{
	"id": "e4662b38-aa3b-47fa-8a09-5eb6ab939f12",
	"created_at": "2026-04-06T00:21:39.206609Z",
	"updated_at": "2026-04-10T13:11:46.191072Z",
	"deleted_at": null,
	"sha1_hash": "5e05fb47c81a471d255a86336e1fdef5958a0fa8",
	"title": "Distribution of Remcos RAT Disguised as Tax Invoice",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 777042,
	"plain_text": "Distribution of Remcos RAT Disguised as Tax Invoice\r\nBy ATCP\r\nPublished: 2022-02-27 · Archived: 2026-04-05 22:31:12 UTC\r\nThe ASEC analysis team has discovered Remcos RAT being distributed under the disguise of a tax invoice. The\r\ncontent and the type of phishing email are similar to the type that has been consistently discussed in previous\r\nblogs. Within the email, it has a short message written in awkward grammar. As users who are doing tax-related\r\nwork may run the executable without a second thought about what’s written within the email, caution is advised.\r\nhttps://asec.ahnlab.com/en/32376/\r\nPage 1 of 6\n\nUpon decompressing the attachment ‘Tax.gz’, an executable named ‘Tax.com’ is shown to exist, and code below\r\nis shown when debugged. If the execution environment is a 64-bit environment, it downloads and executes the\r\nmalware (1df2bf9313decafd0249d6a4556010bc) that is appropriate for the environment from\r\n‘hxxp://zhost.polycomusa[.]com/Chrimaz.exe’, and if not a 64-bit environment, it downloads a powershell file\r\nnamed ‘3xp1r3Exp.ps1’ and performs additional malicious behaviors.\r\nhttps://asec.ahnlab.com/en/32376/\r\nPage 2 of 6\n\nThe powershell script (see Figure 4) consists of content that downloads an additional file (version.dll) for UAC\r\nBypass. UAC Bypass is a privilege escalation technique that uses various tricks to execute malware as\r\nadministrator without UAC prompt pop-up. Detailed analysis on UAC Bypass can be found in AhnLab’s TI report\r\npublished last year in July, and the following is an excerpt from the report.\r\nExcerpt from ATIP – Analysis Report on Privilege Escalation Using UAC Bypass ‘Abstract’\r\nThere are features among the behaviors of malware that do not require admin privilege, however, if the\r\nadmin privilege does exist, it can perform more malicious behaviors. Simply put, depending on the\r\nprivilege, the encryption target paths of ransomware (files that can be encrypted) differ. Because of this,\r\nmalware aims to be executed with admin privilege, but when configured to do so, the UAC prompt\r\npops up, which could allow the user to recognize it.\r\nAttackers have created various techniques to bypass UAC since its introduction and these techniques\r\nare referred to as UAC Bypass.\r\nExcerpt from ATIP – Analysis Report on Privilege Escalation Using UAC Bypass ‘Basic Concept’\r\nProcesses such as sysprep.exe, cliconfg.exe are examples of autoElevate programs, and programs with\r\nsuch property are automatically executed with admin privilege without the UAC prompt. Most UAC\r\nBypass techniques abuse these kinds of autoElevate programs. For example. attackers can change the\r\nsettings of the registry that is used by such programs and execute it as a child process or use the DLL\r\nhijacking method to make the programs load the malicious DLL.\r\nhttps://asec.ahnlab.com/en/32376/\r\nPage 3 of 6\n\nAmong the various UAC Bypass techniques, the powershell script above creates a trick folder (Mock Directory)\r\nand uses the DLL hijacking method. For a more detailed explanation about this method, upon looking at line 15 of\r\nthe powershell script (see Figure 4), a powershell command that creates a certain path is found as shown below.\r\nNew-Item “\\?\\C:\\Windows \\System32” -ItemType Directory\r\nThe meaning of ‘Mock (fake) Directory’ that refers to a trick folder is as follows: Although the command appears\r\nto be a command that creates a System32 folder in the C drive Windows subfolder, upon a close look, it is not the\r\n‘Windows’ folder but ‘Windows folder ‘ with a whitespace at the end. It is impossible to create a folder with a\r\nwhitespace at the back in its filename via Windows UI Explorer, and it is also not possible to create ‘C:\\Windows\r\n‘ via command. However, the attacker used the fact that creating ‘C:\\Windows \\System32’ with an existing\r\nsubdirectory is possible via command.\r\nOne of the conditions that determine whether or not privilege escalation is needed upon file execution is checking\r\nif it was executed in a trusted folder (E.g. C:\\Windows\\System32). This is a method that abuses the fact that the\r\ndirectory validation logic that judges the conditions for automatic privilege escalation (autoElevate) scans\r\n“\\System32” first, in which it automatically deletes the whitespace if there is one at the end of a filename in the\r\nprocessing procedure via GetLongPathNameW API of AIS(Application Information Service: AppInfo.dll). On the\r\ncontrary, if the attacker can bypass this condition, it means that they can escalate their privilege without asking the\r\nuser and execute the file.\r\nThe relevant operation method of WastedLocker ransomware was introduced in detail in the blog post below. [2. If\r\nnot executed as administrator, performs UAC Bypass (*Privilege escalation mechanism)]\r\nhttps://asec.ahnlab.com/en/32376/\r\nPage 4 of 6\n\nUpon checking from line 17 of the powershell script, it shows that it copies winsat.exe within the normal\r\nSystem32 folder into the fake System32 folder, then executes the winsat.exe file via hidden window property in\r\nthe copied directory. As the winsat.exe (Windows System Assessment Tool) is one of the AIS Whitelist files, the\r\nUAC prompt does not pop up when it is executed, which is a reason why it is often used in UAC Bypass\r\ntechniques.\r\nAs a result, the whitespace at the back of the Windows filename in the directory (C:\\Windows \\System32) is\r\ndeleted and is thus considered as a trusted directory. With the trick folder changed to a trusted directory, the DLL\r\nhijacking method where a normal program loads a malicious DLL (version.dll) can be used.\r\nAdditional malicious behaviors cannot be confirmed as access to the transit point is currently unavailable,\r\nhowever, when version.dll was loaded and executed when access was still available, ‘Chrimaz.exe’ file execution\r\ncommand of the directory that refers to ‘C:\\ProgramData\\Chrimaz\\Chrimaz.exe’ was found (see below). Upon\r\nanalyzing the relevant file via AhnLab and external infrastructure, it was confirmed that this file is Remcos RAT.\r\npowershell.exe -windowstyle hidden -NoProfile -ExecutionPolicy bypass -Command $mydir =\r\n[System.Environment]::GetFolderPath(‘CommonApplicationData’);\r\n$bitdir = ‘\\Chrimaz’;\r\n$fulldir = $mydir+$bitdir; Add-MpPreference -ExclusionPath $fulldir;\r\nUpon checking related files via AhnLab’s infrastructure, it was found that around February 24th, a similar\r\npowershell script and files similar to version.dll were distributed via various external URLs. It is worth noting that\r\nthere are more and more distribution methods that go through various steps with the purpose of UAC Bypass.\r\nUAC Bypass is a typical method used to escalate privilege, and malware attempts at privilege escalation with\r\nvarious purposes. Users must patch their Windows OS to the latest version to prevent UAC Bypass attacks. At the\r\nbasic level, users should refrain from opening attachments in emails from unknown sources and update the anti-malware program to the latest version to prevent malware infection in advance.\r\nAhnLab’s anti-malware software, V3, detects and blocks the malware above using the aliases below.\r\n[File Detection]\r\nTrojan/Win.MSIL.R472890\r\nTrojan/Win.BitMin.C4970105\r\nDownloader/PowerShell.Generic\r\nTrojan/Win.UACByPass.C4970059\r\nTrojan/Win.RemcosRAT.R475423\r\nMD5\r\n150744df32e4a57bb169f91cba45697c\r\n1df2bf9313decafd0249d6a4556010bc\r\n824a79fc5bebeb7b508247619eca82cd\r\n98cf9ab79e33c04a4934628f6aa3161d\r\nhttps://asec.ahnlab.com/en/32376/\r\nPage 5 of 6\n\n9cdcaa1c51bfa4ce6d6abb9376ba26a8\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//giraffebear[.]polycomusa[.]com/\r\nhttp[:]//zhost[.]polycomusa[.]com/\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click\r\nthe banner below.\r\nSource: https://asec.ahnlab.com/en/32376/\r\nhttps://asec.ahnlab.com/en/32376/\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/32376/"
	],
	"report_names": [
		"32376"
	],
	"threat_actors": [],
	"ts_created_at": 1775434899,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5e05fb47c81a471d255a86336e1fdef5958a0fa8.pdf",
		"text": "https://archive.orkl.eu/5e05fb47c81a471d255a86336e1fdef5958a0fa8.txt",
		"img": "https://archive.orkl.eu/5e05fb47c81a471d255a86336e1fdef5958a0fa8.jpg"
	}
}