{
	"id": "1e49ff3e-a28c-488b-80e0-5e9119a2cb9a",
	"created_at": "2026-04-06T00:11:05.896125Z",
	"updated_at": "2026-04-10T03:30:33.819176Z",
	"deleted_at": null,
	"sha1_hash": "378c38d43a95f4fe6e9e05b9be2a68381b53045b",
	"title": "RomCom RAT: Not Your Typical Love Story",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 403055,
	"plain_text": "RomCom RAT: Not Your Typical Love Story\r\nPublished: 2023-09-08 · Archived: 2026-04-05 15:53:58 UTC\r\nA Remote Access Trojan (RAT) is a type of malware that, as the name suggests, can remotely access a victim’s system after successful infection. This blog is about one such RAT, RomCom RAT, which can take complete control of a compromised system by spoofing and deploying fake versions of legitimate applications on the victim’s system to gain initial trust.\r\nLet us get into the details of one of the samples which drops a malicious RomCom RAT binary. This sample was digitally signed by Noray Consulting Ltd. On further analysis, we observed that Noray Consulting Ltd had a dummy LinkedIn page and a dubious website to deceive the victims.\r\nFigure 1 - Digital signature of the sample\r\nFigure 1 shows the digital signature and the name of the signer.\r\nhttps://labs.k7computing.com/index.php/romcom-rat-not-your-typical-love-story/\r\nPage 1 of 11\r\nFigure 2 - File payloads of our sample\r\nIt was observed that the setup file drops RomCom files in C:\\Users\\Public\\Libraries. We observed that all DLLs dropped were VMProtect’ed files.\r\nFigure 3 - VMProtect packed payload file\r\nFrom Figure 3, we can see that the dropped file netid7*.dll0 has high entropy and is a VMProtect’ed file.\r\nFigure 4 - Malicious binary accessing PEB\r\nHere we can observe that the malware accesses the Process Environment Block (PEB) using gs:60h; after getting access to it, the malware checks the OS build number using rax+120h.\r\nFigure 5 - Is-the-process-being-debugged check\r\nThen the current process is checked to see whether it is being run under a debugger.\r\nFigure 6 - IsProcessorFeaturePresent\r\nIt then uses IsProcessorFeaturePresent; the argument 0x17 is passed to check whether the __fastfail option is available or not.\r\nFigure 7 - Anti-debug check\r\nHere, QueryPerformanceCounter is used as an anti-debug technique. When a process is being debugged there is a delay between instruction and execution. By using QueryPerformanceCounter, the delay taken to run each instruction can be measured.\r\nFigure 8 - Calling GetOEMCP\r\nIn the above figure, we can see that GetOEMCP is used, which returns the OEM code page identifier of the operating system.\r\nFigure 9 - Locale based exclusion\r\nThe malware then checks if the code page identifier is one of zh-CN, zh-TW, ko-KR, ja-JP. This is done to check if there is any clipboard data related to the Chinese, Japanese or Korean language. If it is in one of these locales, the malware process throws an exception and terminates.\r\nFigure 10 - Environment variable\r\nThe sample under consideration has the ability to set an environment variable; it has been observed that malware uses this to bypass the normal DLL loading order and load the DLL from another location.\r\nFigure 11 - Decrypting function\r\nThe malware keeps all the static data such as the URL, client header, registry value and filename encrypted, and decrypts it as shown in Figure 11.\r\nFor example:\r\nEncrypted filename –\r\n3B 20 54 18 7E 4F 8C 7F 70 20 5D 18 22 4F 86 7F 70 20 41 18 0C 4F\r\nDecryption key –\r\n08 20 24 18 0C 4F E3 7F\r\nThe decrypted filename –\r\n3proxy.exe\r\nEncrypted Rundll32 path –\r\n1B 5A 05 49 6F 95 80 90 2F 13 05 4D 7F 88 90 9A 35 53 6B 42 74 8E 8A 9B 34 0C 6A 2C 28 9E 9C 9A 78\r\nDecryption key –\r\n58 60 59 1E 06 FB E4 FF\r\nDecrypted Rundll32 path –\r\nC:\\Windows\\System32\\rundll32.exe\r\nEncrypted string –\r\n7B 20 2C 16 67 FF 92 7F 7C 20 34 16 63 FF 81 7F 6F 20 2D 16 63 FF CE 7F 66 20 3D 16 72 FF E0 7F\r\nDecryption key –\r\n08 20 58 16 06 FF E0 7F\r\nDecrypted string –\r\ns.t.a.r.t.l.e.a.g.u.e...n.e.t\r\nBasic XOR encryption/decryption is at play here.\r\nFigure 12 - Obtaining proxy configuration, if any\r\nThe WinHttpGetIEProxyConfigForCurrentUser API is used to get the Internet Explorer proxy configuration for the current user. Using this, the malware can exfiltrate the data gathered from the victim.\r\nFigure 13 - Establishing C2 connection\r\nHere, we can observe that it’s decrypting “startleauge.net” using the decryption function mentioned in Figure 11.\r\nFigure 14 - File download\r\nRomCom RAT uses the WinHttpReadData API to download any file which is pushed by the C2.\r\nFigure 15 - RDP connection check\r\nThe malware checks whether any active RDP session is live using the ProcessIdToSessionId API, and then proceeds to use the retrieved session ID to establish the connection.\r\nFigure 16 - C2 connection\r\nIn Figure 16 we can observe that this RomCom RAT is trying to connect to the C2. If the connection is not established, there is a sleep time before it checks again.\r\nFigure 17 - Performing local reconnaissance\r\nIt traverses the file system using FindFirstFileA and FindNextFileA, collects a list of filenames and sends it to the C2.\r\nFigure 18 - Eyeing the list of running processes\r\nIt uses CreateToolhelp32Snapshot and then iterates through the processes using Process32FirstW and Process32NextW to list all the running processes.\r\nIt has been observed that in a number of instances RomCom threat actors have used fake websites and applications to carry out their malicious activity.\r\nWe at K7 Labs provide detection for RomCom RAT and all the latest threats. Users are advised to use a reliable security product such as “K7 Total Security” and keep it up-to-date to safeguard their devices.\r\nIndicators of Compromise (IOCs)\r\nHash | Detection Name\r\n007A67BFA732084B3F8278B302BEF49E | Trojan ( 005a54be1 )\r\n6F47723E5FC6E96AB5E9F96F6BC585FA | Trojan ( 00566ad51 )\r\n46AC4B26D35F619D8A1415B5E4365A52 | Trojan ( 005a3e761 )\r\nC2\r\nstartleauge.net\r\nReferences\r\nhttps://www.trendmicro.com/en_in/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html\r\nhttps://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit\r\nSource: https://labs.k7computing.com/index.php/romcom-rat-not-your-typical-love-story/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://labs.k7computing.com/index.php/romcom-rat-not-your-typical-love-story/"
	],
	"report_names": [
		"romcom-rat-not-your-typical-love-story"
	],
	"threat_actors": [
		{
			"id": "fecc0d5a-3654-425d-9290-b6d0b4105463",
			"created_at": "2023-10-17T02:00:08.330061Z",
			"updated_at": "2026-04-10T02:00:03.37711Z",
			"deleted_at": null,
			"main_name": "Void Rabisu",
			"aliases": [
				"Tropical Scorpius"
			],
			"source_name": "MISPGALAXY:Void Rabisu",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "555e2cac-931d-4ad4-8eaa-64df6451059d",
			"created_at": "2023-01-06T13:46:39.48103Z",
			"updated_at": "2026-04-10T02:00:03.342729Z",
			"deleted_at": null,
			"main_name": "RomCom",
			"aliases": [
				"UAT-5647",
				"Storm-0978"
			],
			"source_name": "MISPGALAXY:RomCom",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f56bb34-098d-43f6-a0e8-99616116c3ea",
			"created_at": "2024-06-19T02:03:08.048835Z",
			"updated_at": "2026-04-10T02:00:03.870819Z",
			"deleted_at": null,
			"main_name": "GOLD FLAMINGO",
			"aliases": [
				"REF9019 ",
				"Tropical Scorpius ",
				"UAC-0132 ",
				"UAC0132 ",
				"UNC2596 ",
				"Void Rabisu "
			],
			"source_name": "Secureworks:GOLD FLAMINGO",
			"tools": [
				"Chanitor",
				"Cobalt Strike",
				"Cuba",
				"Meterpreter",
				"Mimikatz",
				"ROMCOM RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434265,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/378c38d43a95f4fe6e9e05b9be2a68381b53045b.pdf",
		"text": "https://archive.orkl.eu/378c38d43a95f4fe6e9e05b9be2a68381b53045b.txt",
		"img": "https://archive.orkl.eu/378c38d43a95f4fe6e9e05b9be2a68381b53045b.jpg"
	}
}