{
	"id": "6d983a2b-0b10-4a7e-8bb7-1cf4580d179a",
	"created_at": "2026-04-10T03:20:48.730211Z",
	"updated_at": "2026-04-10T03:22:18.418164Z",
	"deleted_at": null,
	"sha1_hash": "4fed8ba3f26469443a731b3df535e9d3425625dd",
	"title": "Malicious ratatouille 🐀",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2725847,
	"plain_text": "Malicious ratatouille 🐀\r\nBy f0wL\r\nPublished: 2019-09-07 · Archived: 2026-04-10 02:41:53 UTC\r\nSat 07 September 2019 in RATs\r\nRemcos is a commercially sold Remote Administration Toolkit (RAT) that is regularly distributed as spyware. Depending on the licensing model and capabilities, Remcos is sold for $58 to $389 by the company (with the pretty fitting name) Breaking Security. Feature-wise the manufacturer's website lists: Remote Administration, Support, Surveillance, Anti-Theft and Proxy. In most cases the executable is dropped via a booby-trapped Office or XML document. Of course I will not link to any of their webpages or products since shilling out for cybercriminals would be the last thing I'd do.\r\nInspiration for this blog post came from @wwp96 on Twitter:\r\n#remcos\r\njkharding2014.myddns[.]rocks\r\ntomharry.ddns[.]net\r\n2c8b1cca4ee54428dffc203b76c4dc30 - Dhl protected.iso\r\n06469856a9bdecae989b64daf9db09c7 - carved exe https://t.co/YtsJYbhle9\r\n— wwp96 (@wwp96) September 7, 2019\r\nhttps://dissectingmalwa.re/malicious-ratatouille.html\r\nPage 1 of 8\r\nRemcos uses a Control instance (the C\u0026C) and the so-called Agent (the executable that is delivered to the victim). It was first spotted in 2016 when it was being sold on HackForums. Since then it has been used in targeted attacks (mostly spear-phishing) against Turkish government/military contractors or other businesses/individuals in the European Union. The Agent is written in C++ (while the Control application is written in Borland Delphi) and is 110KB in size. Click here for the AnyRun Analysis.\r\nOf course it fiddles around in the registry as well. It uses the key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run to bind to the system startup. Although there are versions of Remcos that are packed with UPX and MPRESS1, this sample is not obfuscated in any way.\r\nIn terms of network interactions it queries two Dynamic DNS URLs that both point to the same host at 66.154.113[.]142.\r\nWith Version 1.7 Pro we've got an old version of the RAT in our hands, which dates back to the 5th of January 2017. The most recent version of the malware according to the changelog is V2.4.7. Another thing one usually doesn't get with malware: a 31-page manual. It goes over the features and configuration points the malware has to offer and even includes a \"Terms of Service\" chapter which states that users have to be notified that there is surveillance software in place and that the use of Remcos for illegal activities is forbidden. As if they would care that their software was probably used in \u003e95% of malicious acts. Judging by the typos and a few screenshots I'd attribute this malware to Eastern European threat actors.\r\nThe following screenshots were captured after decompiling the executable with the retargetable decompiler retdec by Avast. The decompiled result can be found here.\r\nAs a first step it runs its dropped install script called install.bat and uses a ping to localhost to stall the process and make sure it is finished before proceeding.\r\nIn terms of evasion techniques Remcos turns up with detection methods for both VirtualBox and Sandboxie. The above example shows the method it employs for VirtualBox via a registry key that is set if the Guest Additions are in place on the guest system. In the same manner it tries to call SbieDll.dll to check if Sandboxie is present.\r\nThe Remcos Agent also has debugging functionality via a console window, for example for the communication with the C\u0026C server.\r\nRemcos also employs process injection via a static mutex. This behaviour is often used as a simple way of achieving persistence and to decrease the risk of a possible detection. Most versions of the RAT seem to inject into svchost.exe.\r\nVia the command \u0026 control structure we also get a pretty good look at all the features the malware supports. In this screenshot we can see the file operations, process manipulations and window interactions it has to offer to the operator.\r\nAnother \"standard\" feature for RATs is accessing browser history, cache and password stores. In this case Remcos is trying to manipulate user data in Mozilla Firefox.\r\nWe also get a look at the webcam capture module of the RAT, which seems to support different camera modes. Additionally it also supports audio capture via a built-in microphone.\r\nLastly the malware also has the capability to manipulate the system power state depending on the current privileges.\r\nAlthough Remcos is not a \"new\" malware by today's definition, it is still a serious threat to look out for. In my test it scores 53/68 on VirusTotal.\r\nIOCs\r\nRemcos RAT (SHA256)\r\n1c3a298dd32da9de457842613dd4f07e0e57131a94bc13d868ffcbbebfab6d63\r\n11535ea0ba3bf9ed0691b850955ef2613475dfdce7d8a32fa3d2d7ae066de73d\r\nC\u0026C URLs\r\nhttx://tomharry.ddns[.]net\r\nhttx://jkharding2014.myddns[.]rocks\r\nhttx://gratefulheart.ddns[.]net\r\nhttx://uaeoffice999.warzonedns[.]com\r\nIPs\r\n66.154.113[.]142\r\n79.134.225[.]77\r\n79.134.225[.]81\r\nModified Registry Keys\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nremcos --\u003e \"C:\\Users\\admin\\AppData\\Roaming\\remcos\\remcos.exe\"\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\r\nUNCAsIntranet --\u003e 0\r\nAutoDetect --\u003e 1\r\nSource: https://dissectingmalwa.re/malicious-ratatouille.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://dissectingmalwa.re/malicious-ratatouille.html"
	],
	"report_names": [
		"malicious-ratatouille.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775791248,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4fed8ba3f26469443a731b3df535e9d3425625dd.pdf",
		"text": "https://archive.orkl.eu/4fed8ba3f26469443a731b3df535e9d3425625dd.txt",
		"img": "https://archive.orkl.eu/4fed8ba3f26469443a731b3df535e9d3425625dd.jpg"
	}
}