Local\Temp\tmp795A.tmp

C:\ProgramData\remcos\logs.dat

C:\Users\username\AppData\Roaming\HnungLFHsNIx.exe

AZCHQN.exe

BO2UH23ED23.exe

Commands:

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HnungLFHsNIx" /XML "C:\Users\analyst\AppData\Local\Temp\tmp795A.tmp"

IP Traffic:

194.147.140.158:1998

HTTP Requests:

hxxp://geoplugin[.]net/json.gp

DNS:

geoplugin[.]net

Strings

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe
ZipFiles
UnzipFiles
Browsing directory:
Executing file:
Downloading file:
Downloaded file:
Failed to download file:
Deleted file:
Unable to delete:
Unable to rename file!
Uploaded file:
Failed to upload file:
Uploading file to Controller:
SetFilePointerEx error
ReadFile error
Offline Keylogger Started
Keylogger initialization failure: error
minutes }
{ User has been idle for
Online Keylogger Started
Online Keylogger Stopped
Offline Keylogger Stopped
\AppData\Local\Google\Chrome\User Data\Default\Login Data
\AppData\Local\Google\Chrome\User Data\Default\Cookies
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
license_code.txt
Remcos Agent initialized
Access Level:
Administrator
Remcos restarted by watchdog!
Watchdog module activated
Watchdog launch failed!
FoxMailRecovery
Shlwapi.dll
\Software\Microsoft\Windows\CurrentVersion\Uninstall
Remcos
MsgWindowClass
TLS13-AES128-GCM-SHA256
/serialNumber=
/emailAddress=
CreateDirectoryW
WriteFile
CreateFileW
GetModuleFileNameW
WaitForSingleObject
CreateEventW
URLDownloadToFileW
URLOpenBlockingStreamW
Elevation:Administrator!new:
{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
%04i/%02i/%02i %02i:%02i:%02i
\Mozilla\Firefox\Profiles\
\cookies.sqlite
\AppData\Local\Google\Chrome\
\AppData\Local\Microsoft\Edge\
\Opera Software\Opera Stable\
User Data\Default\Network\Cookies
User Data\Profile ?\Network\Cookies
Network\Cookies
User Data\Local State
Software\Microsoft\Windows\CurrentVersion\Run\
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
Set fso = CreateObject("Scripting.FileSystemObject")
On Error Resume Next
while fso.FileExists("
fso.DeleteFile "
fso.DeleteFolder "
fso.DeleteFile(Wscript.ScriptFullName)
\update.vbs
CreateObject("WScript.Shell").Run "cmd /c ""
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
C:\Program Files(x86)\Internet Explorer\
hxxp://geoplugin[.]net/json.gp
cmd.exe
\sysinfo.txt
dxdiag
image/jpeg
wnd_%04i%02i%02i_%02i%02i%02i
time_%04i%02i%02i_%02i%02i%02i
d alias audio
http\shell\open\command