{
	"id": "b849efdc-8cd6-4177-b9a6-9b85a57362ca",
	"created_at": "2026-04-06T00:20:07.728919Z",
	"updated_at": "2026-04-10T03:30:57.014614Z",
	"deleted_at": null,
	"sha1_hash": "0532b386f427f1605c6299baf47fb54b1a0b1d33",
	"title": "Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Four",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2085735,
	"plain_text": "Dissecting REMCOS RAT: An in-depth analysis of a widespread\r\n2024 malware, Part Four\r\nBy Cyril François, Samir Bousseaden\r\nPublished: 2024-05-10 · Archived: 2026-04-05 20:22:55 UTC\r\nDetections, hunts using ES|QL, and conclusion\r\nIn the previous articles in this multipart series [1] [2] [3], malware researchers on the Elastic Security Labs team\r\ndecomposed the REMCOS configuration structure and gave details about its C2 commands. In this final part,\r\nyou’ll learn more about detecting and hunting REMCOS using Elastic technologies.\r\nDetection and Hunt\r\nThe following Elastic Defend detections trigger on the techniques documented in the earlier parts of this series:\r\nPersistence (Run key)\r\nStartup Persistence by a Low Reputation Process\r\nProcess Injection\r\nWindows.Trojan.Remcos, shellcode_thread (triggers multiple times on both the watchdog and the main REMCOS\r\ninjected processes)\r\nPotential Masquerading as SVCHOST (the REMCOS watchdog defaults to an injected svchost.exe child\r\ninstance)\r\nRemote Process Injection via Mapping (triggers on both the watchdog and the injection into C:\\Program Files\r\n(x86)\\Internet Explorer\\iexplore.exe)\r\nPrivilege Escalation (UAC Bypass)\r\nUAC Bypass via ICMLuaUtil Elevated COM Interface\r\nEvasion (Disable UAC)\r\nDisabling User Account Control via Registry Modification (REMCOS spawns cmd.exe, which uses reg.exe to\r\ndisable UAC via registry modification)\r\nCommand and Control\r\nConnection to Dynamic DNS Provider by an Unsigned Binary (not a requirement, but most of\r\nthe observed samples use dynamic DNS)\r\nFile Deletion\r\nhttps://www.elastic.co/security-labs/dissecting-remcos-rat-part-four\r\nPage 1 of 9\n\nRemcos RAT INETCookies File Deletion\r\nModify Registry\r\nRemcos RAT ExePath Registry Modification\r\nThe ExePath registry value used by the REMCOS watchdog process can be used as an indicator of compromise.\r\nBelow is an example KQL query:\r\nevent.category:\"registry\" and event.action:\"modification\" 
and\r\nregistry.value:\"EXEpath\" and not process.code_signature.trusted:true\r\nREMCOS includes three options for clearing browser data, possibly in an attempt to force victims to re-enter\r\ntheir web credentials so that the keylogger captures them:\r\nenable_browser_cleaning_on_startup_flag\r\nenable_browser_cleaning_only_for_the_first_run_flag\r\nbrowser_cleaning_sleep_time_in_minutes\r\nThis results in the deletion of browser cookies and history-related files. The following KQL query can be used to\r\nhunt for such behavior by an unsigned process:\r\nevent.category:file and event.action:deletion and file.name:container.dat and\r\nfile.path:*INetCookies* and not process.code_signature.trusted:true\r\nREMCOS also employs three main information collection methods. The first one is keylogging via the\r\nSetWindowsHookEx API. The following ES|QL query can be used to hunt for rare or unusual processes performing this\r\nbehavior:\r\nfrom logs-endpoint.events.api*\r\n/* keylogging can be done by calling SetWindowsHookEx to hook keyboard events */\r\n| where event.category == \"api\" and process.Ext.api.name == \"SetWindowsHookEx\" and process.Ext.api.parameters.ho\r\n/* normalize process paths to ease aggregation by process path */\r\n| eval process_path = replace(process.executable, \"\"\"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4\r\n| eval process_path = replace(process_path, \"\"\"[cC]:\\\\[uU][sS][eE][rR][sS]\\\\[a-zA-Z0-9\\.\\-\\_\\$~]+\\\\\"\"\", \"C:\\\\\\\\u\r\n/* limit results to those that are unique to a host across the agents fleet */\r\n| stats occurrences = count(*), agents = count_distinct(host.id) by process_path\r\n| where occurrences == 1 and agents == 1\r\nBelow is an example of matches on iexplore.exe (injected by REMCOS):\r\nES|QL hunt for rare processes calling SetWindowsHookEx to hook 
keyboard events\r\nThe second method takes multiple screenshots and saves them as JPG files named with the pattern\r\ntime_YYYYMMDD_HHMMSS.jpg (e.g. time_20240308_171037.jpg). The following ES|QL hunt\r\ncan be used to identify suspicious processes with similar behavior:\r\nfrom logs-endpoint.events.file*\r\n/* remcos screenshots naming pattern */\r\n| where event.category == \"file\" and host.os.family == \"windows\" and event.action == \"creation\" and file.extensi\r\n| stats occurrences = count(*), agents = count_distinct(host.id) by process.name, process.entity_id\r\n/* at least 5 screenshots created by the same process.entity_id, and the behavior is limited to a single host/process */\r\n| where occurrences \u003e= 5 and agents == 1\r\nThe following image shows both REMCOS and the injected iexplore.exe instance (further investigation can be\r\ndone by pivoting on process.entity_id):\r\nES|QL hunt for rare processes creating JPG files similar to REMCOS behavior\r\nThe third collection method is audio recording, saved as WAV files. 
The following ES|QL hunt can be used to\r\nfind rare processes dropping WAV files:\r\nfrom logs-endpoint.events.file*\r\n| where event.category == \"file\" and host.os.family == \"windows\" and event.action == \"creation\" and file.extensi\r\n/* normalize process paths to ease aggregation by process path */\r\n| eval process_path = replace(process.executable, \"\"\"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4\r\n| eval process_path = replace(process_path, \"\"\"[cC]:\\\\[uU][sS][eE][rR][sS]\\\\[a-zA-Z0-9\\.\\-\\_\\$~]+\\\\\"\"\", \"C:\\\\\\\\u\r\n| stats wav_files_count = count(*), agents = count_distinct(host.id) by process_path\r\n/* limit results to a process path observed on a single agent that dropped at most 10 wav files */\r\n| where agents == 1 and wav_files_count \u003c= 10\r\nES|QL hunt for rare processes creating WAV files\r\nThe following ES|QL hunt can also look for processes that drop both JPG and WAV files using the same\r\nprocess.entity_id:\r\nfrom logs-endpoint.events.file*\r\n| where event.category == \"file\" and host.os.family == \"windows\" and event.action == \"creation\" and file.extensi\r\n/* excluding privileged processes and limiting the hunt to unsigned\r\nprocesses, processes signed by an untrusted certificate, or processes signed by Microsoft */\r\nnot user.id in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and (process.code_signature.trusted == false or process.code\r\n| eval wav_pids = case(file.extension == \"wav\", process.entity_id, null), jpg_pids = case(file.extension == \"jpg\r\n/* number of jpg and wav files created by unique process identifier */\r\n| stats count_wav_files = count(wav_pids), count_jpg_files = count(jpg_pids), other_files = count(others) by pro\r\n/* limit results to the same process dropping both file extensions */\r\n| where count_jpg_files \u003e= 1 and count_wav_files \u003e= 1\r\nExamples of matches on both REMCOS and the injected 
iexplore.exe process:\r\nES|QL hunts for unique processes dropping image and audio files\r\nPivot on process.entity_id to investigate suspicious processes further; installers, browsers, and decompression\r\nutilities are the most commonly observed false positives.\r\nYARA rule\r\nREMCOS version 4.9.3 is detected statically using the following YARA rule produced by Elastic Security\r\nLabs.\r\nMalware and MITRE ATT\u0026CK\r\nElastic uses the MITRE ATT\u0026CK framework to document common tactics, techniques, and procedures that\r\nadvanced persistent threats use against enterprise networks.\r\nTactics\r\nTactics represent the why of a technique or sub-technique. It is the adversary’s tactical goal: the reason for\r\nperforming an action.\r\nExecution\r\nPersistence\r\nPrivilege Escalation\r\nDefense Evasion\r\nCredential Access\r\nDiscovery\r\nCommand and Control\r\nTechniques\r\nTechniques represent how an adversary achieves a tactical goal by performing an action.\r\nWindows Command Shell\r\nVisual Basic\r\nRegistry Run Keys / Startup Folder\r\nProcess Injection\r\nCredentials from Web Browsers\r\nEncrypted Channel\r\nSystem Binary Proxy Execution: CMSTP\r\nBypass User Account Control\r\nConclusion\r\nAs REMCOS continues to evolve rapidly, our in-depth analysis of version 4.9.3 offers insights that can\r\naid the malware research community in understanding and combatting this pervasive threat.\r\nBy documenting its features and capabilities in this series, we provide information that\r\nstrengthens defenses against this malware.\r\nWe've also shown that our Elastic Defend product can detect and stop the REMCOS threat. 
As this article\r\ndemonstrates, our new query language, ES|QL, makes hunting for threats simple and effective.\r\nElastic Security Labs remains committed to this endeavor as part of our open-source philosophy, which is\r\ndedicated to sharing knowledge and collaborating with the broader cybersecurity community. Moving forward, we\r\nwill continue analyzing similar malware families, contributing insights to bolster collective defense\r\nagainst emerging cyber threats.\r\nSample hashes and C2s\r\n(Analysis reference) 0af76f2897158bf752b5ee258053215a6de198e8910458c02282c2d4d284add5\r\nremchukwugixiemu4.duckdns[.]org:57844\r\nremchukwugixiemu4.duckdns[.]org:57846\r\nremchukwugix231fgh.duckdns[.]org:57844\r\nremchukwugix231fgh.duckdns[.]org:57846\r\n3e32447ea3b5f07c7f6a180269f5443378acb32c5d0e0bf01a5e39264f691587\r\n122.176.133[.]66:2404\r\n122.176.133[.]66:2667\r\n8c9202885700b55d73f2a76fbf96c1b8590d28b061efbadf9826cdd0e51b9f26\r\n43.230.202[.]33:7056\r\n95dfdb588c7018babd55642c48f6bed1c281cecccbd522dd40b8bea663686f30\r\n107.175.229[.]139:8087\r\n517f65402d3cf185037b858a5cfe274ca30090550caa39e7a3b75be24e18e179\r\nmoney001.duckdns[.]org:9596\r\nb1a149e11e9c85dd70056d62b98b369f0776e11b1983aed28c78c7d5189cfdbf\r\n104.250.180[.]178:7902\r\nba6ee802d60277f655b3c8d0215a2abd73d901a34e3c97741bc377199e3a8670\r\n185.70.104[.]90:2404\r\n185.70.104[.]90:8080\r\n185.70.104[.]90:465\r\n185.70.104[.]90:80\r\n77.105.132[.]70:80\r\n77.105.132[.]70:8080\r\n77.105.132[.]70:2404\r\n77.105.132[.]70:465\r\nResearch references\r\nhttps://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing\r\nhttps://www.jaiminton.com/reverse-engineering/remcos\r\nhttps://breakingsecurity.net/wp-content/uploads/dlm_uploads/2018/07/Remcos_Instructions_Manual_rev22.pdf\r\nSource: 
https://www.elastic.co/security-labs/dissecting-remcos-rat-part-four",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.elastic.co/security-labs/dissecting-remcos-rat-part-four"
	],
	"report_names": [
		"dissecting-remcos-rat-part-four"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434807,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0532b386f427f1605c6299baf47fb54b1a0b1d33.pdf",
		"text": "https://archive.orkl.eu/0532b386f427f1605c6299baf47fb54b1a0b1d33.txt",
		"img": "https://archive.orkl.eu/0532b386f427f1605c6299baf47fb54b1a0b1d33.jpg"
	}
}
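Added example, not code from the Elastic article or from Elastic Defend: the keylogging (SetWindowsHookEx), screenshot-burst and JPG+WAV hunts described in the plain_text above, re-implemented in Python over a small constructed set of Elastic Endpoint style events so the aggregation logic can be run offline. The ECS field names follow the article's queries; the events themselves, the `hook_type` parameter name (the article's query is truncated after `parameters.ho`), the `{GUID}` and `C:\Users\user\` replacement tokens, and the screenshot filename regex are assumptions made for this example.

```python
"""Offline re-implementation of the REMCOS ES|QL hunts (added example; constructed data)."""
import re
from collections import defaultdict

# Same two regexes as the article's eval/replace() steps; replacement tokens are assumptions.
GUID_RE = re.compile(r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}")
USER_DIR_RE = re.compile(r"[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9.\-_$~]+\\")
SCREENSHOT_RE = re.compile(r"^time_\d{8}_\d{6}\.jpg$", re.IGNORECASE)  # time_YYYYMMDD_HHMMSS.jpg
PRIVILEGED_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}  # SYSTEM, LOCAL SERVICE, NETWORK SERVICE


def normalize_path(path):
    """Collapse GUIDs and the per-user profile dir so one binary aggregates to one key fleet-wide."""
    path = GUID_RE.sub("{GUID}", path)
    return USER_DIR_RE.sub(lambda m: "C:\\Users\\user\\", path)


def api_event(host, exe, hook="WH_KEYBOARD_LL"):
    # Constructed api event; "hook_type" is an assumed parameter field name.
    return {"event.category": "api", "host.id": host, "process.executable": exe,
            "process.Ext.api.name": "SetWindowsHookEx",
            "process.Ext.api.parameters.hook_type": hook}


def file_event(entity_id, host, pname, fname, user="S-1-5-21-1000-1001", trusted=False, subject=""):
    # Constructed file-creation event on a Windows host.
    return {"event.category": "file", "event.action": "creation", "host.os.family": "windows",
            "host.id": host, "process.entity_id": entity_id, "process.name": pname,
            "file.name": fname, "file.extension": fname.rsplit(".", 1)[-1].lower(),
            "user.id": user, "process.code_signature.trusted": trusted,
            "process.code_signature.subject_name": subject}


EVENTS = (
    # keyboard hook from an injected iexplore.exe, seen once on one host
    [api_event("host-1", r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"),
     # a fleet-wide agent under two user profiles: normalizes to one path, two hosts, so not rare
     api_event("host-1", r"C:\Users\alice\AppData\Local\Vendor\agent.exe"),
     api_event("host-2", r"C:\Users\bob\AppData\Local\Vendor\agent.exe")]
    # six screenshots plus one recording from the same injected process
    + [file_event("h1-p100", "host-1", "iexplore.exe", f"time_20240308_1710{s}.jpg") for s in range(37, 43)]
    + [file_event("h1-p100", "host-1", "iexplore.exe", "rec_20240308_171100.wav")]
    # trusted non-Microsoft camera app dropping both types: excluded by the signature filter
    + [file_event("h2-p7", "host-2", "Camera.exe", n, trusted=True, subject="Contoso Ltd")
       for n in ("IMG_1.jpg", "note.wav")]
    # Microsoft-signed explorer.exe saving one ordinary image: no WAV, so no match
    + [file_event("h1-p4", "host-1", "explorer.exe", "IMG_2.jpg", trusted=True, subject="Microsoft Windows")]
)


def rare_keyboard_hooks(events):
    """Hunt 1: keyboard hooks whose normalized path occurs once, on one host (occurrences == 1 and agents == 1)."""
    stats = defaultdict(lambda: [0, set()])
    for e in events:
        if e.get("event.category") != "api" or e.get("process.Ext.api.name") != "SetWindowsHookEx":
            continue
        if not e.get("process.Ext.api.parameters.hook_type", "").startswith("WH_KEYBOARD"):
            continue
        entry = stats[normalize_path(e["process.executable"])]
        entry[0] += 1
        entry[1].add(e["host.id"])
    return sorted(p for p, (n, hosts) in stats.items() if n == 1 and len(hosts) == 1)


def _windows_file_creations(events):
    for e in events:
        if e.get("event.category") == "file" and e.get("event.action") == "creation" \
                and e.get("host.os.family") == "windows":
            yield e


def screenshot_bursts(events, min_files=5):
    """Hunt 2: one process.entity_id creating >= min_files REMCOS-style JPGs, confined to a single host."""
    stats = defaultdict(lambda: [0, set(), None])
    for e in _windows_file_creations(events):
        if e["file.extension"] == "jpg" and SCREENSHOT_RE.match(e["file.name"]):
            entry = stats[e["process.entity_id"]]
            entry[0] += 1
            entry[1].add(e["host.id"])
            entry[2] = e["process.name"]
    return sorted((name, eid) for eid, (n, hosts, name) in stats.items() if n >= min_files and len(hosts) == 1)


def jpg_and_wav_droppers(events):
    """Hunt 3: same process.entity_id creating both JPG and WAV, skipping privileged SIDs and
    binaries trusted-signed by anyone other than Microsoft."""
    counts = defaultdict(lambda: {"jpg": 0, "wav": 0, "other": 0})
    for e in _windows_file_creations(events):
        if e["user.id"] in PRIVILEGED_SIDS:
            continue
        if e["process.code_signature.trusted"] and not e["process.code_signature.subject_name"].startswith("Microsoft"):
            continue
        ext = e["file.extension"]
        counts[e["process.entity_id"]][ext if ext in ("jpg", "wav") else "other"] += 1
    return sorted(eid for eid, c in counts.items() if c["jpg"] >= 1 and c["wav"] >= 1)


if __name__ == "__main__":
    print("rare keyboard hooks:", rare_keyboard_hooks(EVENTS))
    print("screenshot bursts:", screenshot_bursts(EVENTS))
    print("jpg+wav droppers:", jpg_and_wav_droppers(EVENTS))
```

The path normalization is what makes the rarity test meaningful: without it, the same agent under two user profiles would look like two distinct, single-host binaries and both would surface as "rare". The signature filter in the last hunt deliberately keeps Microsoft-signed binaries, because REMCOS runs inside injected svchost.exe and iexplore.exe instances whose on-disk image is legitimately signed.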