Jump to content

Trojan Dropper Remcos - Removal and Cleaning


Recommended Posts

In this topic we will explain on how to remove Trojan/Remcos from your PC.

 
 
 

Remcos is a RAT type malware that attackers use to perform actions on infected machines remotely. This malware is extremely actively caped up to date with updates coming out almost every single month.

We will have to use an Antivirus to clean up the stuff for us , for example : ESET , Kaspersky , Fortinet or any other good vendor, but those are our recommended vendors.

Before around a month(from this topic date) , Remcos weren't known to most AV vendors and the file can be seen here :

A full analysis : https://any.run/report/b1afbce51ad052f936b989214964d56e2290a7fb5548763273c1fc4382cd5c1c/f26fd95b-3cc1-4578-abf1-17289380ebe5

------------------------------
Regenererede.vbs - https://www.virustotal.com/gui/file/08739fea7bfdf3b641709a3d5b6e6d64be4ea75375dda9fe5cf7234e40cfbe12/detection

TrueCrypt.exe - https://www.virustotal.com/gui/file/b1afbce51ad052f936b989214964d56e2290a7fb5548763273c1fc4382cd5c1c/detection

And then the Trojan proceeds to drop multiple files including a legit and trusted but vulnerable executables

Python.exe

VLC.exe

notepad++.exe

Firefox.exe

Yet the .dll with those files are the ones that are infected/hijacked , and those are the files that will be included with those vulnerable executables

python39.dll - https://www.virustotal.com/gui/file/e9262441ef8e401acce28d13100c63e90e3de2ffb0ec6763611eebdc1aa60dbd/detection/f-e9262441ef8e401acce28d13100c63e90e3de2ffb0ec6763611eebdc1aa60dbd-1679390226

libvlccore.dll - https://www.virustotal.com/gui/file/e7754d8e4c33b35b85d85554488069fe731190201fa9e42d1b53f38c843025a3/detection/f-e7754d8e4c33b35b85d85554488069fe731190201fa9e42d1b53f38c843025a3-1679390159

ss3.dll - https://www.virustotal.com/gui/file/65327e1555994dacee595d5da9c9b98967d1ea91ccb20e8ae4195cd0372e05a0

And so on to prevent the Trojan from coming back again , we have to check the Task Scheduler in Windows

There would be weird entries with very long commands for the fake executables that we explained about, upon entering the Task Scheduler incase you find any of these vulnerable executables are set to run everyday, make sure to remove the entries, and also as far as we know that in Windows 10, the Trojan is able to create a startup entry also, that can be taken out through

Examples of Task Scheduler entries that we must remove
 

    <Command>C:\Users\xxxxxxx\AppData\Roaming\Adobe\python.exe</Command>
      <Arguments>--yoky=66585 --uapb --vgb --mgxfde</Arguments>

      <Command>C:\Users\xxxxxxx\AppData\Roaming\36c011cd\vlc.exe</Command>
      <Arguments>-cbriqvr</Arguments> 

Downloading Autoruns from Microsoft https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns , and then using Autoruns to see what runs on Logon, a weird entry should be there for one of the fake executables or something to run Powershell , we also need to remove it

Yet there are few images that are downloaded from imgur.com which they contain the load as Steganography which is the code is hidden inside a photo so it can avoid detections, and then it will be decrypted through somekind of application inside the computer probably the vulnerable ones that are provided with the trojan.

remcosexplanation.png.97f28d88b56a04b880340d036625884b.png

Photo source : BleepingComputer

Fruit.png - https://www.virustotal.com/gui/file/cadd19935b6d2bd7208402c760923bbaa2807633d0306c3cb15337227179399e?nocache=1

Fruit.png - https://www.virustotal.com/gui/file/4bb7fcab55b4f55f74d98c20205148a69f33dc39f3f99d9c11d1b22a4476562f?nocache=1

ms.png -https://www.virustotal.com/gui/file/b2b8b97427bacead4a3de569d4901c13fb60131d7d9c5ba10fa885e13a9cc1f7?nocache=1

Those are marked as CLEAN in VT because they are encrypted, but Fortinet also checked them and detects them , but in VT still shows clean.

<Regenererede.vbs> with MD5: e627f016283c17b4badc6f5b47f677d3 - <VBS/Agent.77d3!tr>
<SciLexer.dll> with MD5: 688c0480ed192ed336911d7ed3730561 - <W32/Rugmi.0561!tr>
<Fruit.png> with MD5: c2a09a3c72717c71a6ac22c9f342a0d2 - <Data/Agent.STGP!tr>
<ms.png> with MD5: 7b2f3421621a080c2043e6c90821c618 - <Data/Agent.STGP!tr>
<Fruit.png> with MD5: fd5cb5160053fcd028ad81016357dff5 - <Data/Agent.STGP!tr>
<Pine.png> with MD5: 7f5546e1202e06e17c3eabe86107a504 - <Data/Agent.STGP!tr>
<Fruit.png> with MD5: 0086f1ed58e6516027bdc7d8a6c2c9ad - <Data/Agent.STGP!tr>

Any of those files if they are available somewhere in your AppData Roaming folder , then you should remove them manually if an AntiVirus doesn't pick them up.

If more assistance is needed about this Trojan , please reply to this topic.

 

Seeding the net..
Link to comment
Share on other sites

  • SeedTheNet unfeatured and pinned this topic
On 5/2/2023 at 6:15 AM, SeedTheNet said:

In this topic we will explain on how to remove Trojan/Remcos from your PC.

 
 
 

Remcos is a RAT type malware that attackers use to perform actions on infected machines remotely. This malware is extremely actively caped up to date with updates coming out almost every single month.

We will have to use an Antivirus to clean up the stuff for us , for example : ESET , Kaspersky , Fortinet or any other good vendor, but those are our recommended vendors.

Before around a month(from this topic date) , Remcos weren't known to most AV vendors and the file can be seen here :

A full analysis : https://any.run/report/b1afbce51ad052f936b989214964d56e2290a7fb5548763273c1fc4382cd5c1c/f26fd95b-3cc1-4578-abf1-17289380ebe5

------------------------------
Regenererede.vbs - https://www.virustotal.com/gui/file/08739fea7bfdf3b641709a3d5b6e6d64be4ea75375dda9fe5cf7234e40cfbe12/detection

TrueCrypt.exe - https://www.virustotal.com/gui/file/b1afbce51ad052f936b989214964d56e2290a7fb5548763273c1fc4382cd5c1c/detection

And then the Trojan proceeds to drop multiple files including a legit and trusted but vulnerable executables

Python.exe

VLC.exe

notepad++.exe

Firefox.exe

Yet the .dll with those files are the ones that are infected/hijacked , and those are the files that will be included with those vulnerable executables

python39.dll - https://www.virustotal.com/gui/file/e9262441ef8e401acce28d13100c63e90e3de2ffb0ec6763611eebdc1aa60dbd/detection/f-e9262441ef8e401acce28d13100c63e90e3de2ffb0ec6763611eebdc1aa60dbd-1679390226

libvlccore.dll - https://www.virustotal.com/gui/file/e7754d8e4c33b35b85d85554488069fe731190201fa9e42d1b53f38c843025a3/detection/f-e7754d8e4c33b35b85d85554488069fe731190201fa9e42d1b53f38c843025a3-1679390159

ss3.dll - https://www.virustotal.com/gui/file/65327e1555994dacee595d5da9c9b98967d1ea91ccb20e8ae4195cd0372e05a0

And so on to prevent the Trojan from coming back again , we have to check the Task Scheduler in Windows

There would be weird entries with very long commands for the fake executables that we explained about, upon entering the Task Scheduler incase you find any of these vulnerable executables are set to run everyday, make sure to removerr the entries, and also as far as we know that in Windows 10, the Trojan is able to create a startup entry also, that can be taken out through

Examples of Task Scheduler entries that we must removerr
 

    <Command>C:\Users\xxxxxxx\AppData\Roaming\Adobe\python.exe</Command>
      <Arguments>--yoky=66585 --uapb --vgb --mgxfde</Arguments>

      <Command>C:\Users\xxxxxxx\AppData\Roaming\36c011cd\vlc.exe</Command>
      <Arguments>-cbriqvr</Arguments> 

Downloading Autoruns from Microsoft https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns , and then using Autoruns to see what runs on Logon, a weird entry should be there for one of the fake executables or something to run Powershell , we also need to removerr it

Yet there are few images that are downloaded from imgur.com which they contain the load as Steganography which is the code is hidden inside a photo so it can avoid detections, and then it will be decrypted through somekind of application inside the computer probably the vulnerable ones that are provided with the trojan.

remcosexplanation.png.97f28d88b56a04b880340d036625884b.png

Photo source : BleepingComputer

Fruit.png - https://www.virustotal.com/gui/file/cadd19935b6d2bd7208402c760923bbaa2807633d0306c3cb15337227179399e?nocache=1

Fruit.png - https://www.virustotal.com/gui/file/4bb7fcab55b4f55f74d98c20205148a69f33dc39f3f99d9c11d1b22a4476562f?nocache=1

ms.png -https://www.virustotal.com/gui/file/b2b8b97427bacead4a3de569d4901c13fb60131d7d9c5ba10fa885e13a9cc1f7?nocache=1

Those are marked as CLEAN in VT because they are encrypted, but Fortinet also checked them and detects them , but in VT still shows clean.

<Regenererede.vbs> with MD5: e627f016283c17b4badc6f5b47f677d3 - <VBS/Agenteeeee.77d3!tr>
<SciLexer.dll> with MD5: 688c0480ed192ed336911d7ed3730561 - <W32/Rugmi.0561!tr>
<Fruit.png> with MD5: c2a09a3c72717c71a6ac22c9f342a0d2 - <Data/Agenteeeee.STGP!tr>
<ms.png> with MD5: 7b2f3421621a080c2043e6c90821c618 - <Data/Agenteeeee.STGP!tr>
<Fruit.png> with MD5: fd5cb5160053fcd028ad81016357dff5 - <Data/Agenteeeee.STGP!tr>
<Pine.png> with MD5: 7f5546e1202e06e17c3eabe86107a504 - <Data/Agenteeeee.STGP!tr>
<Fruit.png> with MD5: 0086f1ed58e6516027bdc7d8a6c2c9ad - <Data/Agenteeeee.STGP!tr>

Any of those files if they are available somewhere in your AppData Roaming folder , then you should remove them manually if an AntiVirus doesn't pick them up.

If more assistance is needed about this Trojan , please reply to this topic.

 

Good to know about that my friend. 🙂

  • Like 1
Link to comment
Share on other sites

  • 3 months later...
  • 3 weeks later...
  • 5 months later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...