{
	"id": "f61bdb7e-8f07-496c-9916-741e908e489f",
	"created_at": "2026-04-06T00:11:57.526985Z",
	"updated_at": "2026-04-10T03:20:52.830596Z",
	"deleted_at": null,
	"sha1_hash": "8504264bd89498fded629a650167eaa2f286f6c2",
	"title": "Detecting Malware Script Loaders using Remcos: Threat Research Release December 2021 | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8637334,
	"plain_text": "Detecting Malware Script Loaders using Remcos: Threat Research\r\nRelease December 2021 | Splunk\r\nBy Splunk Threat Research Team\r\nPublished: 2022-01-10 · Archived: 2026-04-05 16:06:45 UTC\r\nSplunk is committed to using inclusive and unbiased language. This blog post might contain terminology that we\r\nno longer use. For more information on our updated terminology and our stance on biased language, please visit\r\nour blog post. We appreciate your understanding as we work towards making our community more inclusive for\r\neveryone.\r\nThis particular sample makes the detection and analysis of the adversary behavior more challenging. The most\r\nprevalent loaders seen in the wild are window scripting languages, JScript (.js), and VBScript (.vbs). These scripts\r\nare easy to obfuscate and encrypt in order to bypass detection and preventative controls, therefore many\r\nadversaries use this methodology. In this blog, Splunk Threat Research (STRT) will discuss a Remcos loader that\r\nutilizes DynamicWrapperX (dynwrapx.dll) to execute shellcode and inject Remcos RAT into the target process.\r\nUltimately STRT covers what Splunk Security Content detections find behaviors and TTPs that apply to the\r\nDynamicWrapperX Loader.\r\nhttps://www.splunk.com/en_us/blog/security/detecting-malware-script-loaders-using-remcos-threat-research-release-december-2021.html\r\nPage 1 of 16\n\nThe Initial Downloader\r\nThis Remcos sample loader starts with a simple VBScript that attempts to download the second VBScript from\r\npaste.ee. The script on paste.ee is the main loader of Remcos. Below is the screenshot of the initial downloader\r\nscript. STRT has witnessed the script stay online up to a few weeks between major campaign changes. Paste.ee\r\noffers multiple options to automatically take down code between hours up to a year. 
The full VBScript loader may\r\nbe found here.\r\nThe VBScript Main Remcos Loader\r\nDetection Evasion\r\nSTRT found the script loader interesting in how it tries to evade inspection by preventative controls: it embeds\r\na large amount of benign script code and comments at the beginning and end of the loader. For example, the\r\nscreenshot below shows that its code in lines 120-150 pertains to Microsoft “pubprn.vbs”, a script designed to publish\r\nprinters within Active Directory Domain Services. Skimming the code quickly gives away that shellcode is\r\nembedded inside.\r\nPreparation of Payload\r\nNow that the loader has downloaded the next stage from paste.ee, this VBScript prepares several payloads and\r\neventually loads the actual Remcos malicious software. First, it decodes the actual Remcos RAT, then extracts\r\ndynwrapx.dll (used to load the shellcode), and finally the shellcode. It also initializes the file path\r\n(c:\\windows\\winhlp32.exe) of the target process into which Remcos RAT is injected.\r\nBelow is a screenshot of each payload decoded:\r\nVBScript Execution on x64\r\nThis script also has a function that checks the OS architecture of the infected host using WMI (Windows\r\nManagement Instrumentation, T1047). If it is an x64 host, it runs the VBScript using the following command\r\nformat, “wscript /b /e:vbscript \u003cvbscript filename\u003e”, as shown in the screenshot below. The raw attack data (sysmon.log) for this technique is also available.\r\nThe Shellcode - Process Injection\r\nThe decoded shellcode uses pre-computed API hashes to dynamically resolve its API imports in order to inject the\r\nRemcos malware into a targeted process on the host. The screenshot below shows the final WriteProcessMemory\r\nand ResumeThread API calls, which write and subsequently execute the Remcos RAT in the target\r\nprocess where it injects its code.\r\nDynamicWrapperX - ShellCode Execution\r\nTo execute the shellcode for Remcos via process injection, the loader first decodes and drops “dynwrapx.dll” in the\r\n%temp% folder and loads/installs it using the Regsvr32 silent install parameters (“regsvr32 /I /S”). This DLL gives\r\nthe VBScript access to the “DynamicWrapperX” object, which it uses to load two more Windows DLL modules, user32.dll\r\nand kernel32.dll, to allocate memory and execute the shellcode.\r\nUsing the VirtualAlloc API, it allocates a region of memory for the Remcos malware and shellcode. This\r\nmemory address is passed as an argument to the CallWindowProcW API to execute the shellcode, which injects Remcos\r\nRAT into the target process, WinHlp32.exe. The screenshot below shows the code of this technique.\r\nWhere is Remcos Going?\r\nUsing VirusTotal behavior data to analyze this sample further, STRT searched for a pattern of behavior that spawned\r\nwinhlp32.exe and used regsvr32.exe to load dynwrapx.dll. STRT crafted this VirusTotal behavior query:\r\nbehavior:\"\\\"%windir%\\\\System32\\\\regsvr32.exe\\\" /I /S \\\"%TEMP%\\\\dynwrapx.dll\\\"\" behavior:\"\\\"%windir%\\\\winhlp32.e\r\nThis uncovered an interesting pattern, beginning 9/12/2021 from Argentina, which matched the same behavior as\r\nour original sample. Each upload contained a different section of the final sample (reviewed above). STRT\r\nspeculates the adversary was testing their code against antivirus engines. After the first few “testing” uploads\r\noccurred, they were followed by actual active campaigns with complete Remcos loaders.\r\nThe pattern of behavior we queried for looks like this in VTI -\r\nAfter winhlp32.exe, STRT noticed the loader shifted to using installutil.exe. With installutil.exe, the pattern is\r\nvery similar. The biggest difference STRT noticed was that, during the VBScript execution, installutil.exe did not load\r\ndynwrapx.dll, unlike winhlp32.exe.\r\nVirusTotal behavior query:\r\nbehavior:\"\\\"%windir%\\\\System32\\\\regsvr32.exe\\\" /I /S \\\"%TEMP%\\\\dynwrapx.dll\\\"\" behavior:\"\\\\installutil.exe\\\"\"\r\nSTRT generated a few additional queries that helped us look holistically for other samples; these provided\r\ninsight into further behaviors, and also visibility into how much interaction and change goes into each\r\ncampaign.\r\nbehaviour_processes:\"\\\"%windir%\\\\SYSWOW64\\\\WSCRIPT.EXE\\\" //b //e:vbscript \\\"%SAMPLEPATH%\\\"\"\r\ncontent:{5365742044796e577261704f626a203d204372656174654f626a656374282244796e616d696357726170706572582229}\r\nThe content: query above searches for the hex encoding of the VBScript line Set DynWrapObj = CreateObject(\"DynamicWrapperX\").\r\nVT Correlation Graph of Remcos:\r\nThe following VT Correlation Graph shows us the countries affected by this Remcos campaign, the number of C2\r\nserver connections it made to download other malware or its components, and even some interesting infection chain\r\nvectors such as dropping a .lnk file and downloading components from its C2.\r\nRemcos Analytic Story\r\nThe update to the analytic story introduced 21 new and 5 modified detections. In this section, we describe some\r\nof these analytics.\r\nSuspicious Process DNS Query Known Abuse Web Services\r\nDetects a suspicious process making a DNS query to known abused text paste web services, or to VoIP, instant\r\nmessaging and digital distribution platforms, that can be used to download external files. This technique is abused by\r\nadversaries, malware actors and red teams to download a malicious file on the target host. This is a good TTP\r\nindicator for possible initial access techniques. Users will see false positives if instant\r\nmessaging or common applications such as Telegram or Discord are allowed in the corporate network.\r\n`sysmon` EventCode=22 QueryName IN (\"*pastebin*\", \"*discord*\", \"*telegram*\", \"*t.me*\") process_name IN (\"cmd.ex\r\n| stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryR\r\n| `security_content_ctime(firstTime)`\r\n| `security_content_ctime(lastTime)`\r\nLoading Of Dynwrapx Module\r\nDynamicWrapperX is an ActiveX component that can be used in a VBScript to call Windows API functions, but it\r\nrequires dynwrapx.dll to be installed and registered. Consequently, registering or loading dynwrapx.dll on a host is\r\nhighly suspicious. In most instances when it is maliciously used, the best way to triage is to review parallel\r\nprocesses and pivot on the process_guid. Review the registry for any suspicious modifications meant to load\r\ndynwrapx.dll, and identify any suspicious module loads of dynwrapx.dll. This detection will return and identify the\r\nprocesses that invoke vbs/wscript/cscript.\r\n`sysmon` EventCode=7 (ImageLoaded = \"*\\\\dynwrapx.dll\" OR OriginalFileName = \"dynwrapx.dll\" OR Product = \"Dynam\r\n| stats count min(_time) as firstTime max(_time) as lastTime\r\nby Image ImageLoaded OriginalFileName Product process_name Computer EventCode Signed ProcessId\r\n| `security_content_ctime(firstTime)`\r\n| `security_content_ctime(lastTime)`\r\nSystem Info Gathering Using Dxdiag Application\r\nDetects a suspicious dxdiag.exe process command-line execution. Dxdiag is used to collect the system info of the\r\ntarget host. This technique has been seen used by Remcos RAT, various actors, and other malware to collect\r\ninformation as part of the reconnaissance or collection phase of an attack. This behavior should rarely be seen in a corporate\r\nnetwork, but the command line can be used by a network administrator to audit host machine specifications. Thus,\r\nin some rare cases, this detection will contain false positives in its results. To triage further, analyze what\r\ncommands were run after dxdiag pipes its result out to a file for further processing. Examples of anyrun Remcos\r\nanalyses show its behavior before and after this technique was executed.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)\r\n as lastTime from datamodel=Endpoint.Processes where `process_dxdiag` AND Processes.process\r\n = \"* /t *\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process\r\n Processes.process_name Processes.process Processes.process_id Processes.parent_process_id\r\n| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`\r\nPossible Browser Pass View Parameter\r\nDetects a suspicious process that contains command-line parameters related to a web browser credential dumper.\r\nThis technique is used by Remcos RAT malware, which uses the Nirsoft webbrowserpassview.exe application to\r\ndump web browser credentials. Remcos uses the \"/stext\" command-line switch to dump the credentials in text format. This\r\nhunting query is a good indicator of hosts suffering from a possible Remcos RAT infection. Since the hunting query\r\nis based on the command-line parameter and the possible path where the text credential information is saved, it may\r\ncatch legitimate tools that use the same command and behavior.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)\r\n as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*/stext*\", \"*/shtml *\", \"*/LoadPa\r\nby Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name\r\n| `drop_dm_object_name(Processes)`\r\n| `security_content_ctime(firstTime)`\r\n| `security_content_ctime(lastTime)`\r\nAutomating with SOAR Playbooks\r\nThe following community Splunk SOAR playbooks can be used in conjunction with some of the\r\npreviously described analytics:\r\nWhy Should You Care?\r\nThis blog shows how VBScript and JScript are leveraged by all sorts of offensive actors, including penetration\r\ntesting consultants, cybercrime actors and cyber espionage actors, for process injection and shellcode execution.\r\nUnlike binary malware loaders, malware loader scripts are very flexible in terms of updates, encryption and\r\ncode obfuscation to bypass detections. According to Unit 42’s 2020 article, script-based malware is one of the new\r\nattacker trends, and it keeps evolving and improving as part of the malware tooling ecosystem. Cyber\r\ndefenders need to design and deploy effective monitoring capabilities that allow them to detect and respond to\r\nsuspicious script execution, process injection and suspicious use of text paste web services in their corporate or\r\nserver networks.\r\nLearn More\r\nYou can find the latest content about security analytic stories on research.splunk.com. For a full list of security\r\ncontent, check out the release notes on Splunk Docs.\r\n3.32.0\r\nFeedback\r\nAny feedback or requests? Feel free to put in an issue on GitHub and we’ll follow up. Alternatively, join us on the\r\nSlack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on\r\nSlack.\r\nContributors\r\nWe would like to thank the following for their contributions to this post.\r\nTeoderick Contreras\r\nMichael Haag\r\nJose Hernandez\r\nLou Stella\r\nSource: https://www.splunk.com/en_us/blog/security/detecting-malware-script-loaders-using-remcos-threat-research-release-december-2021.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/detecting-malware-script-loaders-using-remcos-threat-research-release-december-2021.html"
	],
	"report_names": [
		"detecting-malware-script-loaders-using-remcos-threat-research-release-december-2021.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434317,
	"ts_updated_at": 1775791252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8504264bd89498fded629a650167eaa2f286f6c2.pdf",
		"text": "https://archive.orkl.eu/8504264bd89498fded629a650167eaa2f286f6c2.txt",
		"img": "https://archive.orkl.eu/8504264bd89498fded629a650167eaa2f286f6c2.jpg"
	}
}