{
	"id": "2f0e8098-5dcc-4288-b46b-07542693b303",
	"created_at": "2026-04-06T01:31:30.883698Z",
	"updated_at": "2026-04-10T13:11:28.837218Z",
	"deleted_at": null,
	"sha1_hash": "41b5183deb1e54c9e833dbb89da0e5215d77fbce",
	"title": "Remcos RAT: Network Artifacts, C2 Command Analysis \u0026 SASE Mitigation | Aryaka Threat Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6321832,
	"plain_text": "Remcos RAT: Network Artifacts, C2 Command Analysis \u0026 SASE\r\nMitigation | Aryaka Threat Research\r\nBy Varadharajan K\r\nArchived: 2026-04-06 01:11:55 UTC\r\nOverview\r\nRemcos is a remote access trojan (RAT) that was first introduced in July 2016 by the German company Breaking\r\nSecurity. Although initially marketed as a legitimate tool for remote administration of Windows systems, it has\r\nsince been widely adopted by cybercriminals for malicious purposes. The malware is typically distributed through\r\nphishing emails containing malicious attachments, such as Microsoft Office documents with embedded macros or\r\nZIP files masquerading as legitimate content. Upon execution, these attachments deploy Remcos onto the victim’s\r\nsystem. In some cases, attackers exploit known vulnerabilities to facilitate the infection process.\r\nRemcos provides attackers with extensive capabilities, including keylogging, screen capturing, audio and video\r\nrecording, and remote command execution. It can also collect system information, steal credentials, and download\r\nadditional malicious payloads. The malware’s modular architecture allows for the addition of new functionalities,\r\nmaking it adaptable to various malicious campaigns.\r\nRecent Remcos samples ( version 6.1.1 pro) have been observed spreading through spam emails that carry a\r\nmalicious 7Z archive as an attachment. This archive contains a heavily obfuscated batch file designed to evade\r\ndetection. Within the batch file are two encrypted and compressed data streams—specifically, AES-encrypted and\r\nGZIP-compressed—which are decrypted and decompressed during execution. This process ultimately results in\r\nthe Remcos payload being deployed on the victim’s machine.\r\nTechnical Details\r\nThe malicious batch file is heavily obfuscated and contains embedded Base64-encoded PowerShell code. To\r\nevade detection, attackers have inserted junk code throughout the script. 
For example, in the first line, replacing the string ‘ywg’ reveals an echo command, indicating the presence of concealed functionality.\r\nhttps://www.aryaka.com/blog/remcos-rat-network-c2-analysis/\r\nPage 1 of 14\r\nFigure 1 – Obfuscated batch file\r\nUpon execution, the batch file runs the embedded PowerShell script, which checks for the presence of the “dwm.bat” file in the user’s profile directory. If the file exists, it reads its contents line by line, searches for a line containing the marker ::: and extracts the content that follows it. This content is Base64-encoded PowerShell code, which is then decoded and executed. If the “dwm.bat” file is not present, the script simply terminates.\r\nFigure 2 – Embedded PowerShell Script\r\nBypassing AMSI and ETW\r\nThe decoded PowerShell script defines a function called Invoke-SysRoutine, which implements a technique to bypass both Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW). It achieves this by dynamically resolving system API addresses at runtime and modifying the memory of the target functions using .NET interoperability and native Windows API calls, thereby disabling security telemetry and evading detection.\r\nIt dynamically resolves critical system functions like GetProcAddress and GetModuleHandle by decoding their names at runtime, making static analysis difficult. The script creates custom delegates to call unmanaged code and modifies memory protection using VirtualProtect to patch AMSI’s AmsiInitialize function.\r\nFigure 3 – AMSI Bypass\r\nIt further scans and patches multiple AMSI providers in memory to ensure complete deactivation. If the -DisableSvc flag is used, it also targets the EtwEventWrite function in ntdll.dll, effectively suppressing security event logging. 
Memory protections are restored after patching to maintain system stability.\r\nFigure 4 – ETW Patching\r\nDecryption and Decompression\r\nAfter successfully bypassing AMSI and ETW, the embedded PowerShell script within the batch file locates the marker ::, extracts the content that follows it, and then splits this data using the backslash (\\) as a delimiter. The resulting Base64-encoded values are stored in an array for further processing.\r\nFigure 5 – PowerShell Script Reading Encrypted Elements\r\nThe extracted array elements are then passed to a decryption function that uses AES in CBC (Cipher Block Chaining) mode. This function decrypts the content using a hardcoded key and initialization vector (IV), as shown in the following code snippet. The decrypted output is subsequently passed to another function that handles GZIP decompression.\r\nFigure 6 – AES Decryption\r\nOnce both array elements are decompressed, the script extracts two executable files. The first executable contains an empty main() function, serving no active purpose, while the second is responsible for loading the Remcos payload.\r\nFigure 7 – AES Decryption and GZIP Decompression using CyberChef\r\nThe script then passes the extracted executables to a function that uses reflective loading to run the malicious binary directly in memory within the PowerShell process, without writing the binaries to disk. 
This technique enables in-memory execution of the payload, making detection and analysis more challenging.\r\nFigure 8 – Reflective Loading\r\nThe executable extracted from the first array element contains an empty main function, indicating that the attacker may be using it as a decoy or evasion tactic to avoid detection.\r\nRemcos Loader\r\nThe executable extracted from the second array element acts as a loader that loads the Remcos payload on the victim’s machine. Upon execution, the loader loads “ntdll.dll”, retrieves the address of the “EtwEventWrite” function and changes the memory protection of this function to PAGE_EXECUTE_READWRITE.\r\nOn 32-bit systems, it writes the instruction bytes 0xC2 0x14 (a ret instruction) so that the function returns immediately, effectively disabling ETW logging. On 64-bit systems, the loader overwrites the start of the EtwEventWrite function with a single 0xC3 (ret) instruction, which causes the function to return immediately without doing anything. This change disables event logging. Once modified, the loader restores the original memory protection to avoid further changes, effectively turning EtwEventWrite into a no-op and helping the malware evade detection by security tools.\r\nFigure 9 – EtwEventWrite Patching\r\nIn the final stage, the loader searches the embedded resources of the assembly for a specific entry named “xxxxxxxxxxxxxxxxxxxxxxxxxxxx.exe”. If the resource is present, it extracts its content using GetManifestResourceStream().\r\nThe extracted data is both GZIP-compressed and AES-encrypted. It is decrypted using a predefined key and initialization vector. 
Once decrypted, the payload—identified as Remcos—is executed, allowing the attacker to remotely control the compromised system.\r\nNetwork and C\u0026C connection details\r\nAfter successful execution, Remcos RAT sends a GET request to geoplugin.net/json.gp to retrieve the victim’s geolocation based on their public IP address. The API response includes details such as country, city, region, latitude, longitude and timezone. The gathered data helps attackers profile victims and adapt their operations based on geographical location.\r\nFigure 10 – Gathering Geolocation Details\r\nBefore gaining full control over the victim’s machine, the Remcos RAT first collects system information and sends it to the Command and Control (C\u0026C) server to register the infected device. It initiates a secure connection to the C\u0026C server using TLS to facilitate encrypted communication. Each packet contains a unique identifier byte sequence, followed by the size of the data being transferred, and a command ID that specifies the intended operation, as shown below.\r\nFigure 11 – Initial packet for registering the victim’s device\r\nRemcos utilizes Command ID 0x4B to exfiltrate detailed system and user information from the victim’s machine to the attacker’s Command and Control (C2) server. This data is used to register the compromised device and establish control over the infected host. 
The following information is typically collected during this process:\r\nDevice Name \u0026 User Name\r\nLocation of the Victim’s Device\r\nOperating System Info\r\nMemory Status\r\nRemcos Version\r\nRemcos Keylogger Local File Path\r\nRemcos Full Path\r\nActive Program Title\r\nUser’s Privilege Level\r\nSystem Uptime\r\nIdle Time\r\nRemcos Assigned Name\r\nC\u0026C Server IP\r\nRemcos File Type\r\nProcessor’s Information\r\nAfter the initial registration, the Command and Control (C2) server sends a command with ID 0x01 to the Remcos client. This command functions as a heartbeat or information beacon, prompting the infected machine to send periodic status updates to the attacker.\r\nFigure 12 – Beacon Packet\r\nIn response, Remcos sends runtime system telemetry such as the active window title and the system’s uptime, tagged with command ID 0x4C. This allows the attacker to monitor the infected machine’s activity in real time and maintain persistent control over the device.\r\nFigure 13 – Response to Beacon Request\r\nAfter this, the C\u0026C server issues a request to the infected machine using command ID 0x11 to retrieve the geolocation information that was gathered during the initial stage of infection. 
In response, Remcos sends back the geolocation details using the same command ID 0x11, as shown below.\r\nFigure 14 – Exfiltration of Geolocation Details\r\nIt was also observed that command ID 0x44 is used whenever a file is being downloaded from the C\u0026C server. Specifically, when a file with an MZ header is retrieved, the communication includes command 0x44 followed by the file content, as shown below.\r\nFigure 15 – Downloading additional payload (Source: malware-traffic-analysis.net)\r\nHow does Unified SASE as a Service help mitigate Remcos Infections?\r\nA Unified SASE framework integrates network security and zero-trust access controls to defend against threats like Remcos RAT, which uses command-and-control (C2) channels for data exfiltration and remote operations. SASE provides centralized visibility into network traffic and enforces consistent security policies across all locations. Our built-in security features—such as advanced IDPS, SWG, and real-time threat intelligence—can detect indicators of Remcos activity, including specific command IDs and suspicious HTTP patterns. 
By inspecting outbound HTTP communications, SASE can identify attempts to exfiltrate geolocation data or deliver remote commands, automatically blocking unauthorized transmissions and minimizing the risk of compromise.\r\nMITRE ATT\u0026CK Mapping: TTPs\r\nT1566.001 – Phishing: Spearphishing Attachment\r\nT1059.001 – Command and Scripting Interpreter: PowerShell\r\nT1204.002 – User Execution: Malicious File\r\nT1027 – Obfuscated Files or Information\r\nT1055.002 – Process Injection: Portable Executable Injection\r\nT1562.001 – Impair Defenses: Disable or Modify Tools\r\nT1003 – OS Credential Dumping\r\nT1082 – System Information Discovery\r\nT1016 – System Network Configuration Discovery\r\nT1071.001 – Application Layer Protocol: Web Protocols\r\nT1056.001 – Input Capture: Keylogging\r\nT1113 – Screen Capture\r\nT1123 – Audio Capture\r\nT1125 – Video Capture\r\nT1041 – Exfiltration Over C2 Channel\r\nT1020 – Automated Exfiltration\r\nReference\r\nhttps://www.fortinet.com/blog/threat-research/new-campaign-uses-remcos-rat-to-exploit-victims\r\nSource: https://www.aryaka.com/blog/remcos-rat-network-c2-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.aryaka.com/blog/remcos-rat-network-c2-analysis/"
	],
	"report_names": [
		"remcos-rat-network-c2-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775439090,
	"ts_updated_at": 1775826688,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/41b5183deb1e54c9e833dbb89da0e5215d77fbce.pdf",
		"text": "https://archive.orkl.eu/41b5183deb1e54c9e833dbb89da0e5215d77fbce.txt",
		"img": "https://archive.orkl.eu/41b5183deb1e54c9e833dbb89da0e5215d77fbce.jpg"
	}
}