Is THIS a VIRUS? Finding a Remcos RAT

Is THIS a VIRUS? Finding a Remcos RAT - Malware Analysis

Рет қаралды 356,795

3 жыл бұрын

If you would like to support the channel and I, check out Kite! Kite is a coding assistant that helps you code faster, on any IDE offer smart completions and documentation. www.kite.com/get-kite/?... (disclaimer, affiliate link)
For more content, subscribe on Twitch! / johnhammond010
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: / johnhammond010
PayPal: paypal.me/johnhammond010
E-mail: johnhammond010@gmail.com
Discord: johnhammond.org/discord
Twitter: / _johnhammond
GitHub: github.com/JohnHammond

Пікірлер: 901

@johnjohnerd6921 3 жыл бұрын

"This is just 75 lines of code" *Half hour later* "201 thousand characters selected"

@AlucardNoir 3 жыл бұрын

that's how they get you man, that's how they get you.

@geist453 3 жыл бұрын

@@AlucardNoir AND YOU BUT GUESS WHO NOT?! ME AND JOHN

@GuyMassicotte 3 жыл бұрын

Majorly loaded by a fake jpg ;)

@bansku570 2 жыл бұрын

@@geist453 l

@nojusnojus8015 2 жыл бұрын

@@bansku570 I

@DenyardTV 3 жыл бұрын

Ngl, never thought it would be so much fun watching someone analyse and breakdown a virus.

@KrakenPipe 3 жыл бұрын

I was thinking the same thing! I might have just discovered my new rabbit hole lol

@AmbitionErudition 2 жыл бұрын

Woow

@richie7425 3 жыл бұрын

Times must be hard, Ed Sheeran is writing python.

@batmanasdasd 3 жыл бұрын

Lmaooo💀💀

@HiramSalinas 3 жыл бұрын

he looks like an unscuffed burgerplanet

@realitynowassigned 3 жыл бұрын

This is ed sheerhan and Seth rogans kid.

@HaxorBird 3 жыл бұрын

You are the hacker version of pewdiepie. Very entertaining to watch.

@lusthetics 3 жыл бұрын

Nah he looks like a de deobfuscated Ed Sheeran

@0xRalu 3 жыл бұрын

Love this malware analysis series!

@ismhdez 3 жыл бұрын

Me too! Amazing series

@syverlunde9622 3 жыл бұрын

I love it too!

@jbgaud 2 жыл бұрын

me too, this guy is really good.

@s.broyal5128 Жыл бұрын

Sir. Can I use remcos rat to hack Android...

@slygamer01 3 жыл бұрын

The REMCOS developer "discourages malicious use". For sure, everyone will use solely for legitimate purposes.

@aliencatmeow 3 жыл бұрын

'sure if you say so' meanwhile no one uses it legitimately

@karimmohamed3744 3 жыл бұрын

Malicious actors: amma head out

@garethevans9789 3 жыл бұрын

Ethical hackers don't sell hacking toolkits, ethics and all that... 🤷‍♂️

@technoturnovers7072 3 жыл бұрын

@@garethevans9789 Pentesting tools are released open source because not only is open source more effective, but it makes sure that the developers are not potentially profiting off of malicious actors, intentionally or not.

@cyber1377 3 жыл бұрын

Meh, skids are gonna find a way anyway. With our without this program.

@bennettpalmer1741 3 жыл бұрын

I love how they went through six stages of obsfuscation, and a lot of effort into hiding what they were doing.... but their payload was literally called "Attack.jpg" like surely they could have named it something at least slightly less blatant.

@FilliamPL 3 жыл бұрын

Perhaps they didn't care to hide it at that point? I know that obfuscation helps to counter analysts, but when the code is downloading data from a URL, then I suppose it wouldn't've been worth their effort to obscure the name of the download. Then again, they could've made a second download with totally unnecessary data. Either way - this thing is bad (for you)! xD

@andmo90 3 жыл бұрын

Content like this is why I don't have to pay for cable, satellite, or netflix!

@garethevans9789 3 жыл бұрын

But then he would have been on 8-12 screens and typed those 200k characters (hacking is typing fast), it's all hard to follow. It would be like watching the Matrix.

@viv_2489 3 жыл бұрын

Yeah

@SiveenO Жыл бұрын

Okay, but consider this: TOS and TNG are on Netflix.

@NickyPuff 3 жыл бұрын

I love when John is laughing over the Attack.jpg url

@livroz454 3 жыл бұрын

best part

@ultimate8673 3 жыл бұрын

The guy that wrote the script watching this video rn must be like 👁️👄👁️

@TracyNorrell 3 жыл бұрын

Scheduling this to start at the same time as the new mars rover is landing... Bold move cotton, let's see how it works out

@_JohnHammond 3 жыл бұрын

Bah, totally didn't even realize xD Ah well!

@originalgaming9062 3 жыл бұрын

@@_JohnHammond I’d prefer watching this over some rover landing

@originalgaming9062 3 жыл бұрын

@@tripplefives1402 isn’t the rover automatically controlled because the delay would be 10 minutes long?

@baremetalHW 3 жыл бұрын

Damn that was fun to watch!! Thanks and keep them coming!!!!!!

@uniquechannelnames 3 жыл бұрын

Algorithm, give this man the recs.

@TexasTimelapse 3 жыл бұрын

It worked. That's why I'm here.

@donaldduck6198 3 жыл бұрын

John, as you are very good, you should stand this comment: In Powershell a "split (..)" is a regular expression splitten in string in portione of two characters, ie "4142" becomes "41", "42", in Hex AB

@pumpkin7976 3 жыл бұрын

Plottwist: this is all just an advertisement for BreakingSecurity

@dustinjohnson7635 3 жыл бұрын

Amazing work, you deserve the money from the KZfaq overlords. Literally only commented to help boost those algos.

@whamer100 3 жыл бұрын

"is this the newest version? because that would be pretty slick" *immediately scrolls past the version number 3.1.0 showing it is the latest version*

@vedritmathias9193 3 жыл бұрын

Remcos: "We specialize in ethical hacking" Also Remcos: *is used in malicious code*

@darkdagger032 3 жыл бұрын

This is one of the best educational videos i've seen

@randallsalyer 3 жыл бұрын

I love John’s response when the light bulb goes off and all the hard work comes together. Great video as always.

@willo7734 2 жыл бұрын

Whatever that quality is that great teachers have, you have it. Never change the format of your videos. I love seeing you troubleshoot and reason through everything live.

@ayayron9452 3 жыл бұрын

"guys, you might think i'm dumb" LOL exact opposite.

@ycoihmn6388 3 жыл бұрын

This style of video really helps me with my start in forensics and malware analysis. I love liveoverflow and other CTF summary channels but they often feel like magic in the way they present their findings. Keep up the great work :3

@whatnowsami9225 3 жыл бұрын

Nobody: Virus Code: * Does malicious stuff* John: Is it trying to do something bad? HAHAHA Us: Duhhh John. wtf

@vannialora3476 3 жыл бұрын

the evolving of rat is so amazing, i remember in late 90's where sub7, netbus and back orifice was so popular and inspired me into hacking. IRC was the channel to go to before and dial up is your connection.

@vargnaar 3 жыл бұрын

"Can I get anything out of Melons?" You can get juice, John. Juice.

@rccservice 3 жыл бұрын

that url has to be the greatest thing ive ever seen

@patchbyte6856 3 жыл бұрын

this is gonna be good

@AnthonyBlakley 3 жыл бұрын

Indeed Indeed :D

@TheSeakr 3 жыл бұрын

I'm just finding this channel and its quickly becoming my favorite content. Im fascinated with all of this. Really inspires me to get started with basic coding to get my feet wet.

@mbowler05 3 жыл бұрын

Hands down one of the best malware analysis walkthroughs I’ve seen. Watched it twice.

@britishpiperygo 3 жыл бұрын

Loving this series. Would like to see some disassembling malware analysis.

@md123180 3 жыл бұрын

Where have you been all my CS degree? This is awesome watching this stuff in action as you do it. I love the content! Definitely going to keep watching!

@waytoofarianism 3 жыл бұрын

That was freaking wild, man. You're sharp at this stuff

@auto117666 3 жыл бұрын

In the next episode... John rewrites the kernel for more efficient find and replace..... STONKS!

@eliasgamezgarcia3414 3 жыл бұрын

Dude you are simply awesome...it's so enriching for all of your viewers to see your hard work and all your skills, and the best of all is that we can see you enjoying so we enjoy and learn too. Regards from Spain!

@ThomasGabrielsen 3 жыл бұрын

What a great catch! This is by far the most interesting video I've watched on KZfaq for a very long time. I love this of unedited video.

@PerfectEn3my 2 жыл бұрын

Great video, I love this series. Also special thanks for zooming in this much, watching code-related stuff on phone is usually a pain, but not in your case. Keep up the good work!

@mechanicalfluff 3 жыл бұрын

i missed the premiere, but this is definitely a blast to watch. Would love to see this more

@fragrenader1 3 жыл бұрын

So far this is the most fun I've had watching hacking videos. Your analysis is fantastic and I enjoy seeing your process. Keep it up!

@Dilipkumar-ur9zx 3 жыл бұрын

After watching this, gained a keen interest in Malware Analysis. Thanks for the awesome content.

@zamant88 2 жыл бұрын

This was actually fun to watch and go on this journey with you! Loving these videos

@m1rz 3 жыл бұрын

Pretty sure you need to run the obfuscated version of the AMSI bypass. Great video, would love to see more of these!

@wazoozastoob1234567 3 жыл бұрын

THOSE DOWNVOTES....GTFO...this dude is a legend

@thedemonlord9232 3 жыл бұрын

you got my sub for this. its 3am in the morning and I've watched the entire thing having so much fun. keep on with the good stuff

@mattgwalker 3 жыл бұрын

John - This is great content. I really am learning a lot watching you work these out. Keep it up! The masses demand more of this!

@definesigint2823 3 жыл бұрын

I've taken apart stuff like this (when I worked in large enterprise) but the samples were rarely more than 3-4 levels deep. This actually looks a lot more like a challenge you'd get at a CTF competition _(perhaps they're getting ideas from each other)_ ?

@kitrodriguez992 3 жыл бұрын

I was watching some scam baiting videos and also doing some deep dives into RATs and just... CyberSec/CompSci things in general and found this video. I'm glad I bumped into your channel. Really good stuff you have going on here

@Cinual 2 жыл бұрын

You make easy to understand videos as you break things down. i really enjoy them. I have a vague understanding of coding and the way you work is easy to follow.

@uimstar5254 3 жыл бұрын

Wow, that was awesome video. It is so nice to see you go through all the steps and thinking while deobfuscing. This RAT is kind of really scary for everything it can do. I would like to see more of this in the future! Keep up the good work

@shawnio 3 жыл бұрын

every single line "I don't exactly know what is going on here" so basically this guy is just us trying to understand code. got it.

@MikeKirkpatrick 3 жыл бұрын

Well worth the watch. This is a great video. Please do more. :)

@georgehammond867 3 жыл бұрын

how do you copy and paste into VirtualBox in Windows 10

@h4wk_n377 3 жыл бұрын

Keep on doing those Malware Analysis. It's really fun to watch and it's quite educative too!

@nilanjana25 2 жыл бұрын

Totally enjoyed the video. It was an absolute rollercoaster ride. I love the way you present and explain the details in all your videos. And also none of your videos ever seem to be monotonous even when we are dealing with such mind boggling stuff because of the way you laugh and get excited when you crack/deobfuscate a piece of code. 😁 Thank you so much for taking the effort and sharing the awesome work😊

@tears_falling 3 жыл бұрын

Attack.jpg, that was hilarious

@CristiNeagu 3 жыл бұрын

59:31 No. That's the noun "licence" as opposed to the verb "license". It's a British thing.

@facekickr 3 жыл бұрын

That was a great video. I don't know a whole lot about what you do, but it was super fun watching you do it. Thanks so much!

@ihatethesensors 3 жыл бұрын

Awesome awesome video John! I have followed these de-obfuscation things and when I get to the PE32 I usually say f-it and give up and upload it to virustotal. I'm so glad you went further with this. Thanks so much man!

@bradlad1574 3 жыл бұрын

That's a rabbit hole if I've ever seen one haha great stuff man!

@definesigint2823 3 жыл бұрын

If only it (the rabbit holes) were rare. 😥

@ulbed 3 жыл бұрын

Follow the white rabbit!

@1XXXJoker 3 жыл бұрын

I have basically no connection to it-sec, but this stuff is addictive ... love the videos

@rubenolguin2180 2 жыл бұрын

Wow, that was a crazy ride! Thanks for taking us on the journey.

@Krampfey 2 жыл бұрын

Damn, I just watched over an hour of stuff I have no clue of and I still feel educated and entertained. It even kinda makes sense, when you talk about it and explain some stuff. Thank you very much! :)

@HBTwardy 3 жыл бұрын

John: releases a video with malware analysis Me after watching a video: *Lemme check real quick whether notepad.exe is running in the background or not in Task Manager*

@benricok 3 жыл бұрын

Imagine using windows 🤔

@Reelix 3 жыл бұрын

@@benricok Imagine thinking that exploit-db had 0 results for Linux 🤔

@benricok 3 жыл бұрын

@@Reelix I didn't even mention an OS? I am aware that Linux isn't perfect as so with every software product (opensource or not). The worst thing you can do to your security is to be over confident in your defense.

@theluckyscav3487 3 жыл бұрын

@@benricok Imagine being a pompous asshole. Some people want to, you know, play normal games on their computer.

@jixs4v 2 жыл бұрын

@@theluckyscav3487 I mean linux gaming has come a long way, but it still needs some time to flourish

@Zachucks 3 жыл бұрын

"I don't like these advertisements..." "You didn't see this here folks!" "Not in a John Hammond video!"

@DarkFaken Жыл бұрын

I love these malware analysis videos. You break stuff down to a fairly easy to understand level for most technical people. I'm just getting into cyber security and I'm really enjoying your content, thank you.

@cwlancaster979 3 жыл бұрын

Fantastically enjoyable to watch you solve problems as always . Thanks John

@kingknight100 3 жыл бұрын

The Title is like Asking if water is wet LOL

@picocode 3 жыл бұрын

Waiting for it :)

@crazymonkeyVII 2 жыл бұрын

Absolutely brilliant! I've discovered your channel yesterday and I can't stop watching. This stuff makes me want to give it a shot as well. Never knew that deconstructing programs/scripts (especially ones with malicious intent) could be this much fun! Subbed+bell.

@christianf21 3 жыл бұрын

This is crazy. I've learned more about malwares in a few vids I saw from you, than the time I spent trying to get into the field years ago. I'm a fulltime dev now and have been working for over 7 years. Reminds me of my recent grad days where all I wanted was to understand this. Much easier to follow now, and damn, learning so much so quick now. Props to you.

@nickyfranshel1210 3 жыл бұрын

I have no idea what I'm watching but I'm enjoying it :)

@internetuser8922 3 жыл бұрын

It's actually not a bad way to learn, at least starting out - if you're interested. I have a background in software engineering, but I only understand maybe 75% of what's going on.

@AhmedAbbas-hp5ej 3 жыл бұрын

Legend

@sgtfatboy1 2 жыл бұрын

Your knowledge is very impressive! Love learning from guys like you!

@JackAllpikeMusic 3 жыл бұрын

This was fabulous! I hope to see more!

@temitopehardhekheyhe7359 3 жыл бұрын

Please mahn ... we need more malware analysis like this!! ... and also ... C source code analysis (something like that)

@tomriddle2427 3 жыл бұрын

That was more than a safari ride! It's awsm

@musingmuse9064 3 жыл бұрын

Watched the whole thing from start to finish - loved it! Make more!

@Seluj78 3 жыл бұрын

Really interesting video, thanks !! I'm impressed at the obfuscation job done on this malware it's impressive

@testingstuff6111 3 жыл бұрын

was great :)

@azurnxo2134 3 жыл бұрын

Amazing stuff. Learned a lot from this video. I have a question: how did you come across this script? Did someone give it to you? Anything like that? Loving these malware analysis videos, John. Keep 'em coming!

@snuffy6449 3 жыл бұрын

I binge your videos every day all day at work. Gets me through the day and I learn some new/cool stuff.

@SuperBryantheman 3 жыл бұрын

Dope analysis! The streets need this type of content. Keep it coming.

@bigp3t3_cpt 3 жыл бұрын

so where did you get the jscript if it was only released so recently...

@victorhmg8080 3 жыл бұрын

i wanna know too

@ExcludedLayman 3 жыл бұрын

The actual payload was hosted remotely, so that can be updated separately.

@gabrote42 2 жыл бұрын

I honestly never appreciated Search and Replace until today. Everything is so clear now! 19:35 One learns more every day 33:44 What the hell this is hilarious 44:00 I hope you saved 56:13 I judt read a Online Keylogger Started so I guess yes 1:01:52 Oh so test hacks? Was this retrofitted to be malicious or you just were smart? 1:03:08 Imagine if Jim's Scammers used this crap. My god 1:10:00 Fresh off the oven and unobfudcated

@executor31 3 жыл бұрын

Found you on the recommanded page , love it !

@syverlunde9622 3 жыл бұрын

Pls keep up the malware analysis videos! Its so fun to watch!

@kerrickfanning6910 2 жыл бұрын

I just want to know how it’s humanly possible to obtain the level of programming and CS knowledge needed to be capable of doing what he does in this video

@DaCaveman84 2 жыл бұрын

It’s depressing but motivating also!

@alexcolley205 Жыл бұрын

Yeah imagine who made this

@emanuel6934 Жыл бұрын

Actually, not too much. Deobfuscating such stuff is not very complicated, but he is still doing a good job. But tbh .. most parts could be much faster by debugging functions step by step instead of trying to deobfuscating every var and func.

@KlaypexDelusion 3 жыл бұрын

BTW... next thing. Do remcos guide, analysis and stuff

@andresecre5428 3 жыл бұрын

Really fun to watch ! Looking forward to see more !

@4akat 3 жыл бұрын

that was wild. these new malware videos are great. thanks John!

@thedosiusdreamtwister1546 3 жыл бұрын

Where do you get such fresh samples? That hash isn't even on VT yet.

@Anonymous-vh6kp 3 жыл бұрын

Plot twist: John actually wrote it

@SaeedAlFalasi 3 жыл бұрын

Next video Stuxnet analysis :D

@forthewubwubs 3 жыл бұрын

I'm learning to program in college rn and I just ran across your channel and my God man the length people go to, to scoot around anti-virus software and download shit on your computer is insane. Although seeing how all these functions are working together is awesome! Keep up the good work!!!👍

@sannyboi7298 2 жыл бұрын

Brilliant. You make malware reversing so fun to watch.

@petersva 3 жыл бұрын

1:07:15 coronavirus was around at that time, it started spreading as soon as 17 dec. in china, possibly even sooner

@dieSpinnt 3 жыл бұрын

Thanks Peter, I wanted to comment also on this. COVID-19 after the temporary name “2019-nCoV”. In mid-February it was also known in many countries (including Germany ... Trend Micro), the WHO had warned (January 30, 2020). Unfortunately, it wasn't taken very seriously. We all know what happened next ... see also: www.euro.who.int/en/health-topics/health-emergencies/coronavirus-covid-19/novel-coronavirus-2019-ncov