Remcos

Author: CERT CWATCH - ALMOND

description

Remcos RAT

paths

10 paths
paths use Windows environment syntax

collection commands

# PowerShell Artifact Collection Script
# Target: Remcos
# Run as Administrator

#Requires -RunAsAdministrator

# Non-terminating errors (unreadable profile, missing volume) must not abort
# the whole collection run, so keep going and count them instead.
$ErrorActionPreference = "Continue"
# Volume the evidence is read from. Not referenced by the collection commands
# below, which use absolute paths.
$SourceRoot = "C:"
# Root of the evidence store; every artifact is copied into its own sub-folder here.
$DestBase   = "D:\Evidence"
# Run tally printed at the end:
#   Copied - source directories robocopy reported as copied
#   Missed - paths that did not exist on this host
#   Errors - robocopy runs that ended with a failure exit code
$Summary = @{
    Copied = 0
    Missed = 0
    Errors = 0
}

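function Collect-Artifact {
    <#
    .SYNOPSIS
        Copies one artifact directory tree into the evidence store.
    .DESCRIPTION
        Resolves $SourceDir (wildcards allowed in any segment, e.g. the
        user-profile segment) with Get-Item, because robocopy does not glob
        its source argument, then robocopies every matching directory into
        $DestBase\$FolderName. Hidden and system directories are included
        (-Force); Get-Item skips them by default and a RAT working folder
        may carry those attributes.
        Outcome is tallied in the script-level $Summary hashtable: Missed
        when nothing matched, otherwise Copied or Errors once per matched
        directory depending on robocopy's exit code.
    .PARAMETER SourceDir
        Directory to collect; may contain wildcards.
    .PARAMETER FolderName
        Sub-folder of $DestBase that receives the copy.
    .PARAMETER FileMask
        robocopy file mask applied inside the tree (default '*').
    .OUTPUTS
        None. Side effects: files written under $DestBase, $Summary updated.
    #>
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # -Force so hidden/system directories are matched as well.
    $sources = @(Get-Item -Path $SourceDir -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        # When several directories match (one per user profile), give each
        # its own sub-folder derived from the source path. Otherwise the
        # same-named log files from different users would overwrite each
        # other in $FullDest and provenance would be lost. A single match
        # keeps the flat $DestBase\$FolderName layout.
        $target = $FullDest
        if ($sources.Count -gt 1) {
            $suffix = ($src.FullName -replace '[:\\/]+', '_').Trim('_')
            $target = Join-Path -Path $FullDest -ChildPath $suffix
        }
        # robocopy creates $target itself. Exit codes 0-7 are success or
        # partial success; 8 and above signal copy failures.
        robocopy $src.FullName "$target" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}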

# Collection table: every location where Remcos has been observed writing
# its logs*.dat files in past campaigns. Entries are processed in the order
# of the original numbered list (1-10); Src and Dest are handed straight to
# Collect-Artifact, the file mask is the same for all of them.
$artifacts = @(
    # 1. Default install path, per user roaming profile
    @{ Src = "C:\Users\*\AppData\Roaming\remcos";      Dest = "Remco_RAT_Default_path" }
    # 2. Custom path - roaming profile, 'screenshots' folder
    @{ Src = "C:\Users\*\AppData\Roaming\screenshots"; Dest = "Remco_RAT_custom_path_AppData_screenshots_folder" }
    # 3. Custom path - roaming profile, 'notess' folder
    @{ Src = "C:\Users\*\AppData\Roaming\notess";      Dest = "Remco_RAT_custom_path_AppData_notess_folder" }
    # 4. Custom path - roaming profile, 'micrecords' folder
    @{ Src = "C:\Users\*\AppData\Roaming\micrecords";  Dest = "Remco_RAT_custom_path_AppData_micrecords_folder" }
    # 5. Custom path - roaming profile, 'hpsupport' folder
    @{ Src = "C:\Users\*\AppData\Roaming\hpsupport";   Dest = "Remco_RAT_custom_path_AppData_hpsupport" }
    # 6. Custom path - ProgramData, 'remcos' folder
    @{ Src = "C:\ProgramData\remcos";                  Dest = "Remco_RAT_custom_path" }
    # 7. Custom path - ProgramData, 'notess' folder
    @{ Src = "C:\ProgramData\notess";                  Dest = "Remco_RAT_custom_path_AppData_notess" }
    # 8. Custom path - ProgramData, 'screenshots' folder
    @{ Src = "C:\ProgramData\screenshots";             Dest = "Remco_RAT_custom_path_AppData_screenshots" }
    # 9. Custom path - ProgramData, 'micrecords' folder
    @{ Src = "C:\ProgramData\micrecords";              Dest = "Remco_RAT_custom_path_AppData_micrecords" }
    # 10. Custom path - ProgramData, 'hpsupport' folder
    @{ Src = "C:\ProgramData\hpsupport";               Dest = "Remco_RAT_custom_path_AppData_hpsupport" }
)

foreach ($entry in $artifacts) {
    Collect-Artifact -SourceDir $entry.Src -FileMask "logs*.dat*" -FolderName $entry.Dest
}

# Final tally for the operator; green so it stands out in the console.
$report = "Collection complete. Copied: {0}  Missed: {1}  Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors
Write-Host $report -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

references

notes

Remcos RAT is a lightweight, fast, and highly customizable Remote Administration Tool with a wide array of functionalities.

This tool permits keylogging and surveillance (including audio recording and screenshots) and is frequently used by threat actors such as FIN7.

This target collects the known paths where this tool was installed during previous campaigns.

included in collections