{
	"id": "4e65e36a-0602-4264-95e4-656263c1e510",
	"created_at": "2026-04-06T01:31:50.543101Z",
	"updated_at": "2026-04-10T03:21:58.724414Z",
	"deleted_at": null,
	"sha1_hash": "9c0dc0e459b6da1f59fa45f621adc24d1e939170",
	"title": "malware-analysis-writeups/Remcos/Remcos.md at main · itaymigdal/malware-analysis-writeups",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2394483,
	"plain_text": "malware-analysis-writeups/Remcos/Remcos.md at main ·\r\nitaymigdal/malware-analysis-writeups\r\nBy itaymigdal\r\nArchived: 2026-04-06 01:18:16 UTC\r\nMalware Name: Remcos\r\nFile Type: x32 exe (.NET)\r\nSHA256: 5eb996275b36c1e8c1d3daa71e6469507a29401c77f2b1fd91e4d354ccde9860\r\nAnalysis process\r\nThis writeup starts with a suspicious executable that was sent via mail.\r\nWe can see that most of the PE is packed (entropy ~ 8 -\u003e high entropy indicates encrypted / compressed data):\r\nhttps://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/Remcos.md\r\nPage 1 of 10\n\nThe PE is .NET, so we'll check it out in dnSpy:\r\nAs usual, we'll watch it under Procmon. This is the interesting process tree:\r\nWe can see that:\r\n- The file creates a scheduled task for persistence\r\n- The file writes a vbs script to \\AppData\\Local\\Temp\\ and runs it\r\n- The vbs script copies the malware to \\AppData\\Roaming\\remcos\\ (Nice spoiler, thank you malware author 😘), and executes it from there.\r\nThe script content:\r\nAs we can see, after the copy \u0026 execute, the vbs script deletes itself (and is written back on the next execution).\r\nIn this analysis I took the \"quick and dirty\" approach: in order to unpack the file, I let it run for about a minute or two, and then dumped it using PE-sieve (I added the /data argument, because this is a .NET executable):\r\nAnd voilà:\r\nWe've got our unpacked version with a nice icon:\r\nAnd it isn't packed:\r\nThe file is a native PE file (i.e. written in C\\C++, unlike the loader, which was written in .NET), and it imports a lot of interesting libraries:\r\nObserving the strings, we find very interesting things:\r\nIndeed, the malware is Remcos PRO 2.7.2:\r\nKeylogger capabilities:\r\nBrowser-stealing capabilities:\r\nExfiltration and infiltration capabilities:\r\nThe malware contains a SETTINGS resource which looks encrypted:\r\nSo we will try to watch it decrypted in memory. Here we can see the file loading it:\r\nAnd after some math we see the settings in clear text:\r\nC2 server: 185.244.26.209\r\nWe can see some more juicy stuff, like the mutex string, execution path, logs path and encryption keys.\r\nAfter some Googling about Remcos, it seems like it is totally legal software which has a very detailed site. This is how the panel looks from the attacker's side:\r\nA lot of nice and evil capabilities 😏.\r\nBonus\r\nAfter watching this, I learned how Remcos encrypts its config, so I wrote a little script that takes a Remcos encrypted SETTINGS file and decrypts it:\r\nfrom os import path\r\nfrom sys import argv, exit\r\nfrom Crypto.Cipher import ARC4\r\nfrom string import printable\r\nimport colorama\r\n\r\n\r\ndef print_help():\r\n    print(\"[-] Usage: {} \u003csettings-file\u003e\".format(argv[0]))\r\n    exit(1)\r\n\r\n\r\ndef hexdump(src, length=16, sep='.'):\r\n    # map every byte to itself if it is printable ASCII, otherwise to sep\r\n    FILTER = ''.join([(len(repr(chr(x))) == 3) and chr(x) or sep for x in range(256)])\r\n    lines = []\r\n    for c in range(0, len(src), length):\r\n        chars = src[c: c + length]\r\n        hex_ = ' '.join(['{:02x}'.format(x) for x in chars])\r\n        if len(hex_) \u003e 24:\r\n            hex_ = '{} {}'.format(hex_[:24], hex_[24:])\r\n        ascii_ = ''.join(['{}'.format((x \u003c= 127 and FILTER[x]) or sep) for x in chars])\r\n        lines.append('{0:08x} {1:{2}s} |{3:{4}s}|'.format(c, hex_, length * 3, ascii_, length))\r\n    return '\\n'.join(lines)\r\n\r\n\r\ndef main():\r\n    if len(argv) != 2 or not (path.isfile(argv[1])):\r\n        print_help()\r\n    with open(argv[1], \"rb\") as settings_file:\r\n        settings_data = settings_file.read()\r\n    # first byte in settings = key length\r\n    key_length = settings_data[0]\r\n    # then the key\r\n    key = settings_data[1:key_length + 1]\r\n    # then the encrypted data\r\n    encrypted_data = settings_data[(key_length + 1):]\r\n    # create rc4 object and decrypt\r\n    rc4 = ARC4.new(key)\r\n    decrypted = rc4.decrypt(encrypted_data)\r\n    colorama.init(autoreset=True)\r\n    # print hexdump\r\n    print(colorama.Fore.LIGHTGREEN_EX + \"\\n###### Hexdump ######\\n\")\r\n    print(hexdump(decrypted))\r\n    print(\"\\n\")\r\n    # print values in settings (fields are separated by '|')\r\n    print(colorama.Fore.LIGHTGREEN_EX + \"###### Values ######\\n\")\r\n    printable_data = \"\"\r\n    for byte in bytearray(decrypted):\r\n        if chr(byte) in printable:\r\n            printable_data += chr(byte)\r\n    split_data = printable_data.split(\"|\")\r\n    for value in split_data:\r\n        if len(value) \u003e 0:\r\n            print(\"[#] {}\".format(value))\r\n    print(\"\\n\")\r\n\r\n\r\nif __name__ == \"__main__\":\r\n    main()\r\nSource: https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/Remcos.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/Remcos.md"
	],
	"report_names": [
		"Remcos.md"
	],
	"threat_actors": [],
	"ts_created_at": 1775439110,
	"ts_updated_at": 1775791318,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9c0dc0e459b6da1f59fa45f621adc24d1e939170.pdf",
		"text": "https://archive.orkl.eu/9c0dc0e459b6da1f59fa45f621adc24d1e939170.txt",
		"img": "https://archive.orkl.eu/9c0dc0e459b6da1f59fa45f621adc24d1e939170.jpg"
	}
}