@0xToxin
Created July 22, 2023 20:07
RemcosRAT "raw" config decryptor.
'''
The output is a plain list of fields; no regex parsing is done.
If you want regex-based field extraction, see the RussianPanda95 extractor:
https://github.com/RussianPanda95/Configuration_extractors/blob/main/remcos_rat_config_extractor.py
'''
import pefile
import struct
from Crypto.Cipher import ARC4
import binascii
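REMCOS_PATH = ''  # path to the (unpacked) Remcos payload to analyse; set before running
if not REMCOS_PATH:
    # Fail with a clear message instead of a bare FileNotFoundError on ''.
    raise SystemExit('set REMCOS_PATH to the Remcos payload to analyse')

# Read the whole sample into memory once. The context manager closes the
# handle immediately instead of leaving it open for the life of the process.
with open(REMCOS_PATH, 'rb') as _sample:
    DATA = _sample.read()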
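def ret_data(dir_entry, pe_image=None):
    """Return the raw bytes of the resource referenced by *dir_entry*.

    Args:
        dir_entry: a pefile resource directory entry whose first child is
            the data entry (``dir_entry.directory.entries[0].data``).
        pe_image: the pefile.PE object whose memory-mapped image holds the
            resource. Defaults to the module-level ``pe`` so existing
            callers keep working; pass it explicitly to avoid the global.

    Returns:
        The resource bytes sliced from the memory-mapped image. Python
        slicing silently truncates when the declared size runs past the
        end of the image, so the result may be shorter than ``Size``.

    Raises:
        IndexError: if *dir_entry* has no child entries.
    """
    image_owner = pe if pe_image is None else pe_image
    data_entry = dir_entry.directory.entries[0].data.struct
    data_rva = data_entry.OffsetToData  # RVA of the resource payload
    size = data_entry.Size  # declared length, read from the sample's own header
    return image_owner.get_memory_mapped_image()[data_rva:data_rva + size]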
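def fromHex(dec_data):
    """Decode a bytes-like value as UTF-8 text.

    The original body hex-encoded the input and immediately parsed the hex
    back into the same bytes before decoding; that round trip has no effect,
    so only the decode step is kept.

    Args:
        dec_data: bytes, bytearray or any buffer accepted by ``bytes()``.

    Returns:
        The UTF-8 decoded string.

    Raises:
        UnicodeDecodeError: if *dec_data* is not valid UTF-8.
    """
    return bytes(dec_data).decode('utf-8')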
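pe = pefile.PE(data=DATA)

# Locate the resource directory named "SETTINGS"; that is where the
# encrypted Remcos configuration is stored.
resource_data = None
if hasattr(pe, 'DIRECTORY_ENTRY_RESOURCE'):
    for section in pe.DIRECTORY_ENTRY_RESOURCE.entries:
        if str(section.directory.entries[0].name) == 'SETTINGS':
            resource_data = ret_data(section.directory.entries[0])

# Without this guard the slicing below fails with an opaque TypeError on None.
if resource_data is None:
    raise SystemExit('no SETTINGS resource found; is this an unpacked Remcos payload?')
if len(resource_data) < 2:
    raise SystemExit('SETTINGS resource is too short to hold a key length and a key')

# Resource layout: size(CHAR) | KEY | DATA
# The first byte is the RC4 key length. Indexing a bytes object already
# yields the integer value, so no unpack/hexlify round trip is needed.
key_length = resource_data[0]
key = resource_data[1:1 + key_length]
encrypted_data = resource_data[1 + key_length:]
# The length byte comes from the sample itself; make sure it is consistent
# with the bytes actually present before handing the key to the cipher.
if key_length == 0 or len(key) != key_length:
    raise SystemExit('SETTINGS resource declares a {}-byte key but {} bytes are present'
                     .format(key_length, len(key)))

cipher = ARC4.new(key)
# Fields are '|'-separated and left as raw bytes (see fromHex for decoding).
# They originate from the malware sample, so treat them as untrusted input
# when passing them on to other tooling.
decrypted_data = cipher.decrypt(encrypted_data).split(b'|')
print(decrypted_data)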