{
	"id": "1ae61cd2-3af5-4087-b9ad-f2cbb17fb12d",
	"created_at": "2026-04-10T03:21:21.588474Z",
	"updated_at": "2026-04-10T03:22:17.183113Z",
	"deleted_at": null,
	"sha1_hash": "3caa5f517805597225acde7d525f8018bdb3b1a2",
	"title": "Analysis: New Remcos RAT Arrives Via Phishing Email",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2443602,
	"plain_text": "Analysis: New Remcos RAT Arrives Via Phishing Email\r\nBy Aliakbar Zahravi ( words)\r\nPublished: 2019-08-15 · Archived: 2026-04-10 02:39:20 UTC\r\nIn July, we came across a phishing email purporting to be a new order notification, which contains a malicious attachment\r\nthat leads to the remote access tool Remcos RAT (detected by Trend Micro as BKDR_SOCMER.SM). This attack delivers\r\nRemcos using an AutoIt wrapper that incorporates various obfuscation and anti-debugging techniques to evade detection,\r\nwhich is a common method for distributing known malware.\r\nRemcos RAT emerged in 2016 being peddled as a service in hacking forums — advertised, sold, and offered cracked on\r\nvarious sites and forums. The RAT appears to still be actively pushed by cybercriminals. In 2017, we reported spotting\r\nRemcos being delivered via a malicious PowerPoint slideshow, embedded with an exploit for CVE-2017-0199. Recently, the\r\nRAT has made its way to phishing emails.\r\nThe malicious actor behind the phishing email appears to use the email address rud-division@alkuhaimi[.]com (with a\r\nlegitimate domain) and the subject \"RE: NEW ORDER 573923\". The email includes the malicious attachment using the\r\nACE compressed file format, Purchase order201900512.ace, which has the loader/wrapper Boom.exe.\r\nAnalyzing the wrapper/loader\r\nAfter converting the executable to AutoIt script, we found that the malicious code was obfuscated with multiple layers,\r\npossibly to evade detection and make it difficult for researchers to reverse. The top layer of obfuscation is shown in the\r\nfollowing:\r\nFigure 1. Obfuscated core functions\r\nhttps://www.trendmicro.com/en_ca/research/19/h/analysis-new-remcos-rat-arrives-via-phishing-email.html\r\nPage 1 of 13\n\nFigure 2. Functions used for deobfuscation\r\nThe main goal of the Boom.exe file is to achieve persistence, perform anti-analysis detection, and drop/execute Remcos RAT\r\non an affected system. 
The string-decoding routine (Figure 3) first evaluates the arithmetic stored in the array and then uses the ChrW() function\r\nto convert each resulting Unicode code point to its character.\r\nFigure 3. Sample of string decoding\r\nIn some cases, after this decoding step, the malware uses the AutoIt function BinaryToString() to turn a binary (hex) blob into\r\nthe script text of the next layer. The following code snippet demonstrates this behavior:\r\nFigure 4. AutoIt Binary to String decoding\r\nAfter deobfuscation, the AutoIt code can be seen containing large amounts of junk code meant to throw analysts off the\r\ntrack.\r\nFigure 5. Sample of junk code\r\nThe malware then creates a copy of itself in %AppData%\\Roaming\\appidapi\\UevTemplateBaselineGenerator.exe and loads\r\nthe main payload (Remcos RAT) from its resource section. It then prepares the environment to execute the main\r\npayload by running the following shellcode (frenchy_shellcode version 1).\r\nFigure 6. Frenchy_ShellCode_001\r\nFigure 7. Executing and decoding Frenchy Shellcode\r\nFigure 8. Frenchy Shellcode Mutant\r\nDecoding and loading Remcos from resources\r\nThe DecData() function loads the encoded payload from the resource section, reverses the whole string, and replaces every\r\n“%$=” with “/”, which restores a standard base64 string.\r\nFigure 9. AutoIt decoding the main payload: Code + encoded resource (Remcos RAT)\r\nFigure 10. AutoIt decoding the main payload: Code only\r\nIt then calls CryptStringToBinary with dwFlags = 1 (CRYPT_STRING_BASE64) to decode the base64 PE file, which is the main\r\npayload:\r\n$a_call = DllCall(\"Crypt32.dll\", \"int\", \"CryptStringToBinary\", \"str\", $sData, \"int\", 0, \"int\", 1, \"ptr\", 0,\r\n\"ptr\", DllStructGetPtr($struct, 1), \"ptr\", 0, \"ptr\", 0)\r\nFigure 11. 
Decoding Remcos from AutoIt\r\nLoader features\r\nAnti-VM\r\nThis AutoIt loader is capable of detecting a virtual machine environment by checking for vmtoolsd.exe and vbox.exe in the list\r\nof running processes. However, it should be noted that this feature is not invoked in this sample.\r\nFigure 12. AutoIt loader’s Anti-VM\r\nBypass UAC\r\nDepending on the Windows version, the malware uses either the built-in Event Viewer utility (eventvwr) or fodhelper to\r\nbypass User Account Control (UAC).\r\nFigure 13. UAC bypass\r\nAnti-Debugging\r\nIf the loader detects a debugger via IsDebuggerPresent, it displays the message \"This is a third-party compiled AutoIt\r\nscript.\" and exits.\r\nFigure 14. AutoIt loader checks for a debugger\r\nExamining the main payload, Remcos RAT\r\nOriginally marketed as a remote access tool that legitimately lets a user control a system remotely, Remcos RAT has since\r\nbeen used by cybercriminals. Once the RAT is executed, a perpetrator gains the ability to run remote commands on the\r\nuser’s system. In a past campaign, for instance, the tool was seen with a variety of capabilities, which include downloading\r\nand executing commands, logging keys, logging screens, and capturing audio and video using the microphone and webcam.\r\nFor the analysis of this payload, we looked into the sample Remcos Professional version 1.7.\r\nFigure 15. Remcos version\r\nUpon execution, depending on the configuration, the malware creates a copy of itself in %AppData%\\remcos\\remcos.exe,\r\nuses install.bat to execute remcos.ex$ from the %APPDATA% directory, and finally deletes itself. It then creates the\r\nfollowing Run key in the Registry to maintain persistence on the system.\r\nFigure 16. 
Install.bat dropped by Remcos\r\nFigure 17. Remcos RAT changes the Registry entry to maintain persistence\r\nFigure 18. Reflected Remcos RAT change in the Registry\r\nThe malware retrieves the configuration called “SETTING” from its resource section.\r\nFigure 19. Remcos loads the encrypted settings from its resources\r\nThe content of the configuration is encrypted using the RC4 algorithm, as seen below:\r\nFigure 20. Remcos encrypted configuration\r\nThe following, on the other hand, is the RC4 routine used to decrypt the above configuration:\r\nFigure 21. RC4 algorithm to decrypt the configuration\r\nFigure 22. Decrypted configuration\r\nThe malware then creates the following mutex to mark its presence on the system:\r\nFigure 23. Remcos RAT mutex\r\nIt then starts to collect system information such as username, computer name, Windows version, etc., which it sends to the\r\ncommand and control (C\u0026C) server. The malware encrypts the collected data using the RC4 algorithm, keyed with the value\r\nof the “pass” field from the configuration data.\r\nFigure 24. Remcos collecting system information\r\nFigure 25. Clear text data collected by Remcos, where “|cmd|” is the delimiter\r\nFigure 26. Data is encrypted and sent to C\u0026C server\r\nFigure 27. 
Encrypted data\r\nThe following list shows some of the commands supported by the malware:\r\nCommand(s) | Description\r\nClipboarddata, Getclipboard, Setclipboard, Emptyclipboard | Clipboard manager\r\ndeletefile | Delete file(s)\r\ndownloadfromurltofile | Download a file from a specified URL and execute it on the infected system\r\nexeccom | Execute a shell command\r\nfilemgr | File manager\r\ngetproclist | List the running processes\r\ninitremscript | Execute a remote script from the C\u0026C\r\nkeyinput | Keylogger\r\nmsgbox | Display a message box on the infected system\r\nopenaddress | Open a specified website\r\nOSpower | Shutdown, restart, etc.\r\nping | Ping the infected system (used for network check)\r\nprockill | Kill a specific process\r\nregopened, regcreatekey, regeditval, regdelkey, regdelval, regopen, initregedit | Add, edit, rename, or delete registry values and keys\r\nscrcap | Screen capture\r\nsendfiledata | Upload data to the C\u0026C server\r\nuninstall | Uninstall itself from the infected system\r\nTable 1. Remcos RAT commands\r\nThe “consolecmd” command shown in the next figure, for instance, is used to execute shell commands on an infected\r\nsystem:\r\nFigure 28. Some examples of Remcos RAT’s commands\r\nFigure 29. Browser/cookie-stealing feature\r\nAfter analyzing this Remcos variant — its configuration data, communication mechanism, and functionalities — we saw\r\nthat it had many similarities with its older variant (detected as Backdoor.Win32.Remcosrat.A). 
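The loader-side decoding described earlier (the ChrW() string decoding of Figure 3, BinaryToString() on the next layer in Figure 4, and DecData() with its reverse-and-substitute step feeding CryptStringToBinary in Figures 9 to 11) is mechanical enough to script. The following is an added example written for this page; it is not code from the malware, from Trend Micro, or from the original article. The obfuscated ChrW() expression, the hex literal and the fake PE bytes are constructed stand-ins (the exact AutoIt syntax of the sample is an assumption); the ‘%$=’ placeholder, the reversal and the base64 flag are as the article describes them.

```python
import ast
import base64
import operator
import re

# Constructed stand-ins for what the figures show (assumption about the exact AutoIt syntax used
# by Boom.exe; the real sample is not reproduced here).
SAMPLE_CHRW = 'ChrW(1000-932) & ChrW(216-108) & ChrW(2*54) & ChrW(140-73) & ChrW(97) & ChrW(300-192) & ChrW(108)'
SAMPLE_BINARY = '0x4D7367426F782830'
# A 15-byte fake PE header, chosen so its base64 form contains the '/' the loader hides as '%$='.
FAKE_PE = bytes.fromhex('4d5a9000ffffff0300000004000000')

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def _eval_int(node):
    # Evaluate integer arithmetic only; no names, calls or attribute access, so hostile script text
    # cannot turn the deobfuscator into a code-execution vector.
    if isinstance(node, ast.Expression):
        return _eval_int(node.body)
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        return _OPS[type(node.op)](_eval_int(node.left), _eval_int(node.right))
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_eval_int(node.operand)
    raise ValueError('unsupported expression: ' + ast.dump(node))


def decode_chrw(source):
    # Replace each ChrW(<arithmetic>) with the character for the computed code point, then drop
    # the AutoIt concatenation operator (&) between the pieces.
    def repl(match):
        return chr(_eval_int(ast.parse(match.group(1).strip(), mode='eval')))
    joined = re.sub('ChrW[(]([^)]*)[)]', repl, source)
    return re.sub(' *& *', '', joined)


def binary_to_string(binary_literal):
    # AutoIt BinaryToString(): a 0x-prefixed hex literal becomes the bytes it encodes, read as ANSI text.
    hexdigits = binary_literal.strip()
    if hexdigits[:2].lower() == '0x':
        hexdigits = hexdigits[2:]
    return bytes.fromhex(hexdigits).decode('latin-1')


def encode_like_loader(payload):
    # Inverse of DecData(), used only to build test input: base64, hide '/' as '%$=', reverse.
    return base64.b64encode(payload).decode('ascii').replace('/', '%$=')[::-1]


def decdata(resource_text):
    # DecData(): reverse the resource string, restore '/' from the '%$=' placeholder, then base64-decode.
    # The loader does the last step with CryptStringToBinary(..., dwFlags=1), i.e. CRYPT_STRING_BASE64.
    restored = resource_text[::-1].replace('%$=', '/')
    payload = base64.b64decode(restored)
    if payload[:2] != b'MZ':
        raise ValueError('decoded resource does not start with an MZ header')
    return payload


ENCODED_SAMPLE = encode_like_loader(FAKE_PE)

if __name__ == '__main__':
    print(decode_chrw(SAMPLE_CHRW))          # DllCall
    print(binary_to_string(SAMPLE_BINARY))   # MsgBox(0
    print(decdata(ENCODED_SAMPLE)[:2])       # b'MZ'
```

decdata() reproduces only the string transformation; the real loader also fetches the resource and hands the decoded image to the Frenchy shellcode, which is not modelled here. The MZ check is the quickest sanity test that the reversal and substitution were applied in the right order.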
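The RC4 handling described above (the SETTING resource decrypted with RC4, and the collected system information joined with “|cmd|” and RC4-encrypted under the configuration’s pass value before it goes to the C&C) can be reproduced in a few lines. This is an added example written for this page, not Remcos code or Trend Micro’s; the key and the field values are constructed, and the function names are the example’s own. It goes one step beyond the article: because the key is a static configuration value, the RC4 keystream is identical for every beacon, so one known plaintext recovers the keystream prefix and decrypts other captures without the key.

```python
# Added example for this page, not Remcos code: RC4 as the sample applies it to its SETTING
# resource and to its C&C traffic, plus the |cmd| field delimiter seen in the collected data.

DELIM = b'|cmd|'

# Constructed stand-ins. The real key is the value of the configuration field named pass, which is
# not reproduced here; the field values imitate the system information the RAT collects.
SAMPLE_KEY = b'example-config-password'
SAMPLE_FIELDS = [b'DESKTOP-EXAMPLE', b'user', b'Windows 10', b'Remcos Professional 1.7']


def rc4(key, data):
    if not key:
        raise ValueError('RC4 key must not be empty')
    # Key-scheduling algorithm: permute S under the key bytes.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xff
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation: XOR every data byte with the next keystream byte. RC4 is its own
    # inverse, so this one routine decrypts the configuration and encrypts or decrypts beacons.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xff
        j = (j + s[i]) & 0xff
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xff])
    return bytes(out)


def decrypt_setting(resource_bytes, key):
    # The SETTING resource is RC4-encrypted; decrypting it is a single RC4 pass under the key.
    return rc4(key, resource_bytes)


def build_beacon(fields, key):
    # Mirrors Figures 25 and 26: fields joined with |cmd|, then RC4 under the pass value.
    return rc4(key, DELIM.join(fields))


def parse_beacon(blob, key):
    # Reverse of build_beacon: decrypt, then split on the delimiter.
    return rc4(key, blob).split(DELIM)


def xor_bytes(a, b):
    # XOR two byte strings; the result is as long as the shorter input.
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(ciphertext, known_plaintext):
    # RC4 restarts from the same state for every message when the key is fixed, so one known
    # plaintext/ciphertext pair exposes the keystream prefix shared by every other beacon.
    return xor_bytes(ciphertext, known_plaintext)


def keystream_reuse_demo():
    # Decrypt a second beacon using only a recovered keystream, never the pass value itself.
    known_cipher = build_beacon(SAMPLE_FIELDS, SAMPLE_KEY)
    keystream = recover_keystream(known_cipher, DELIM.join(SAMPLE_FIELDS))
    other_cipher = build_beacon([b'HOST2', b'admin'], SAMPLE_KEY)
    return xor_bytes(other_cipher, keystream)


if __name__ == '__main__':
    beacon = build_beacon(SAMPLE_FIELDS, SAMPLE_KEY)
    print(beacon.hex())
    print(parse_beacon(beacon, SAMPLE_KEY))
    print(keystream_reuse_demo())
```

rc4() is deliberately the textbook routine so it can be checked against the public test vector (key Key, plaintext Plaintext, ciphertext bbf316e8d940af0ad3) before it is pointed at a real SETTING blob. keystream_reuse_demo() shows the practical consequence of a static key for an analyst with packet captures: one decrypted beacon unlocks every other beacon of the same length or shorter.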
The delivery mechanism, though, is what sets this campaign apart: it wraps Remcos in an AutoIt loader that incorporates\r\ndifferent obfuscation and anti-debugging techniques to avoid detection.\r\nPrevention and Trend Micro Solutions\r\nTo defend against threats like Remcos RAT that use email-based attacks, we advise users to refrain from opening unsolicited\r\nemails — especially those with attachments — from unknown sources. Users should also exercise caution before clicking on\r\nURLs to avoid being infected with malware. For enterprises, if an anomaly is suspected in the system, report the activity to\r\nthe network administrator immediately. We also recommend these best practices for added protection:\r\nLearn how to identify phishing emails and spot indicators of unwanted emails (e.g., misspellings, odd vocabulary)\r\nUpdate applications and systems regularly\r\nApply whitelisting, block unused ports, and disable unused components\r\nMonitor traffic in the system for any suspicious behavior\r\nImplementing security solutions with anti-spam filtering should weed out spam messages such as the one discussed here.\r\nThe use of a multilayered solution such as Trend Micro™ Deep Discovery™ will help provide detection, in-depth analysis,\r\nand proactive response to today’s stealthy malware such as Remcos RAT, and targeted attacks in real-time. It provides a\r\ncomprehensive defense tailored to protect organizations against targeted attacks and advanced threats through specialized\r\nengines, custom sandboxing, and seamless correlation across the entire attack lifecycle. Trend Micro™ Deep Discovery™\r\nInspector prevents malware from reaching end users. For a more comprehensive security suite, organizations can consider\r\nthe Trend Micro™ Cloud App Security™ solution, which employs machine learning (ML) in web reputation and URL\r\ndynamic analysis. 
The solution can also detect suspicious content in the message body and attachments as well as provide\r\nsandbox malware analysis and document exploit detection.\r\nIndicators of Compromise (IoCs)\r\nFile Name / Email Address | Note | SHA-256 Hash | Trend Micro Pattern Detection\r\nPurchase order201900512.ace | Email attachment (ACE) | cf624ccc3313f2cb5a55d3a3d7358b4bd59aa8de7c447cdb47b70e954ffa069b | Backdoor.Win32.REMCO\r\nBoom.exe (Loader/Wrapper) | ACE file content (Win32 EXE) | 1108ee1ba08b1d0f4031cda7e5f8ddffdc8883db758ca978a1806dae9aceffd1 | Backdoor.Win32.REMCO\r\nremcos.ex$ | Remcos RAT (Win32 EXE) | 6cf0a7a74395ee41f35eab1cb9bb6a31f66af237dbe063e97537d949abdc2ae9 | BKDR_SOCMER.SM\r\nrud-division@alkuhaimi[.]com | Sender ID | - | -\r\nSource: https://www.trendmicro.com/en_ca/research/19/h/analysis-new-remcos-rat-arrives-via-phishing-email.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_ca/research/19/h/analysis-new-remcos-rat-arrives-via-phishing-email.html"
	],
	"report_names": [
		"analysis-new-remcos-rat-arrives-via-phishing-email.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775791281,
	"ts_updated_at": 1775791337,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3caa5f517805597225acde7d525f8018bdb3b1a2.pdf",
		"text": "https://archive.orkl.eu/3caa5f517805597225acde7d525f8018bdb3b1a2.txt",
		"img": "https://archive.orkl.eu/3caa5f517805597225acde7d525f8018bdb3b1a2.jpg"
	}
}