Page 93 - Cyber Defense eMagazine October 2023

Configuration Extraction:

We have extracted the configuration from the binary. As shown below, the configuration is stored in the resource section of the binary under the name “SETTINGS”, similar to earlier versions of the Remcos RAT, and it is encrypted with the RC4 algorithm.

The first byte gives the length of the key: “4F” in hexadecimal (highlighted in green), which is “79” in decimal, so the next 79 bytes are the key (highlighted in red). The bytes highlighted in purple are the encrypted configuration data.
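The layout just described, parsed and decrypted in an added Python example. This code is not from the article or from the Remcos sample itself: the 79-byte key, the placeholder configuration string and the blob built from them are constructed here to match the described layout, and extracting the “SETTINGS” resource from the PE file beforehand is assumed (it is not shown).

```python
"""Parse and RC4-decrypt a blob with the layout the article describes:
[1 byte: key length][key][RC4-encrypted configuration].

Added example, not code from the article. The SAMPLE_* values below are
constructed stand-ins, not data from a real sample.
"""
from typing import Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + PRGA). Encrypt and decrypt are the same op."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_settings(blob: bytes) -> Tuple[bytes, bytes]:
    """Split a SETTINGS blob into (key, ciphertext) using the first-byte key length.

    Rejects an empty blob, a zero-length key and a blob shorter than the
    length byte claims, so a truncated resource fails loudly instead of
    producing garbage."""
    if not blob:
        raise ValueError("empty SETTINGS blob")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len:
        raise ValueError(f"key length {key_len} does not fit in {len(blob)} bytes")
    key = blob[1:1 + key_len]
    ciphertext = blob[1 + key_len:]
    return key, ciphertext


def decrypt_settings(blob: bytes) -> bytes:
    """Return the decrypted configuration bytes for a SETTINGS blob."""
    key, ciphertext = parse_settings(blob)
    return rc4(key, ciphertext)


def build_settings(key: bytes, plaintext: bytes) -> bytes:
    """Build a blob in the same layout (used here only to construct a sample)."""
    if not 1 <= len(key) <= 255:
        raise ValueError("key length must fit in one byte")
    return bytes([len(key)]) + key + rc4(key, plaintext)


# Constructed sample: a 79-byte key (0x4F, the same length byte the article
# shows) and a made-up placeholder standing in for the configuration text.
SAMPLE_KEY = bytes((i * 7 + 3) & 0xFF for i in range(79))
SAMPLE_CONFIG = b"placeholder-c2.invalid:4444|placeholder-config-fields"
SAMPLE_BLOB = build_settings(SAMPLE_KEY, SAMPLE_CONFIG)


if __name__ == "__main__":
    key, ct = parse_settings(SAMPLE_BLOB)
    print(f"key length byte: 0x{SAMPLE_BLOB[0]:02X} = {SAMPLE_BLOB[0]} bytes")
    print(f"key: {key.hex()}")
    print(f"encrypted config: {ct.hex()}")
    print(f"decrypted config: {decrypt_settings(SAMPLE_BLOB)!r}")
```

Running the script prints the 0x4F length byte, the 79-byte key and the decrypted placeholder string. To apply it to a real sample, read the raw bytes of the “SETTINGS” resource out of the PE (for example with a PE parsing library) and pass them to `decrypt_settings`; the length checks in `parse_settings` catch a resource that was cut short during extraction.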

We extracted and decrypted the configuration data from the binary, which gives us the following details (highlighted in the screenshot below):

Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.