{
	"id": "9120d4f1-099a-4542-a33b-4b7c9de07352",
	"created_at": "2026-04-06T00:14:30.598026Z",
	"updated_at": "2026-04-10T03:24:29.955251Z",
	"deleted_at": null,
	"sha1_hash": "569f2e517010664cc011396549a81584c1724009",
	"title": "Remcos Downloader Analysis - Manual Deobfuscation of Visual Basic and Powershell",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5186812,
	"plain_text": "Remcos Downloader Analysis - Manual Deobfuscation of Visual\r\nBasic and Powershell\r\nBy Matthew\r\nPublished: 2023-10-27 · Archived: 2026-04-05 22:49:48 UTC\r\nIn this post, we'll demonstrate a process for decoding a visual basic (.vbs) script, which contains an encoded\r\nPowershell Script used to download Remcos malware from a Google Drive.\r\nWe'll manually analyse and deobfuscate both the vbs and powershell, and develop a decoder to obtain IOCs and\r\ndecoded values.\r\nFile Link\r\nHash b632a2ab492dbe0f71c18cab99b61bded82cbb66696f2d30c9bc354605ebb136\r\nMalware Bazaar Link\r\nInitial Analysis and Cleaning Up The Script\r\nWe can begin by moving the file into a safe analysis machine and unzipping it with the password infected .\r\nAs the file is a .vbs script, we can directly open it inside of a text editor.\r\nhttps://embee-research.ghost.io/decoding-a-remcos-loader-script-visual-basic-deobfuscation/\r\nPage 1 of 13\n\nFrom here, we can immediately see a large number of comments with junk text. We can also take note that each of\r\nthese comments begins with a single quote of '\r\nThese comments do not provide any value to the script. So we can go ahead and remove them straight away using\r\nregex. You could also manually highlight and remove them if regex is not your thing.\r\nI will go ahead and remove the comments with a regex of ^'.*\\s+ .\r\n^ - Only match at the start of each line (this avoids removing any quotes that are used in strings or\r\n\"legitimate\" places)\r\n' - Look for a single quote (at the start of each line)\r\n.* - Grab everything after the single quote\r\n\\s+ - Grab any spacing at the end of the line (useful for removing newlines)\r\nAfter hitting \"Replace All\", this regex was able to remove 1516 lines from the code.\r\nThe script now has 80 lines remaining (from a previous 1609).\r\nhttps://embee-research.ghost.io/decoding-a-remcos-loader-script-visual-basic-deobfuscation/\r\nPage 2 of 13\n\nWe can now begin to see some functionality related to grabbing the local time from the system using WMI\r\nobjects. This doesn't look super interesting so I'll scroll down and come back later.\r\nThere are some seemingly random variables being created. Some contain integers, and some contain junk text.\r\nThese don't seem to provide any value, but they also don't take up too much space. I'll go ahead and leave them\r\nand move on.\r\nScrolling down more, we can see a reference to WScript.Shell , as well as a partial reference to Powershell .\r\nFollowing the PowerShell reference, there appears to be a PowerShell script that has been broken up into multiple\r\npieces.\r\nI will go ahead and focus on the \"broken\" script, assuming that the aim of the initial obfuscated piece is to use\r\nWScript.Shell to execute the obfuscated PowerShell command.\r\nhttps://embee-research.ghost.io/decoding-a-remcos-loader-script-visual-basic-deobfuscation/\r\nPage 3 of 13\n\nBy temporarily disabling Word Wrapping, you can obtain a clearer overview of the obfuscated Powershell script.\r\nIdentifying the Embedded PowerShell Script\r\nHere we can see that the script is broken up into about 20 strings which are all concatenated together.\r\nNow you could manually take each line and add them together, but instead, I will use regex again to clean\r\neverything up.\r\nI will begin by copying the PowerShell strings into a new file and removing the \"Randomize\" line seen in the\r\nprevious screenshot on line 69.\r\nhttps://embee-research.ghost.io/decoding-a-remcos-loader-script-visual-basic-deobfuscation/\r\nPage 4 of 13\n\nA new file allows me to attempt decoding without \"breaking\" the original .vbs script. This also allows\r\nme to return to the previous script if I need additional context on the decoded content.\r\nI will go ahead and remove the string concatenation at the beginning of each line. This can be done manually or\r\nwith a regex.\r\nThe results should look something like this.\r\nI will also go ahead and remove the quotes at the beginning and end of each line.\r\nThis can be done manually or with a regex, whichever is preferred. I personally used the regex of \"\\s+\" , which\r\nwill remove any quotes with only whitespace \\s in-between. (Eg Quote, followed by newline, followed by\r\nquote)\r\nhttps://embee-research.ghost.io/decoding-a-remcos-loader-script-visual-basic-deobfuscation/\r\nPage 5 of 13\n\nAfter applying this regex and modifying the text highlighting from \"Visual Basic\" to \"Powershell\". We are left\r\nwith the following content.\r\nBeginning of PowerShell Script Analysis\r\nWe can see that the resulting PowerShell begins with a Minimif function, followed by lots of calls to Minimif\r\nand some more encoded values.\r\nBefore proceeding, I will go ahead and run the script through a generic beautifier. This is to add newlines and\r\nspacing that will make the script much easier to read.\r\nNote that Generic Beautifier has a tendency to break PowerShell scripts, but this is fine since we don't\r\nintend on executing it.\r\nhttps://embee-research.ghost.io/decoding-a-remcos-loader-script-visual-basic-deobfuscation/\r\nPage 6 of 13\n\nMoving the beautified script back into a text editor, we can see that consists almost entirely of obfuscated values\r\nbeing passed to Minimif\r\nAnalysing the Obfuscation Routine\r\nThe Minimif function begins to make sense if we give each variable a meaningful name.\r\nAt first glance, the script appears to take the 8th character of each encoded string. The script iterates through each\r\nstring, taking additional characters at 8,16,24 etc. All the way to the end of the string.\r\nhttps://embee-research.ghost.io/decoding-a-remcos-loader-script-visual-basic-deobfuscation/\r\nPage 7 of 13\n\nVerifying The Obfuscation\r\nWith a theory that the decoding is taking the 8th character from each string, we can go ahead and verify this with a\r\nsingle encoded string.\r\nHere is the first encoded string from the PowerShell Script.\r\nDeobfuscation With Python\r\nBy using a simple Python Script, we can test out the decoding method. Immediately the first value returns a URL\r\nto a Google Drive file.\r\nhttps://embee-research.ghost.io/decoding-a-remcos-loader-script-visual-basic-deobfuscation/\r\nPage 8 of 13\n\nInstead of using Python, we could also go ahead and use another regex to decode the encoded text.\r\nDeobfuscation With Regex\r\nThe below regex looks for blobs of 8 characters and stores the 8th value inside of a capture group. This capture\r\ngroup can be referenced using the value $1.\r\nThis regex is able to decode the text, obtaining the same value as the Python Script.\r\nWe can use this to our advantage and decode the remaining values using CyberChef.\r\nDeobfuscation Using CyberChef\r\nhttps://embee-research.ghost.io/decoding-a-remcos-loader-script-visual-basic-deobfuscation/\r\nPage 9 of 13\n\nWe can begin this by prototyping a Regular Expression that takes the original Powershell script and obtains all\r\nvalues between quotes.\r\nThe regex of '[^']+' , can achieve this. This regex looks for single quotes, followed by anything that is not a\r\nsingle quote and is ended by another single quote.\r\nHere we can use the Regular Expression and \"Highlight Matches\" functions to confirm our prototype.\r\nWith the Regular Expression working as intended, we can change \"Highlight Matches\" to \"List Matches\".\r\nThis will list only the encoded values in the script.\r\nFrom here we can go ahead and apply a \"Fork\", which means we can act on each encoded value individually. We\r\ncan also go ahead and remove the single quotes from each line\r\nhttps://embee-research.ghost.io/decoding-a-remcos-loader-script-visual-basic-deobfuscation/\r\nPage 10 of 13\n\nAfter applying the fork and removing quotes, we should have something like this. This is all of the encoded values\r\nseparated by a newline, it looks like junk but we'll fix that in a second.\r\nWith the output looking as expected, we can go ahead and apply our previous regex to the CyberChef Recipe.\r\nhttps://embee-research.ghost.io/decoding-a-remcos-loader-script-visual-basic-deobfuscation/\r\nPage 11 of 13\n\nFinal Output\r\nApplying the above recipe, each of the encoded lines will be individually decoded according to the regex we\r\nprovided.\r\nWe can now see all decoded values from the Powershell script.\r\nThis includes references to the Google Drive URL, PowerShell, BitsTransfer, AppData folder, as well as\r\nadditional base64 encoding.\r\nThe combination of these values implies that the script uses Powershell to Download a base64 encoded file to the\r\nAppData folder. The download is performed using the Bits protocol, using the BitsTransfer Powershell module.\r\nhttps://embee-research.ghost.io/decoding-a-remcos-loader-script-visual-basic-deobfuscation/\r\nPage 12 of 13\n\nAt this point, the script is now successfully decoded and IOCs obtained.\r\nConclusion\r\nWe've now successfully decoded the script and obtained all decoded values. We manually analysed a script and\r\nremoved decoy comments, identified an embedded PowerShell script, and ultimately extracted and decoded all\r\nencoded values.\r\nWe've also looked at a simple but interesting method of obfuscation and demonstrated multiple means of\r\nsuccessfully decoding (Python, Regex/CyberChef).\r\nSign up for Embee Research\r\nMalware Analysis Insights\r\nNo spam. Unsubscribe anytime.\r\nSource: https://embee-research.ghost.io/decoding-a-remcos-loader-script-visual-basic-deobfuscation/\r\nhttps://embee-research.ghost.io/decoding-a-remcos-loader-script-visual-basic-deobfuscation/\r\nPage 13 of 13",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://embee-research.ghost.io/decoding-a-remcos-loader-script-visual-basic-deobfuscation/"
	],
	"report_names": [
		"decoding-a-remcos-loader-script-visual-basic-deobfuscation"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434470,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/569f2e517010664cc011396549a81584c1724009.pdf",
		"text": "https://archive.orkl.eu/569f2e517010664cc011396549a81584c1724009.txt",
		"img": "https://archive.orkl.eu/569f2e517010664cc011396549a81584c1724009.jpg"
	}
}