{
	"id": "58518e85-87c6-49e2-b77c-ddb67c9498d4",
	"created_at": "2026-04-10T03:20:06.750345Z",
	"updated_at": "2026-04-10T13:13:02.993746Z",
	"deleted_at": null,
	"sha1_hash": "821249c3b191ffe11a4f12a5b58fbb8c24447958",
	"title": "Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part One",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1937114,
	"plain_text": "Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part One\r\nBy Cyril François, Samir Bousseaden\r\nPublished: 2024-04-24 · Archived: 2026-04-10 03:00:04 UTC\r\nIn the first article in this multipart series, malware researchers on the Elastic Security Labs team give a short introduction to the REMCOS threat and dive into the first half of its execution flow, from loading its configuration to cleaning the infected machine's web browsers.\r\nIntroduction\r\nElastic Security Labs continues its examination of high-impact threats, focusing on the internal complexities of REMCOS version 4.9.3 Pro (November 26, 2023).\r\nDeveloped by Breaking-Security, REMCOS is a piece of software that began life as a red teaming tool but has since been adopted by threats of all kinds targeting practically every sector.\r\nWhen we performed our analysis in mid-January, it was the most prevalent malware family reported by ANY.RUN. Furthermore, it remains under active development, as evidenced by the recent announcement of version 4.9.4's release by the company on March 9, 2024.\r\nAll the samples we analyzed were derived from the same REMCOS 4.9.3 Pro x86 build. The software is coded in C++ with intensive use of the std::string class for its string and byte-related operations.\r\nREMCOS is packed with a wide range of functionality, including evasion techniques, privilege escalation, process injection, recording capabilities, etc.\r\nThis article series provides an extensive analysis of the following:\r\nExecution and capabilities\r\nDetection and hunting strategies using Elastic’s ES|QL queries\r\nRecovery of approximately 80% of its configuration fields\r\nRecovery of about 90% of its C2 commands\r\nSample virtual addresses under each IDA Pro screenshot\r\nAnd more!\r\nhttps://www.elastic.co/security-labs/dissecting-remcos-rat-part-one\r\nPage 1 of 16\r\nREMCOS execution diagram\r\nFor any questions or feedback, feel free to reach out to us on social media @elasticseclabs or in the Elastic Community Slack.\r\nLoading the configuration\r\nThe REMCOS configuration is stored in an encrypted blob within a resource named SETTINGS. This name appears consistent across different versions of REMCOS.\r\nREMCOS config stored in encrypted SETTINGS resource\r\nThe malware begins by loading the encrypted configuration blob from its resource section.\r\n0x41B4A8 REMCOS loads its encrypted configuration from resources\r\nTo load the encrypted configuration, we use the following Python script and the Lief module.\r\nimport pathlib\r\nimport lief\r\n\r\ndef read_encrypted_configuration(path: pathlib.Path) -\u003e bytes | None:\r\n    # Parse the PE; lief.parse returns None if the file is not a valid binary\r\n    if not (pe := lief.parse(str(path))):\r\n        return None\r\n    if not pe.has_resources:\r\n        return None\r\n    # Walk the resource tree: type node (RT_RCDATA == 10) -\u003e name node -\u003e data node\r\n    for first_level_child in pe.resources.childs:\r\n        if first_level_child.id != 10:\r\n            continue\r\n        for second_level_child in first_level_child.childs:\r\n            if second_level_child.name == \"SETTINGS\":\r\n                return bytes(second_level_child.childs[0].content)\r\n    # No SETTINGS resource in this binary\r\n    return None\r\nWe can confirm that version 4.9.3 maintains the same structure and decryption scheme as previously described by Fortinet researchers:\r\nFortinet reported structure and decryption scheme\r\nWe refer to the “encrypted configuration” as the structure that contains the decryption key and the encrypted data blob, which appears as follows:\r\nstruct ctf::EncryptedConfiguration\r\n{\r\n    uint8_t key_size;          // length of the RC4 key\r\n    uint8_t key[key_size];     // RC4 key\r\n    uint8_t data[];            // RC4-encrypted configuration, up to the end of the resource\r\n};\r\nThe configuration is still decrypted using the RC4 algorithm, as seen in the following screenshot.\r\n0x40F3C3 REMCOS decrypts its configuration using RC4\r\nTo decrypt the configuration, we employ the following algorithm.\r\nfrom Crypto.Cipher import ARC4  # pycryptodome\r\n\r\ndef decrypt_encrypted_configuration(\r\n    encrypted_configuration: bytes,\r\n) -\u003e tuple[bytes, bytes]:\r\n    # First byte: key length; then the key; then the RC4 ciphertext\r\n    key_size = int.from_bytes(encrypted_configuration[:1], \"little\")\r\n    key = encrypted_configuration[1 : 1 + key_size]\r\n    return key, ARC4.ARC4Cipher(key).decrypt(encrypted_configuration[key_size + 1 :])\r\nThe configuration is used to initialize a global vector that we call g_configuration_vector by splitting it with the string \\x7c\\x1f\\x1e\\x1e\\x7c as a delimiter.\r\n0x40EA16 Configuration string is split to initialize g_configuration_vector\r\nWe provide a detailed explanation of the configuration later in this series.\r\nUAC Bypass\r\nWhen the enable_uac_bypass_flag (index 0x2e) is enabled in the configuration, REMCOS attempts a UAC bypass using a known COM-based technique.\r\n0x40EC4C Calling the UAC Bypass feature when enabled in the configuration\r\nBeforehand, REMCOS masquerades its process in an effort to avoid detection.\r\n0x40766D UAC Bypass is wrapped between process masquerading and un-masquerading\r\nREMCOS modifies the PEB structure of the current process by replacing the image path and command line with the explorer.exe string while saving the original information in global variables for later use.\r\n0x40742E Process PEB image path and command line set to explorer.exe\r\nThe well-known technique exploits the CoGetObject API to pass the Elevation:Administrator!new: moniker, along with the CMSTPLUA CLSID and ICMLuaUtil IID, to instantiate an elevated COM interface. REMCOS then uses the ShellExec() method of the interface to launch a new process with administrator privileges, and then exits.\r\n0x407607 calling ShellExec from an elevated COM interface\r\n0x4074FD instantiating an elevated COM interface\r\nThis technique was previously documented in an Elastic Security Labs article from 2023: Exploring Windows UAC Bypasses: Techniques and Detection Strategies.\r\nBelow is a recent screenshot of the detection of this exploit using the Elastic Defend agent.\r\nUAC bypass exploit detection by the Elastic Defend agent\r\nDisabling UAC\r\nWhen the disable_uac_flag is enabled in the configuration (index 0x27), REMCOS disables UAC in the registry by setting the HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA value to 0 using the reg.exe Windows binary.\r\nInstall and persistence\r\nWhen enable_install_flag (index 0x3) is activated in the configuration, REMCOS will install itself on the host machine.\r\n0x40ED8A Calling install feature when the flag is enabled in configuration\r\nThe installation path is constructed using the following configuration values:\r\ninstall_parent_directory (index 0x9)\r\ninstall_directory (index 0x30)\r\ninstall_filename (index 0xA)\r\nThe malware binary is copied to {install_parent_directory}/{install_directory}/{install_filename}. In this example, it is %ProgramData%\\Remcos\\remcos.exe.\r\nSample detected in its installation directory\r\nIf the enable_persistence_directory_and_binary_hiding_flag (index 0xC) is enabled in the configuration, the install folder and the malware binary are set to super hidden (even if the user enables showing hidden files or folders, the file is kept hidden by Windows to protect files with system attributes) and read-only by applying the read-only, hidden, and system attributes to them.\r\n0x40CFC3 REMCOS applies read-only and super hidden attributes to its install folder and files\r\nInstall files set as read-only and super hidden\r\nAfter installation, REMCOS establishes persistence in the registry depending on which of the following flags are enabled in the configuration:\r\nenable_hkcu_run_persistence_flag (index 0x4)\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\r\nenable_hklm_run_persistence_flag (index 0x5)\r\nHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\r\nenable_hklm_policies_explorer_run_flag (index 0x8)\r\nHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\\r\n0x40CD0D REMCOS establishing persistence registry keys\r\nThe malware is then relaunched from the installation folder using ShellExecuteW, followed by termination of the initial process.\r\n0x40D04B Relaunch of the REMCOS process after installation\r\nProcess injection\r\nWhen the enable_process_injection_flag (index 0xD) is enabled in the configuration, REMCOS injects itself into either a specified process or a Windows process chosen from a hardcoded list to evade detection.\r\n0x40EEB3 Calling process injection feature if enabled in the configuration\r\nREMCOS running injected into iexplore.exe\r\nThe enable_process_injection_flag can be either a boolean or the name of a target process. When set to true (1), the injected process is chosen in a “best effort” manner from the following options:\r\niexplorer.exe\r\nieinstal.exe\r\nielowutil.exe\r\nNote: there is only one injection method available in REMCOS; when we talk about process injection, we are specifically referring to the method outlined here.\r\nREMCOS uses a classic ZwMapViewOfSection + SetThreadContext + ResumeThread technique for process injection. This involves copying itself into the injected binary via shared memory, mapped using ZwMapViewOfSection, and then hijacking its execution flow to the REMCOS entry point using the SetThreadContext and ResumeThread methods.\r\nIt starts by creating the target process in suspended mode using the CreateProcessW API and retrieving its thread context using the GetThreadContext API.\r\n0x418217 Creation of the target process in suspended mode\r\nThen, it creates a shared memory section using the ZwCreateSection API and maps it into the target process using the ZwMapViewOfSection API, along with the handle to the remote process.\r\n0x418293 Creation of the shared memory\r\n0x41834C Mapping of the shared memory in the target process\r\nThe binary is next loaded into the remote process by copying its header and sections into the shared memory.\r\n0x41836F Mapping the PE in the shared memory using memmove\r\nRelocations are applied if necessary. Then, the PEB ImageBaseAddress is fixed using the WriteProcessMemory API. Subsequently, the thread context is set with a new entry point pointing to the REMCOS entry point, and process execution resumes.\r\n0x41840B Hijacking process entry point to REMCOS entry point and resuming the process\r\nBelow is the detection of this process injection technique by our agent:\r\nProcess injection alert\r\nProcess injection process tree\r\nSetting up logging mode\r\nREMCOS has three logging mode values that can be selected with the logging_mode (index 0x28) field of the configuration:\r\n0: No logging\r\n1: Start minimized in tray icon\r\n2: Console logging\r\n0x40EFA3 Logging mode configured from settings\r\nSetting this field to 2 enables the console, even when process injection is enabled, and exposes additional information.\r\nREMCOS console displayed while injected into iexplore.exe\r\nCleaning browsers\r\nWhen the enable_browser_cleaning_on_startup_flag (index 0x2B) is enabled, REMCOS will delete cookies and login information from the installed web browsers on the host.\r\n0x40F1CC Calling browser cleaning feature when enabled in the configuration\r\nAccording to the official documentation, the goal of this capability is to increase the system's security against password theft.\r\nCurrently, the supported browsers are Internet Explorer, Firefox, and Chrome.\r\n0x40C00C Supported browsers for cleaning features\r\nThe cleaning process involves deleting cookies and login files from the browsers' known directory paths using the FindFirstFileA, FindNextFileA, and DeleteFileA APIs:\r\n0x40BD37 Cleaning Firefox cookies 1/2\r\n0x40BD37 Cleaning Firefox cookies 2/2\r\nWhen the job is completed, REMCOS prints a message to the console.\r\nREMCOS printing success message after cleaning browsers\r\nIt's worth mentioning two related fields in the configuration:\r\nenable_browser_cleaning_only_for_the_first_run_flag (index 0x2C)\r\nbrowser_cleaning_sleep_time_in_minutes (index 0x2D)\r\nThe browser_cleaning_sleep_time_in_minutes configuration value determines how much time REMCOS will sleep before performing the job.\r\n0x40C162 Sleeping before performing browser cleaning job\r\nWhen enable_browser_cleaning_only_for_the_first_run_flag is enabled, the cleaning will occur only at the first run of REMCOS. Afterward, the HKCU/SOFTWARE/{mutex}/FR registry value is set.\r\nOn subsequent runs, the function returns immediately if the value exists and is set in the registry.\r\nThat’s the end of the first article. The second part will cover the second half of REMCOS' execution flow, starting from its watchdog to the first communication with its C2.\r\nSource: https://www.elastic.co/security-labs/dissecting-remcos-rat-part-one",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.elastic.co/security-labs/dissecting-remcos-rat-part-one"
	],
	"report_names": [
		"dissecting-remcos-rat-part-one"
	],
	"threat_actors": [],
	"ts_created_at": 1775791206,
	"ts_updated_at": 1775826782,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/821249c3b191ffe11a4f12a5b58fbb8c24447958.pdf",
		"text": "https://archive.orkl.eu/821249c3b191ffe11a4f12a5b58fbb8c24447958.txt",
		"img": "https://archive.orkl.eu/821249c3b191ffe11a4f12a5b58fbb8c24447958.jpg"
	}
}