{
	"id": "862c31f7-945b-4dfd-a1f2-522b54e0f879",
	"created_at": "2026-04-06T00:12:30.97952Z",
	"updated_at": "2026-04-10T03:38:06.475073Z",
	"deleted_at": null,
	"sha1_hash": "7ae227a0a6c0fbb7f211476ea8b74d24b79e6211",
	"title": "Unknown TTPs of Remcos RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2677074,
	"plain_text": "Unknown TTPs of Remcos RAT\r\nPublished: 2024-03-26 · Archived: 2026-04-05 16:44:16 UTC\r\nTypically spread through malicious attachments, drive-by downloads, or social engineering, Remcos RAT has been active since 2016. Initially presented by BreakingSecurity, a European company, as a legitimate remote control tool, it has since been exploited by threat actors for nefarious purposes, despite claims of restricted access for lawful use.\r\nOn analyzing a few samples from VirusTotal, we got one interesting sample which was a .vhd file. Let’s analyze how threat actors have crafted the VHD (Virtual Hard Disk).\r\nAfter extracting the .vhd file we got a bundle of files, shown in Figure 1.\r\nFigure 1: Extracted VHD file\r\nThe shortcut file has the following PowerShell command line in its target, pointing to the MacOSX.ps1 script. Its deconstructed components are depicted in Figure 1:\r\n[ \\\\localhost\\C$\\Windows\\System32\\cmd.exe /c powershell.exe -ExecutionPolicy Bypass -File \".MacOSX/MacOSX.ps1\" ]\r\nWhile analyzing the script we got to know it had several operations in it. Some of the functionality seems to be remnants of old TTPs:\r\nDownload a PDF file as a PNG file (Figure 1)\r\nCreate a task to download and execute a PowerShell script (Figure 2)\r\nWe found some key functionalities in this script:\r\nAMSI bypass (Figure 3)\r\nDownload a PNG file which is a VB script (Figure 4)\r\nhttps://labs.k7computing.com/index.php/unknown-ttps-of-remcos-rat/\r\nPage 1 of 12\r\nFigure 2: Downloading PDF\r\nFigure 3: Schedule task\r\nFigure 4: AMSI Reaper\r\nThe bypass uses AMSIReaper, which is an open-source tool available on GitHub.\r\nFigure 5: Downloading PNG file (elana.png)\r\nThe command in $binaryData, in Figure 6, downloads a file (elana.png) from a specified URL (hxxps://bitbucket.org/openheartplayercertlover/certlover2/downloads/elana.png). The PNG file is a base64-encoded VB script, which is decoded and saved under %Programdata% as second.ps1.\r\nOn further analyzing the PNG file we got to know it was actually a VB script.\r\nFigure 6: VB script in elana.png\r\nIt defines a function peopaias which creates an instance of Internet Explorer (apegadas), navigates to a blank page, and waits until the page is fully loaded. It then sets up the browser window properties, including position and size. The function waits until a user input element is available on the page and then retrieves the input value before quitting the browser. It also defines a function convertibilidade which takes a string parameter cytiso containing script code and executes it using ExecuteGlobal. From this URL (“hxxp://paste.ee/d/azfhe”) we are able to get the base64-encoded VB script.\r\nFigure 7: Encoded VB script\r\nAfter decoding the VB script, we got a PowerShell script which was encoded with base64.\r\nFigure 8: Encoded PowerShell script in decoded VB script\r\nOn executing the script and capturing the output we realized that it was a VB script.\r\nFigure 9: VB script in decoded PowerShell script\r\nThe VB script downloads an image file from the particular URL (‘hxxps://uploaddeimagens.com.br/images/004/731/958/original/new_image.jpg?1707143673‘).\r\nFigure 10: Downloading PNG\r\nOn analyzing this image file we found that it was a base64-encoded value.\r\nFigure 11: Base64 value in PNG overlay\r\nAfter decoding it we came to know that it was a PE file.\r\nFigure 12: .NET binary\r\nWhile analyzing the .NET DLL file in dnSpy we got to know how attackers are using the main payload and where they are using it.\r\nThe DLL is used to perform process hollowing, that is, injecting the Remcos payload into a newly created “RegAsm.exe” process. Once the function is invoked, it finds “RegAsm.exe” at the following location on the victim’s device: “C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe”.\r\nThe following APIs are used for process hollowing: CreateProcess() with the CREATE_SUSPENDED flag (0x4), GetThreadContext(), ZwUnmapViewOfSection(), VirtualAllocEx(), WriteProcessMemory(), SetThreadContext(), ResumeThread().\r\nThe URL where the final payload is hosted is stored in reversed form in the VB script, as shown in Figure 13.\r\nFigure 13: Reverse URL string\r\nThe main payload, Remcos, is a VC8-compiled binary.\r\nFigure 14: C++ binary payload\r\nIt first decrypts an RC4-encrypted blob in the resource section, named “SETTINGS”.\r\nFigure 15: Getting resource\r\nFigure 16: Manipulating resource\r\nIn the blob, the first byte “3E” is the size of the RC4 key and the rest is the encrypted Remcos configuration block.\r\nFigure 17: Decoded RC4 in setting\r\nFrom this configuration block we can get the C2, malware activities etc.\r\nIt sets the “RUN” registry key for persistence.\r\nFigure 18: Persistence\r\nThe designated filename for logging victim keystrokes and clipboard data, various settings instructing Remcos on how to initiate its functionalities on the victim’s device, and the authentication details employed for establishing a connection to the C2 server were all crucial components.\r\nFigure 19: Keylogging\r\nIt also creates a mutex to avoid multiple instances of this binary. Remcos also records the audio input from the victim’s microphone.\r\nFigure 20: Stealing audio\r\nRemcos RAT connects to a URL to collect geolocation information.\r\nFigure 21: Geolocation\r\nThe other capabilities of Remcos RAT are:\r\nCapturing screenshots of the victim’s screen upon startup.\r\nDisabling User Account Control (UAC) on the victim’s device.\r\nSending data to the C2.\r\nAttackers are always finding fresh strategies to evade Antivirus (AV) and Endpoint Detection and Response (EDR) systems, to secure their ongoing attacks.\r\nWe at K7 Labs provide detection for Remcos and all the latest threats. Users are advised to use a reliable security product such as “K7 Total Security” and keep it up to date to safeguard their devices.\r\nIOCs\r\nMD5 | Detection Name\r\n8E125841810C306790958A95D6DB EB5 | Riskware ( 00584baa1 )\r\nC50DC32F0CABCF7D7B44031031026078 | Trojan ( 0057ef441 )\r\nAA387BA65FF8C796CBE90FEEC010C008 | Trojan ( 0001140e1 )\r\nURLs\r\nhxxps://bitbucket.org/openheartplayercertlover/certlover2/downloads/S-Corp_AUELLC1.png\r\nhxxps://bitbucket.org/openheartplayercertlover/certlover2/downloads/elana.png\r\nhxxps://uploaddeimagens.com.br/images/004/731/958/original/new_image.jpg?1707143673\r\nhxxps://bitbucket.org/!api/2.0/snippets/openheartplayercertlover/jqEMdz/87de249e540d810ba6df8cabeca4b0d89589a73b/files/elanawo\r\nhxxp://paste.ee/d/azfhe\r\nC2\r\nlora1.safesopkoco.com:2404\r\nlora2.safesopkoco.com:2404\r\nsafesopkoco.com:2404\r\nmasterbotsbrothers.xyz:2404\r\nmota1.masterbotsbrothers.xyz:2404\r\nmota2.masterbotsbrothers.xyz:2404\r\nlora1.safesopkoco.co:2404\r\nlora2.safesopkoco.co:2404\r\nlora2.safesopko.net:2404\r\nlora1.safesopko.net:2404\r\nSource: https://labs.k7computing.com/index.php/unknown-ttps-of-remcos-rat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.k7computing.com/index.php/unknown-ttps-of-remcos-rat/"
	],
	"report_names": [
		"unknown-ttps-of-remcos-rat"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434350,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7ae227a0a6c0fbb7f211476ea8b74d24b79e6211.pdf",
		"text": "https://archive.orkl.eu/7ae227a0a6c0fbb7f211476ea8b74d24b79e6211.txt",
		"img": "https://archive.orkl.eu/7ae227a0a6c0fbb7f211476ea8b74d24b79e6211.jpg"
	}
}