Remcos is sold as a legitimate remote management tool but is more typically observed as part of a widespread exploitation campaign, such as the one reported by CERT Ukraine.
rule MAL_Remcos_strings {
    meta:
        description = "Matches strings found in Remcos RAT samples."
        last_modified = "2024-03-20"
        author = "@petermstewart"
        DaysofYara = "80/100"
        sha256 = "b3d7fad59a0ae75ffef9e05f47fc381b4adb716c498106482492e56c1b4370a7"
        sha256 = "9046b2e6ce92647474048c30439ab21ee69a46f6067dbaff67de729644120fad"

    strings:
        // Mutex name embedded in the sample; the condition requires this one unconditionally.
        $mutex = "Remcos_Mutex_Inj"

        // Status/log messages the RAT writes while running; 10 of these 13 must be present.
        // Plain ASCII matching (YARA default) is intentional here.
        $msg1 = "Uploading file to C&C: "
        $msg2 = "Unable to delete: "
        $msg3 = "Unable to rename file!"
        $msg4 = "Browsing directory: "
        $msg5 = "Offline Keylogger Started"
        $msg6 = "Online Keylogger Started"
        $msg7 = "[Chrome StoredLogins found, cleared!]"
        $msg8 = "[Firefox StoredLogins cleared!]"
        $msg9 = "Cleared all browser cookies, logins and passwords."
        $msg10 = "[Following text has been pasted from clipboard:]"
        $msg11 = "[End of clipboard text]"
        $msg12 = "OpenCamera"
        $msg13 = "CloseCamera"

    condition:
        // 0x5a4d is the little-endian "MZ" DOS header: restrict scanning to PE files.
        uint16(0) == 0x5a4d
        and $mutex
        and 10 of ($msg*)
}
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.