{
	"id": "0cab0f82-5196-4050-96fa-b7d9b4e1149b",
	"created_at": "2026-04-06T00:21:01.104913Z",
	"updated_at": "2026-04-10T03:21:04.286094Z",
	"deleted_at": null,
	"sha1_hash": "9ba783a94daa38c698da0e67e8b856bc4e3d8968",
	"title": "Remcos RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 614712,
	"plain_text": "Remcos RAT\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 19:45:53 UTC\r\nAdversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.\r\nWe have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.\r\nOur Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.\r\nIn TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.\r\nHere’s the latest from our TRU Team…\r\nWhat did we find?\r\nRemcos (Remote Control \u0026 Surveillance Software) was identified in a customer environment in the legal services industry.\r\nRemcos is a malicious remote access tool (RAT) marketed as a legitimate remote administration tool which can be purchased for between €58-399.\r\nThe tool can be used to control the system, capture keystrokes, webcam images, screen captures, and passwords (among other capabilities).\r\nVersion 3.3.2 Pro was identified in this incident.\r\nThe infection vector for Remcos was a password-protected, macro-enabled Excel file named “remittance advice.xlsm”.\r\nOnce opened, PowerShell is executed to retrieve a remote script (edi.vbs/firewall.vbs) from hxxp://lbl[.]support.\r\nThe script fetches additional components, enables persistence via a registry Run key and ultimately executes Remcos within a legitimate Windows process.\r\nhttps://www.esentire.com/blog/remcos-rat\r\nPage 1 of 6\r\nFigure 1 Online purchasing form for Remcos\r\nFigure 2 Process tree showing execution stages\r\nHow did we find it?\r\nBlueSteel, our machine-learning powered PowerShell classifier, identified PowerShell commands executed by Remcos RAT.\r\nMDR for Endpoint identified secondary execution phases.\r\nWhat did we do?\r\nOur team of 24/7 SOC Cyber Analysts isolated the host and worked with the customer to remediate.\r\nWhat can you learn from this TRU positive?\r\nRemcos provides an attacker with nearly full control of the compromised system, so rapid identification and removal is critical.\r\nRemcos stores captured information in the following files and folders:\r\n%APPDATA%\\rem\\logs.dat (captured keystrokes)\r\n%APPDATA%\\Screenshots\r\n%APPDATA%\\MicRecords\r\nUnfortunately, antivirus detection for the macro-enabled Excel document is minimal, since password-protected documents can be used to evade link and attachment inspection.\r\nAs of January 18th, 2022, only two vendors have identified it on VirusTotal.\r\nRecommendations from our Threat Response Unit (TRU) Team:\r\nEmploy email filtering and protection measures.\r\nBlock or quarantine email attachments such as EXEs, password-protected ZIPs, JavaScript, and Visual Basic scripts.\r\nImplement anti-spoofing measures such as DMARC and SPF.\r\nEmploy an MFA solution to reduce the impact of compromised credentials.\r\nTrain users to identify and report suspicious emails.\r\nProtect endpoints against malware.\r\nEnsure antivirus signatures are up-to-date.\r\nUse a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) product to detect and contain threats.\r\nLimit or disable macros across the organization. See UK's National Cyber Centre guidance on Macro Security.\r\nAsk Yourself…\r\nCan my team prevent emails containing encrypted malicious documents from reaching users?\r\nDoes my team have endpoint monitoring in place to identify malicious documents which bypass email controls?\r\nIndicators of Compromise\r\nType | Value | Note\r\nFile (SHA256) | 50f2ff7d96392fcfe6ed57a1ff71ae9c87a1346ff3694173a255b67e9ff8a208 | firewall.vbs\r\nFile (SHA256) | abf8ada022fce92c24e0aead4f1b1ae8991002130bbbc4335f3381972683b400 | Remittance Advice.xlsm\r\nDomain | eter101[.]dvrlists[.]com | Remcos C2\r\nDomain | eter103[.]dvrlists[.]com | Remcos C2\r\nDomain | lbl[.]support | Hosts firewall.vbs and other components used during execution\r\nIf you’re not currently engaged with a Managed Detection and Response provider, we highly recommend you partner with us for security services in order to disrupt threats before they impact your business.\r\nWant to learn more? Connect with an eSentire Security Specialist\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next Level MDR, connect with an eSentire Security Specialist now.\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.\r\nTake Your Cybersecurity Program to the Next Level with eSentire MDR.\r\nSource: https://www.esentire.com/blog/remcos-rat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.esentire.com/blog/remcos-rat"
	],
	"report_names": [
		"remcos-rat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434861,
	"ts_updated_at": 1775791264,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9ba783a94daa38c698da0e67e8b856bc4e3d8968.pdf",
		"text": "https://archive.orkl.eu/9ba783a94daa38c698da0e67e8b856bc4e3d8968.txt",
		"img": "https://archive.orkl.eu/9ba783a94daa38c698da0e67e8b856bc4e3d8968.jpg"
	}
}