Created
July 22, 2023 20:07
-
-
Save 0xToxin/27cb0420f2c6dc1bff75f45800d3be4c to your computer and use it in GitHub Desktop.
RemcosRAT "raw" config decryptor.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
''' | |
output will be in format of list, was lazy to play with regex, | |
if you want to see regex fetching, check RussianPanda95 extractor: | |
https://github.com/RussianPanda95/Configuration_extractors/blob/main/remcos_rat_config_extractor.py | |
''' | |
import pefile | |
import struct | |
from Crypto.Cipher import ARC4 | |
import binascii | |
REMCOS_PATH = '' #path to remcos payload | |
DATA = open(REMCOS_PATH, 'rb').read() | |
def ret_data(dir_entry): | |
data_rva = dir_entry.directory.entries[0].data.struct.OffsetToData #retrieve the offset to the resource | |
size = dir_entry.directory.entries[0].data.struct.Size #retrieve the size of the resource | |
data = pe.get_memory_mapped_image()[data_rva:data_rva+size] #retrieve the resource data | |
return data | |
def fromHex(dec_data): | |
return bytes.fromhex(binascii.hexlify(dec_data).decode('utf-8')).decode('utf-8') | |
pe = pefile.PE(data=DATA) | |
resource_data = None | |
if hasattr(pe,'DIRECTORY_ENTRY_RESOURCE'): | |
for section in pe.DIRECTORY_ENTRY_RESOURCE.entries: | |
if str(section.directory.entries[0].name) == 'SETTINGS': | |
resource_data = ret_data(section.directory.entries[0]) | |
# size(CHAR) | KEY | DATA | |
key_length = int(binascii.hexlify(struct.unpack('<c', resource_data[:1])[0]), 16) #<c because we are looking for a single byte key length | |
key = resource_data[1:1 + key_length] | |
encrypted_data = resource_data[1 + key_length:] | |
cipher = ARC4.new(key) | |
decrypted_data = cipher.decrypt(encrypted_data).split(b'|') | |
print(decrypted_data) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment