{
	"id": "0f806b01-4090-4914-b4ef-6beb285118e2",
	"created_at": "2026-04-06T01:32:36.650582Z",
	"updated_at": "2026-04-10T03:30:57.295607Z",
	"deleted_at": null,
	"sha1_hash": "792bc1c1f5b2e85ae8c1613dc51e547d48799a12",
	"title": "Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Three",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1207719,
	"plain_text": "Dissecting REMCOS RAT: An in-depth analysis of a widespread\r\n2024 malware, Part Three\r\nBy Cyril François, Samir Bousseaden\r\nPublished: 2024-05-03 · Archived: 2026-04-06 00:56:00 UTC\r\nIn previous articles in this multipart series, malware researchers on the Elastic Security Labs team analyzed\r\nREMCOS execution flow, detailing its recording capabilities and its communication with C2. In this article, you’ll\r\nlearn more about REMCOS configuration structure and its C2 commands.\r\nThe configuration\r\nIn this section, we provide a comprehensive overview of the configuration fields of the malware.\r\nConfiguration Table\r\nResearchers successfully recovered approximately 80% of the configuration structure (45 out of 56 fields). We\r\nprovide detailed configuration information in the following table:\r\nIndex Name Description\r\n0x0 c2_list\r\nString containing\r\n“domain:port:enable_tls“ separated by\r\nthe “\\x1e” character\r\n0x1 botnet Name of the botnet\r\n0x2 connect_interval\r\nInterval in second between connection\r\nattempt to C2\r\n0x3 enable_install_flag Install REMCOS on the machine host\r\n0x4 enable_hkcu_run_persistence_flag\r\nEnable setup of the persistence in the\r\nregistry\r\n0x5 enable_hklm_run_persistence_flag\r\nEnable setup of the persistence in the\r\nregistry\r\n0x7 keylogger_maximum_file_size\r\nMaximum size of the keylogging data\r\nbefore rotation\r\n0x8 enable_hklm_policies_explorer_run_flag\r\nEnable setup of the persistence in the\r\nregistry\r\nhttps://www.elastic.co/security-labs/dissecting-remcos-rat-part-three\r\nPage 1 of 16\n\nIndex Name Description\r\n0x9 install_parent_directory\r\nParent directory of the install folder.\r\nInteger mapped to an hardcoded path\r\n0xA install_filename\r\nName of the REMCOS binary once\r\ninstalled\r\n0xC enable_persistence_directory_and_binary_hidding_flag\r\nEnable super hiding the install\r\ndirectory and binary as well as setting\r\nthem to read only\r\n0xD enable_process_injection_flag\r\nEnable running the malware injected in\r\nanother process\r\n0xE mutex\r\nString used as the malware mutex and\r\nregistry key\r\n0xF keylogger_mode\r\nSet keylogging capability. Keylogging\r\nmode, 0 = disabled, 1 = keylogging\r\neverything, 2 = keylogging specific\r\nwindow(s)\r\n0x10 keylogger_parent_directory\r\nParent directory of the keylogging\r\nfolder. Integer mapped to an hardcoded\r\npath\r\n0x11 keylogger_filename Filename of the keylogged data\r\n0x12 enable_keylogger_file_encryption_flag\r\nEnable encryption RC4 of the\r\nkeylogger data file\r\n0x13 enable_keylogger_file_hidding_flag\r\nEnable super hiding of the keylogger\r\ndata file\r\n0x14 enable_screenshot_flag Enable screen recording capability\r\n0x15 screenshot_interval_in_minutes\r\nThe time interval in minute for\r\ncapturing each screenshot\r\n0x16 enable_screenshot_specific_window_names_flag\r\nEnable screen recording for specific\r\nwindow names\r\n0x17 screenshot_specific_window_names\r\nString containing window names\r\nseparated by the “;” character\r\n0x18 screenshot_specific_window_names_interval_in_seconds The time interval in second for\r\ncapturing each screenshot when a\r\nhttps://www.elastic.co/security-labs/dissecting-remcos-rat-part-three\r\nPage 2 of 16\n\nIndex Name Description\r\nspecific window name is found in the\r\ncurrent foreground window title\r\n0x19 screenshot_parent_directory\r\nParent directory of the screenshot\r\nfolder. Integer mapped to an hardcoded\r\npath\r\n0x1A screenshot_folder Name of the screenshot folder\r\n0x1B enable_screenshot_encryption_flag Enable encryption of screenshots\r\n0x23 enable_audio_recording_flag Enable audio recording capability\r\n0x24 audio_recording_duration_in_minutes\r\nDuration in second of each audio\r\nrecording\r\n0x25 audio_record_parent_directory\r\nParent directory of the audio recording\r\nfolder. Integer mapped to an hardcoded\r\npath\r\n0x26 audio_record_folder Name of the audio recording folder\r\n0x27 disable_uac_flag Disable UAC in the registry\r\n0x28 logging_mode\r\nSet logging mode: 0 = disabled, 1 =\r\nminimized in tray, 2 = console logging\r\n0x29 connect_delay_in_second\r\nDelay in second before the first\r\nconnection attempt to the C2\r\n0x2A keylogger_specific_window_names\r\nString containing window names\r\nseparated by the “;” character\r\n0x2B enable_browser_cleaning_on_startup_flag\r\nEnable cleaning web browsers’ cookies\r\nand logins on REMCOS startup\r\n0x2C enable_browser_cleaning_only_for_the_first_run_flag\r\nEnable web browsers cleaning only on\r\nthe first run of Remcos\r\n0x2D browser_cleaning_sleep_time_in_minutes\r\nSleep time in minute before cleaning\r\nthe web browsers\r\n0x2E enable_uac_bypass_flag Enable UAC bypass capability\r\n0x30 install_directory Name of the install directory\r\n0x31 keylogger_root_directory Name of the keylogger directory\r\nhttps://www.elastic.co/security-labs/dissecting-remcos-rat-part-three\r\nPage 3 of 16\n\nIndex Name Description\r\n0x32 enable_watchdog_flag Enable watchdog capability\r\n0x34 license License serial\r\n0x35 enable_screenshot_mouse_drawing_flag\r\nEnable drawing the mouse on each\r\nscreenshot\r\n0x36 tls_raw_certificate\r\nCertificate in raw format used with tls\r\nenabled C2 communication\r\n0x37 tls_key Key of the certificate\r\n0x38 tls_raw_peer_certificate C2 public certificate in raw format\r\nInteger to path mapping\r\nREMCOS utilizes custom mapping for some of its \"folder\" fields instead of a string provided by the user.\r\nWe provide details of the mapping below:\r\nValue Path\r\n0 %Temp%\r\n1 Current malware directory\r\n2 %SystemDrive%\r\n3 %WinDir%\r\n4 %WinDir%//SysWOW64\r\n5 %ProgramFiles%\r\n6 %AppData%\r\nhttps://www.elastic.co/security-labs/dissecting-remcos-rat-part-three\r\nPage 4 of 16\n\nValue Path\r\n7 %UserProfile%\r\n8 %ProgramData%\r\nConfiguration extraction, an inside perspective\r\nWe enjoy building tools, and we'd like to take this opportunity to provide some insight into the type of tools we\r\ndevelop to aid in our analysis of malware families like REMCOS.\r\nWe developed a configuration extractor called \"conf-tool\", which not only extracts and unpacks the configuration\r\nfrom specific samples but can also repackage it with modifications.\r\nconf-tool help screen\r\nFirst, we unpack the configuration.\r\nUnpacking the configuration\r\nThe configuration is saved to the disk as a JSON document, with each field mapped to its corresponding type.\r\nhttps://www.elastic.co/security-labs/dissecting-remcos-rat-part-three\r\nPage 5 of 16\n\nDumped configuration in JSON format\r\nWe are going to replace all the domains in the list with the IP address of our C2 emulator to initiate\r\ncommunication with the sample.\r\nSetting our IP in the C2 list\r\nWe are also enabling the logging mode to console (2):\r\nhttps://www.elastic.co/security-labs/dissecting-remcos-rat-part-three\r\nPage 6 of 16\n\nSetting logging mode to console in the configuration\r\nOnce we're done, repack everything:\r\nRepacking the configuration in the REMCOS sample\r\nAnd voilà, we have the console, and the sample attempts to connect to our emulator!\r\nREMCOS console\r\nWe are releasing a REMCOS malware configuration extractor that includes some of these features.\r\nC2 commands\r\nIn this section, we present a list of all the commands we've reversed that are executable by the Command and\r\nControl (C2). Furthermore, we provide additional details for a select subset of commands.\r\nCommand table\r\nResearchers recovered approximately 95% of the commands (74 out of 78). We provide information about the\r\ncommands in the following table:\r\nFunction Name\r\n0x1 HeartBeat\r\n0x2 DisableKeepAlive\r\n0x3 ListInstalledApplications\r\n0x6 ListRunningProcesses\r\nhttps://www.elastic.co/security-labs/dissecting-remcos-rat-part-three\r\nPage 7 of 16\n\nFunction Name\r\n0x7 TerminateProcess\r\n0x8 ListProcessesWindows\r\n0x9 CloseWindow\r\n0xA ShowWindowMaximized\r\n0xB ShowWindowRestore\r\n0xC TerminateProcessByWindowHandleAndListProcessesWindows\r\n0xD ExecuteShellCmd\r\n0xE StartPipedShell\r\n0xF ExecuteProgram\r\n0x10 MaybeUploadScreenshots\r\n0x11 GetHostGeolocation\r\n0x12 GetOfflineKeyloggerInformation\r\n0x13 StartOnlineKeylogger\r\n0x14 StopOnlineKeylogger\r\n0x15 MaybeSetKeyloggerNameAndUploadData\r\n0x16 UploadKeyloggerData\r\n0x17 DeleteKeyloggerDataThenUploadIfAnythingNewInbetween\r\n0x18 CleanBrowsersCookiesAndLogins\r\n0x1B StartWebcamModule\r\n0x1C StopWebcamModule\r\n0x1D EnableAudioCapture\r\n0x1E DisableAudioCapture\r\n0x1F StealPasswords\r\n0x20 DeleteFile\r\n0x21 TerminateSelfAndWatchdog\r\n0x22 Uninstall\r\nhttps://www.elastic.co/security-labs/dissecting-remcos-rat-part-three\r\nPage 8 of 16\n\nFunction Name\r\n0x23 Restart\r\n0x24 UpdateFromURL\r\n0x25 UpdateFromC2\r\n0x26 MessageBox\r\n0x27 ShutdownOrHibernateHost\r\n0x28 UploadClipboardData\r\n0x29 SetClipboardToSpecificData\r\n0x2A EmptyClipboardThenUploadIfAnythingInbetween\r\n0x2B LoadDllFromC2\r\n0x2C LoadDllFromURL\r\n0x2D StartFunFuncModule\r\n0x2F EditRegistry\r\n0x30 StartChatModule\r\n0x31 SetBotnetName\r\n0x32 StartProxyModule\r\n0x34 ManageService\r\n0x8F SearchFile\r\n0x92 SetWallpaperFromC2\r\n0x94 SetWindowTextThenListProcessesWindow\r\n0x97 UploadDataFromDXDiag\r\n0x98 FileManager\r\n0x99 ListUploadScreenshots\r\n0x9A DumpBrowserHistoryUsingNirsoft\r\n0x9E TriggerAlarmWav\r\n0x9F EnableAlarmOnC2Disconnect\r\n0xA0 DisableAlarmOnC2Disconnect\r\nhttps://www.elastic.co/security-labs/dissecting-remcos-rat-part-three\r\nPage 9 of 16\n\nFunction Name\r\n0xA2 DownloadAlarmWavFromC2AndOptPlayIt\r\n0xA3 AudioPlayer\r\n0xAB ElevateProcess\r\n0xAC EnableLoggingConsole\r\n0xAD ShowWindow\r\n0xAE HideWindow\r\n0xB2 ShellExecuteOrInjectPEFromC2OrURL\r\n0xC5 RegistrySetHlightValue\r\n0xC6 UploadBrowsersCookiesAndPasswords\r\n0xC8 SuspendProcess\r\n0xC9 ResumeProcess\r\n0xCA ReadFile\r\n0xCB WriteFile\r\n0xCC StartOfflineKeylogger\r\n0xCD StopOfflineKeylogger\r\n0xCE ListProcessesTCPandUDPTables\r\nListInstalledApplications command\r\nTo list installed applications, REMCOS iterates over the\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Uninstall registry key. For each subkey, it queries the following\r\nvalues:\r\nDisplayName\r\nPublisher\r\nDisplayVersion\r\nInstallLocation\r\nInstallDate\r\nUninstallString\r\nhttps://www.elastic.co/security-labs/dissecting-remcos-rat-part-three\r\nPage 10 of 16\n\n0x41C68F REMCOS listing installed applications\r\nExecuteShellCmd command\r\nShell commands are executed using the ShellExecuteW API with cmd.exe /C {command} as arguments.\r\nExecuting a shell command using ShellExecuteW with cmd.exe\r\nGetHostGeolocation command\r\nTo obtain host geolocation, REMCOS utilizes the geoplugin.net API and directly uploads the returned JSON data.\r\nRequesting geolocation information from geoplugin.net\r\nStartOnlineKeylogger command\r\nhttps://www.elastic.co/security-labs/dissecting-remcos-rat-part-three\r\nPage 11 of 16\n\nThe online keylogger employs the same keylogger structure as the offline version. However, instead of writing the\r\ndata to the disk, the data is sent live to the C2.\r\n0x40AEEE Initialization of the online keylogger\r\nStartWebcamModule command\r\nREMCOS uses an external module for webcam recording. This module is a DLL that must be received and loaded\r\nfrom its C2 as part of the command parameters.\r\n0x404582 REMCOS loading the webcam module from C2\r\nOnce the module is loaded, you can send a sub-command to capture and upload a webcam picture.\r\n0x4044F5 Sub-command handler for capturing and uploading pictures\r\nStealPasswords command\r\nPassword stealing is likely carried out using 3 different Nirsoft binaries, identified by the \"/sext\" parameters.\r\nThese binaries are received from the C2 and injected into a freshly created process. Both elements are part of the\r\ncommand parameters.\r\nhttps://www.elastic.co/security-labs/dissecting-remcos-rat-part-three\r\nPage 12 of 16\n\n0x412BAA REMCOS injects one of the Nirsoft binary into a freshly created process\r\nThe /sext parameter instructs the software to write the output to a file, each output filename is randomly\r\ngenerated and stored in the malware installation folder. Once their contents are read and uploaded to the C2, they\r\nare deleted.\r\n0x412B12 Building random filename for the Nirsoft output file\r\nRead and delete the output file\r\nAn additional DLL, with a FoxMailRecovery export, can also be utilized. Like the other binaries, the DLL is\r\nreceived from the C2 as part of the command parameters. As the name implies the DLLis likely to be used to\r\ndump FoxMail data\r\nLoading additional dll with FoxMailRecovery export\r\nUninstall command\r\nThe uninstall command will delete all Remcos-related files and persistence registry keys from the host machine.\r\nFirst, it kills the watchdog process.\r\n0x040D0A0 Killing the watchdog process\r\nThen, it deletes all the recording files (keylogging, screenshots, and audio recordings).\r\nhttps://www.elastic.co/security-labs/dissecting-remcos-rat-part-three\r\nPage 13 of 16\n\n0x40D0A5 Deleting * recording files\r\nThen, it deletes its registry persistence keys.\r\n0x40D0EC Deleting * persistence keys\r\nFinally, it deletes its installation files by creating and executing a Visual Basic script in the %TEMP% folder with\r\na random filename, then terminates its process.\r\n0x40D412 Executing the delete visual basic script and exit\r\nBelow the generated script with comments.\r\n' Continue execution even if an error occurs\r\nOn Error Resume Next\r\n' Create a FileSystemObject\r\nSet fso = CreateObject(\"Scripting.FileSystemObject\")\r\n' Loop while the specified file exists\r\nwhile fso.FileExists(\"C:\\Users\\Cyril\\Desktop\\corpus\\0af76f2897158bf752b5ee258053215a6de198e8910458c02282c2d4d284\r\n' Delete the specified file\r\nfso.DeleteFile \"C:\\Users\\Cyril\\Desktop\\corpus\\0af76f2897158bf752b5ee258053215a6de198e8910458c02282c2d4d284add5.e\r\n' End of the loop\r\nwend\r\nhttps://www.elastic.co/security-labs/dissecting-remcos-rat-part-three\r\nPage 14 of 16\n\n' Delete the script itself\r\nfso.DeleteFile(Wscript.ScriptFullName)\r\nRestart command\r\nThe Restart command kills the watchdog process and restarts the REMCOS binary using a generated Visual Basic\r\nscript.\r\nBelow is the generated script with comments.\r\n' Create a WScript.Shell object and run a command in the command prompt\r\n' The command runs the specified .exe file\r\n' The \"0\" argument means the command prompt window will not be displayed\r\nCreateObject(\"WScript.Shell\").Run \"cmd /c \"\"C:\\Users\\Cyril\\Desktop\\corpus\\0af76f2897158bf752b5ee258053215a6de198\r\n' Create a FileSystemObject and delete the script itself\r\nCreateObject(\"Scripting.FileSystemObject\").DeleteFile(Wscript.ScriptFullName)\r\nDumpBrowserHistoryUsingNirsoft command\r\nLike the StealPasswords command, the DumpBrowserHistoryUsingNirsoft command steals browser history using\r\nlikely another Nirsoft binary received from the C2 as part of the command parameter. Again, we identify the\r\nbinary as part of Nirsoft because of the /stext parameter.\r\n0x40404C Dumping browsers history using likely Nirsoft binary\r\nElevateProcess command\r\nThe ElevateProcess command, if the process isn’t already running with administrator privileges, will set the\r\nHKCU/SOFTWARE/{mutex}/elev registry key and restart the malware using the same method as the Restart\r\ncommand.\r\nhttps://www.elastic.co/security-labs/dissecting-remcos-rat-part-three\r\nPage 15 of 16\n\n0x416EF6 Set the elev registry key and restart\r\nUpon restart, the REMCOS checks the elev value as part of its initialization phase. If the value exists, it'll delete\r\nit and utilize its UAC bypass feature to elevate its privileges.\r\n0x40EC39 Forced UAC bypass if the elev key exists in the registry\r\nThat’s the end of the third article. In the final part we’ll cover detection and hunt strategies of REMCOS using\r\nElastic technologies.\r\nSource: https://www.elastic.co/security-labs/dissecting-remcos-rat-part-three\r\nhttps://www.elastic.co/security-labs/dissecting-remcos-rat-part-three\r\nPage 16 of 16",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.elastic.co/security-labs/dissecting-remcos-rat-part-three"
	],
	"report_names": [
		"dissecting-remcos-rat-part-three"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439156,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/792bc1c1f5b2e85ae8c1613dc51e547d48799a12.pdf",
		"text": "https://archive.orkl.eu/792bc1c1f5b2e85ae8c1613dc51e547d48799a12.txt",
		"img": "https://archive.orkl.eu/792bc1c1f5b2e85ae8c1613dc51e547d48799a12.jpg"
	}
}