{
	"id": "85070525-4eec-4dc6-8193-ecf8750f1eeb",
	"created_at": "2026-04-06T00:14:34.41414Z",
	"updated_at": "2026-04-10T13:12:40.886997Z",
	"deleted_at": null,
	"sha1_hash": "70a5fe5b34e75b6bcdd3204d3a494322dc5881a3",
	"title": "Unfolding Remcos RAT- 4.9.2 Pro",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 253409,
	"plain_text": "Unfolding Remcos RAT- 4.9.2 Pro\r\nBy Osama Ellahi\r\nPublished: 2024-08-10 · Archived: 2026-04-05 23:05:37 UTC\r\nMalware Analysis of Remcos RAT: Exploitation and Detection Explained\r\n2 min read\r\nNov 23, 2023\r\nExecutive Summary\r\nSHA256 hash:\r\n2e5c4d023167875977767da513d8889f1fc09fb18fdadfd95c66a6a890b5ca3f\r\nRemcos is a commercially available Remote Access Tool (RAT) marketed for legitimate use in surveillance and penetration testing. However, it has been leveraged in various unauthorized hacking initiatives. When deployed, Remcos establishes a backdoor, allowing comprehensive remote control over the affected system. The tool is a product of BreakingSecurity, a company specializing in cybersecurity solutions.\r\nHackers are getting smarter by using tricks like hiding their code and adding fake code, which makes it harder for security experts to figure out how their attacks work. They’re using things like image files and compression to disguise their activities.\r\nhttps://infosecwriteups.com/unfolding-remcos-rat-4-9-2-pro-dfb3cb25bbd1\r\nPage 1 of 3\n\nYARA signature rules are attached in Appendix A. The malware sample and hashes have been submitted to VirusTotal for further examination.\r\nHigh-Level Technical Summary\r\nRemcos is an advanced remote access tool that breaks into computers using a series of hidden codes, starting with a malicious file that can be delivered by mail or by a dropper. It cleverly disguises its next steps within an image file, and then uses another DLL to make sure it stays on the computer even after it’s restarted. Remcos can record keystrokes to steal passwords and other private information, which it logs into a file. It stays in contact with the hacker’s server to send out this stolen information and to get new orders, allowing the hacker to keep a close watch and control over the infected computer.\r\nMalware Composition\r\nThis Remcos sample consists of the following components:\r\n2e5c4d023167875977767da513d8889f1fc09fb18fdadfd95c66a6a890b5ca3f\r\nEmbedded_Remcos.exe\r\nThis blog has moved to my personal blog website; to read the full analysis of this RAT, visit the following link. It shows how this malware was multi-staged and how it performs its malicious actions.\r\nhttps://breachnova.com/blog.php?id=28\r\nSource: https://infosecwriteups.com/unfolding-remcos-rat-4-9-2-pro-dfb3cb25bbd1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://infosecwriteups.com/unfolding-remcos-rat-4-9-2-pro-dfb3cb25bbd1"
	],
	"report_names": [
		"unfolding-remcos-rat-4-9-2-pro-dfb3cb25bbd1"
	],
	"threat_actors": [],
	"ts_created_at": 1775434474,
	"ts_updated_at": 1775826760,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/70a5fe5b34e75b6bcdd3204d3a494322dc5881a3.pdf",
		"text": "https://archive.orkl.eu/70a5fe5b34e75b6bcdd3204d3a494322dc5881a3.txt",
		"img": "https://archive.orkl.eu/70a5fe5b34e75b6bcdd3204d3a494322dc5881a3.jpg"
	}
}