{
	"id": "b3ce9557-e738-4a22-8572-258e6be01431",
	"created_at": "2026-04-06T00:19:54.663652Z",
	"updated_at": "2026-04-10T03:30:57.263351Z",
	"deleted_at": null,
	"sha1_hash": "a4baf6d29cec1f054d68467a0f80b1fc3f040986",
	"title": "Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Two",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1245047,
	"plain_text": "Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Two\r\nBy Cyril François, Samir Bousseaden\r\nPublished: 2024-04-30 · Archived: 2026-04-05 21:46:39 UTC\r\nIn the previous article in this series on the REMCOS implant, we covered its execution, persistence, and defense evasion mechanisms. This second part covers the remaining half of its execution flow: the watchdog, the keylogging, screen and audio recording threads, and the communication with its C2.\r\nStarting watchdog\r\nIf the enable_watchdog_flag (index 0x32) is set in the configuration, REMCOS activates its watchdog feature.\r\n0x40F24F Starting watchdog feature if enabled in the configuration\r\nThe malware launches a new process, injects itself into it, and uses that second copy to monitor the main process. The watchdog restarts the main process if it is terminated, and the main process likewise restarts the watchdog if the watchdog is terminated, so killing only one of the two processes is not enough to remove the implant.\r\nConsole message indicating activation of watchdog module\r\nThe target binary for watchdog injection is selected from a hardcoded list; the first binary for which both process creation and injection succeed is used:\r\nsvchost.exe\r\nrmclient.exe\r\nfsutil.exe\r\nhttps://www.elastic.co/security-labs/dissecting-remcos-rat-part-two\r\nPage 1 of 12\n\n0x4122C5 Watchdog target process selection\r\nIn this example, the watchdog process is svchost.exe.\r\nsvchost.exe watchdog process\r\nBefore starting the watchdog process, REMCOS creates the registry value HKCU/SOFTWARE/{mutex}/WD containing the PID of the main process.\r\nThe main process PID is saved in the WD registry value\r\nOnce REMCOS is running in the watchdog process, it takes a \"special\" execution path: it checks whether the WD value exists under the malware registry key. 
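Pausing on what this branch leaves behind on the host before following it further: the watchdog produces a characteristic pair of mutexes (the configured name and the same name with -W appended, as described below), the WD and exepath values under HKCU/SOFTWARE/{mutex}, and a watchdog host process (svchost.exe, rmclient.exe or fsutil.exe) started by the implant rather than by its normal parent. The Python below is an added example and not code from the Elastic post: it correlates those three signals over a set of constructed, simplified host observations. The event records, PIDs, mutex name and paths are invented for the example and are not a real log schema; registry paths use the page's HKCU/SOFTWARE/{mutex} notation and image paths use forward slashes.

```python
# Added example (not from the Elastic post): correlate the REMCOS watchdog
# artefacts described on this page across constructed, simplified host
# observations. Registry keys use the page's HKCU/SOFTWARE/{mutex} notation
# and image paths use forward slashes; neither is a real log schema.
WATCHDOG_HOSTS = {'svchost.exe', 'rmclient.exe', 'fsutil.exe'}   # hardcoded injection targets
WATCHDOG_SUFFIX = '-W'                                            # appended to the config mutex
WATCHDOG_VALUES = {'WD', 'exepath'}                               # values written under the mutex key


def basename(path: str) -> str:
    return path.rsplit('/', 1)[-1].lower()


def find_watchdog_pairs(events: list) -> list:
    '''Mutex X held by one process and X-W held by another is the main/watchdog split.'''
    holders = {}
    for e in events:
        if e['type'] == 'mutex':
            holders.setdefault(e['name'], set()).add(e['pid'])
    pairs = []
    for name, pids in holders.items():
        wd_pids = holders.get(name + WATCHDOG_SUFFIX, set())
        if wd_pids and wd_pids != pids:
            pairs.append({'mutex': name, 'main_pids': sorted(pids), 'watchdog_pids': sorted(wd_pids)})
    return pairs


def find_registry_markers(events: list) -> list:
    '''WD (main process PID) and exepath values written under HKCU/SOFTWARE/{mutex}.'''
    found = []
    for e in events:
        if e['type'] != 'registry_set' or e['value'] not in WATCHDOG_VALUES:
            continue
        parts = e['key'].split('/')
        if len(parts) == 3 and parts[0].upper() == 'HKCU' and parts[1].upper() == 'SOFTWARE':
            found.append({'mutex': parts[2], 'value': e['value'], 'data': e['data'], 'writer_pid': e['pid']})
    return found


def find_suspicious_hosts(events: list) -> list:
    '''A watchdog host image spawned by something other than its normal parent
    (svchost.exe is normally a child of services.exe).'''
    out = []
    for e in events:
        if e['type'] != 'process_create':
            continue
        if basename(e['image']) in WATCHDOG_HOSTS and basename(e['parent_image']) != 'services.exe':
            out.append({'pid': e['pid'], 'image': basename(e['image']),
                        'parent_pid': e['parent_pid'], 'parent_image': basename(e['parent_image'])})
    return out


def assess(events: list) -> dict:
    '''Combine the signals. A mutex pair whose WD value holds one of the main
    PIDs is the strongest combination; exepath then gives the binary to collect.'''
    pairs = find_watchdog_pairs(events)
    markers = find_registry_markers(events)
    hosts = find_suspicious_hosts(events)
    confirmed = []
    for p in pairs:
        wd = [m for m in markers if m['mutex'] == p['mutex'] and m['value'] == 'WD']
        if any(int(m['data']) in p['main_pids'] for m in wd):
            exe = [m['data'] for m in markers if m['mutex'] == p['mutex'] and m['value'] == 'exepath']
            confirmed.append({'mutex': p['mutex'], 'main_pids': p['main_pids'],
                              'watchdog_pids': p['watchdog_pids'], 'exepath': exe})
    return {'pairs': pairs, 'markers': markers, 'hosts': hosts, 'confirmed': confirmed}


# Constructed sample: implant PID 4120 (mutex Rmc-EXAMPLE) injects its watchdog into svchost.exe PID 5312.
SAMPLE_EVENTS = [
    {'type': 'mutex', 'pid': 4120, 'name': 'Rmc-EXAMPLE'},
    {'type': 'registry_set', 'pid': 4120, 'key': 'HKCU/SOFTWARE/Rmc-EXAMPLE', 'value': 'exepath',
     'data': 'C:/Users/user/AppData/Roaming/example/implant.exe'},
    {'type': 'registry_set', 'pid': 4120, 'key': 'HKCU/SOFTWARE/Rmc-EXAMPLE', 'value': 'WD', 'data': '4120'},
    {'type': 'process_create', 'pid': 5312, 'parent_pid': 4120, 'image': 'C:/Windows/System32/svchost.exe',
     'parent_image': 'C:/Users/user/AppData/Roaming/example/implant.exe'},
    {'type': 'mutex', 'pid': 5312, 'name': 'Rmc-EXAMPLE-W'},
    # Benign noise: a normal svchost.exe started by services.exe, and an unrelated mutex.
    {'type': 'process_create', 'pid': 900, 'parent_pid': 700, 'image': 'C:/Windows/System32/svchost.exe',
     'parent_image': 'C:/Windows/System32/services.exe'},
    {'type': 'mutex', 'pid': 900, 'name': 'UnrelatedMutex'},
]

if __name__ == '__main__':
    print(assess(SAMPLE_EVENTS))
```

The mutex pair alone is a weak signal (any two processes could share a naming scheme), which is why assess() only reports a confirmed case when the WD value points at a PID holding the main mutex; the hosts list is there so the response can terminate both processes together, since each restarts the other. The watchdog branch itself continues as follows.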
If the WD value exists, it is deleted and the monitoring procedure is invoked.\r\n0x40EB54 Watchdog execution path when WD registry value exists\r\nIt is worth noting that the watchdog process uses a dedicated mutex so that it can be told apart from the main process. The watchdog mutex string is derived from the configuration mutex (index 0xE) with -W appended.\r\nMutex field in the configuration\r\nComparison between main process and watchdog process mutexes\r\nWhen the main process is terminated, the watchdog detects it and restarts it with the ShellExecuteW API, using the path to the malware binary stored in the HKCU/SOFTWARE/{mutex}/exepath registry value.\r\nConsole message indicating process restart by watchdog\r\nStarting recording threads\r\nKeylogging thread\r\nThe offline keylogger has two modes of operation:\r\n1. Keylog everything\r\n2. Enable keylogging only when specific windows are in the foreground\r\nWhen the keylogger_mode (index 0xF) field is set to 1 or 2 in the configuration, REMCOS activates its \"Offline Keylogger\" capability.\r\nKeylogging is accomplished using the SetWindowsHookExA API with the WH_KEYBOARD_LL constant, a low-level keyboard hook that receives every keystroke system-wide.\r\n0x40A2B8 REMCOS setting up keyboard event hook using SetWindowsHookExA\r\nThe file where the keylogging data is stored is built from the following configuration fields:\r\nkeylogger_root_directory (index 0x31)\r\nkeylogger_parent_directory (index 0x10)\r\nkeylogger_filename (index 0x11)\r\nThe keylogger file path is {keylogger_root_directory}/{keylogger_parent_directory}/{keylogger_filename}. In this case, it is %APPDATA%/keylogger.dat.\r\nKeylogging data file keylogger.dat\r\nKeylogging data content\r\nThe keylogger file can be encrypted by setting the enable_keylogger_file_encryption_flag (index 0x12) in the configuration. It is then encrypted with the RC4 algorithm using the configuration key. Because RC4 is a stream cipher, appending to the file is not a simple write: the existing content is decrypted, the new data is appended, and the whole file is re-encrypted.\r\n0x40A7FC Decrypting, appending, and re-encrypting the keylogging data file\r\nThe file can also be made super hidden (hidden and system attributes set, so Explorer does not list it even when hidden files are shown) by setting the enable_keylogger_file_hiding_flag (index 0x13) in the configuration.\r\nWhen using the second keylogging mode, the keylogger_specific_window_names (index 0x2A) field must be set with strings that are searched for in the current foreground window title every 5 seconds.\r\n0x40A109 Keylogging mode choice\r\nUpon a match, keylogging begins.
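Before going further with the foreground-window check, a note on what the RC4 handling above means for an analyst. The keylogger file and, as covered in the screen recording section, the screenshots are both RC4-encrypted with the configuration key, so anyone who has recovered that key from the sample configuration can decrypt the collected artefacts offline. The Python below is an added example, not code from the Elastic post: a plain RC4 implementation, the decrypt-append-re-encrypt sequence the malware performs on keylogger.dat, and the analyst-side recovery. The key and the keystroke entries are constructed for the example (the real key is the one extracted from the sample, and the real keylog format may differ); the decryption routine serves both the keylogger file and the screenshot files.

```python
# Added example (not from the Elastic post). Textbook RC4 plus the two operations
# this page describes around keylogger.dat: the implant's decrypt/append/re-encrypt
# update and the analyst-side decryption with a recovered configuration key.
# The key and keystroke entries below are constructed for the example.


def rc4(key: bytes, data: bytes) -> bytes:
    '''Textbook RC4. Encryption and decryption are the same XOR operation.'''
    if not key:
        raise ValueError('empty key')
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation, XOR per byte
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def append_to_encrypted_log(encrypted: bytes, new_entry: bytes, key: bytes) -> bytes:
    '''Mirror of the 0x40A7FC routine: the whole file is decrypted, the new
    keystrokes appended, and the result re-encrypted from offset zero.
    A stream cipher cannot just encrypt the tail in isolation because the
    keystream position of the appended bytes depends on the current file length.'''
    plaintext = rc4(key, encrypted) if encrypted else b''
    return rc4(key, plaintext + new_entry)


def decrypt_artifact(blob: bytes, key: bytes) -> bytes:
    '''Analyst side: keylogger.dat and RC4-encrypted screenshots are recovered
    with the same call, using the key extracted from the sample configuration.'''
    return rc4(key, blob)


def demo() -> dict:
    key = b'example-config-key'                 # constructed; use the real configuration key
    entries = [                                 # constructed keystroke entries, not the real format
        b'[Notepad] 2024/04/30 10:01 hello world[Enter]',
        b'[Google Chrome] 2024/04/30 10:02 user@example.org[Tab]hunter2[Enter]',
    ]
    on_disk = b''
    for entry in entries:                      # simulate two keylogger flushes to disk
        on_disk = append_to_encrypted_log(on_disk, entry, key)
    recovered = decrypt_artifact(on_disk, key)
    # Every artefact is encrypted under the same key, hence the same keystream:
    # XOR of two ciphertexts equals XOR of their plaintexts over the common prefix,
    # so one known artefact (or a known file header) exposes the others even
    # without the key.
    other = rc4(key, b'second artefact')
    xor_cipher = bytes(a ^ b for a, b in zip(on_disk, other))
    xor_plain = bytes(a ^ b for a, b in zip(recovered, b'second artefact'))
    return {
        'recovered': recovered,
        'ciphertext_len': len(on_disk),
        'keystream_reuse_visible': xor_cipher == xor_plain,
    }


if __name__ == '__main__':
    print(demo())
```

Note that decrypt_artifact() does not need to know whether the blob is a keylog or a screenshot; the ciphertext length equals the plaintext length, and a decrypted screenshot is recognisable by its image file header.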
Once keylogging is active, the foreground window is re-checked every second, and keylogging stops as soon as the title no longer contains one of the specified strings.\r\nMonitoring foreground window for keylogging activation\r\nScreen recording threads\r\nWhen the enable_screenshot_flag (index 0x14) is set in the configuration, REMCOS activates its screen recording capability.\r\n0x40F0B3 Starting screen recording capability when enabled in configuration\r\nTo take a screenshot, REMCOS uses the CreateCompatibleBitmap and BitBlt Windows APIs. If the enable_screenshot_mouse_drawing_flag (index 0x35) is set, the mouse cursor is also drawn on the bitmap using the GetCursorInfo, GetIconInfo, and DrawIcon APIs.\r\n0x418E76 Taking screenshot 1/2\r\n0x418E76 Taking screenshot 2/2\r\nThe path to the folder where the screenshots are stored is built from the following configuration fields:\r\nscreenshot_parent_directory (index 0x19)\r\nscreenshot_folder (index 0x1A)\r\nThe final path is {screenshot_parent_directory}/{screenshot_folder}.\r\nREMCOS uses the screenshot_interval_in_minutes (index 0x15) field to capture a screenshot every X minutes and saves it to disk with a file name built from the following format string: time_%04i%02i%02i_%02i%02i%02i (year, month, day, hour, minute, second).\r\nLocation where screenshots are saved\r\nAs with the keylogging data, when the enable_screenshot_encryption_flag (index 0x1B) is set, the screenshots are saved encrypted with the RC4 algorithm and the configuration key.\r\nOn top of that, REMCOS has a \"specific window\" feature for its screen recording similar to the one in its keylogging capability. When the enable_screenshot_specific_window_names_flag (index 0x16) is set, a second screen recording thread is started.\r\n0x40F108 Starting specific window screen recording capability when enabled in configuration\r\nThis thread uses the screenshot_specific_window_names (index 0x17) list of strings and captures a screenshot whenever the foreground window title contains one of them. Screenshots are taken every X seconds, as specified by the screenshot_specific_window_names_interval_in_seconds (index 0x18) field.\r\nIn this case, the screenshots are saved to disk using a different format string: wnd_%04i%02i%02i_%02i%02i%02i. Below is an example using [\"notepad\"] as the list of specific window names and bringing the Notepad window to the foreground.\r\nScreenshot triggered when Notepad window is in the foreground\r\nAudio recording thread\r\nWhen the enable_audio_recording_flag (index 0x23) is set, REMCOS starts its audio recording capability.\r\n0x40F159 Starting audio recording capability when enabled in configuration\r\nThe recording is performed using the Windows waveform audio (Wave*) API. The duration of each recording is specified in minutes by the audio_recording_duration_in_minutes (index 0x24) configuration field.\r\n0x401BE9 Initialization of audio recording\r\nAfter recording for X minutes, the recording file is saved and a new recording begins. REMCOS uses the following configuration fields to build the recording folder path:\r\naudio_record_parent_directory (index 0x25)\r\naudio_record_folder (index 0x26)\r\nThe final path is {audio_record_parent_directory}/{audio_record_folder}. In this case, it is C:\\MicRecords. Recordings are saved to disk using the following format: %Y-%m-%d %H.%M.wav.\r\nAudio recording folder\r\nCommunication with the C2\r\nAfter initialization, REMCOS initiates communication with its C2.
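Before walking through the connection sequence, here is the wire format the rest of this section relies on, as an added Python example that is not code from the Elastic post: every packet is a 4-byte magic (24 04 ff 00), a 4-byte little-endian data_size, a 4-byte little-endian command_id and the data fields joined by a separator, exactly the layout the command-building functions further down this section produce. The example adds the receiving side that those functions leave out: a parser for one packet and a stream decoder that reassembles packets delivered split or coalesced over TCP. The hello packet contents and the leading junk bytes are constructed for the example; only the framing constants and the 0x94 window-title command come from the page.

```python
# Added example (not from the Elastic post): framing and parsing of the REMCOS
# C2 packets described on this page, plus a stream decoder that copes with
# packets arriving split or coalesced over TCP. Every packet built below is
# constructed for the example; only the framing constants come from the page.
import struct

MAGIC = bytes([0x24, 0x04, 0xFF, 0x00])      # magic_number, 0x00FF0424 little-endian
SEPARATOR = bytes([0x1E, 0x1E, 0x1F, 0x7C])  # field separator used with the 0x94 command on this page
HEADER_LEN = 8                               # 4-byte magic + 4-byte little-endian data_size


def build_packet(command_id: int, fields: list) -> bytes:
    '''Serialize one packet: magic, data_size, command_id, then the fields joined by SEPARATOR.'''
    data = struct.pack('<I', command_id) + SEPARATOR.join(fields)
    return MAGIC + struct.pack('<I', len(data)) + data


def parse_packet(packet: bytes) -> tuple:
    '''Parse exactly one complete packet and return (command_id, [fields]).'''
    if len(packet) < HEADER_LEN or packet[:4] != MAGIC:
        raise ValueError('bad magic or truncated header')
    size = struct.unpack('<I', packet[4:8])[0]
    data = packet[HEADER_LEN:HEADER_LEN + size]
    if size < 4 or len(data) != size:
        raise ValueError('data_size %d does not match the available data' % size)
    command_id = struct.unpack('<I', data[:4])[0]
    payload = data[4:]
    return command_id, (payload.split(SEPARATOR) if payload else [])


class StreamDecoder:
    '''Turns an arbitrary sequence of TCP reads into whole packets.

    A fake C2 that treats one recv() as one packet breaks as soon as the implant
    sends two packets back to back or a large one in several segments, so
    everything here is driven by the declared data_size instead.
    '''

    def __init__(self) -> None:
        self.buffer = b''

    def feed(self, chunk: bytes) -> list:
        self.buffer += chunk
        packets = []
        while len(self.buffer) >= HEADER_LEN:
            if self.buffer[:4] != MAGIC:
                # Resynchronise on the next magic; keep a short tail in case a magic is cut in half.
                idx = self.buffer.find(MAGIC, 1)
                self.buffer = self.buffer[idx:] if idx != -1 else self.buffer[-3:]
                continue
            size = struct.unpack('<I', self.buffer[4:8])[0]
            if len(self.buffer) < HEADER_LEN + size:
                break                        # wait for the rest of this packet
            packets.append(parse_packet(self.buffer[:HEADER_LEN + size]))
            self.buffer = self.buffer[HEADER_LEN + size:]
        return packets


def demo() -> dict:
    '''Round-trips the 0x94 window-title command from this page and decodes a fragmented stream.'''
    title = 'AM_I_A_JOKE_TO_YOU?'.encode('utf-16-le')
    cmd = build_packet(0x94, [b'329064', title])     # handle as ASCII decimal, title as UTF-16-LE
    command_id, fields = parse_packet(cmd)
    # Constructed stand-in for the implant hello packet (command_id 0x4B): three arbitrary fields.
    hello = build_packet(0x4B, [b'field1', b'field2', b'field3'])
    decoder = StreamDecoder()
    decoded = []
    stream = b'junk' + hello + cmd            # leading garbage exercises resynchronisation
    for i in range(0, len(stream), 7):        # deliver in 7-byte slices
        decoded.extend(decoder.feed(stream[i:i + 7]))
    return {
        'header': cmd[:HEADER_LEN].hex(),
        'command_id': command_id,
        'handle': fields[0].decode(),
        'title': fields[1].decode('utf-16-le'),
        'decoded_ids': [p[0] for p in decoded],
        'leftover': len(decoder.buffer),
    }


if __name__ == '__main__':
    print(demo())
```

Plugging StreamDecoder.feed() in front of a listener such as the nclib server used later in this section gives a C2 emulator that can log every packet the implant sends rather than only the first read; parse_packet() deliberately refuses a data_size smaller than the 4-byte command_id so a malformed or hostile client cannot make the parser slice past the buffer.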
REMCOS attempts to connect to each entry in its c2_list (index 0x0) in turn until one responds.\r\nAccording to previous research, communication can be encrypted using TLS if enabled for a specific C2. In such cases, the TLS engine uses the tls_raw_certificate (index 0x36), tls_key (index 0x37), and tls_raw_peer_certificate (index 0x38) configuration fields to establish the TLS tunnel.\r\nIt's important to note that in this scenario only one peer certificate can be provided even when several C2 domains are TLS-enabled, so every TLS C2 of a given build must present the same server certificate. The fingerprint of that certificate is therefore a useful pivot for identifying other C2 servers belonging to the same operator.\r\nOnce connected, we received our first packet:\r\nHello packet from REMCOS\r\nAs described in depth by Fortinet, the protocol hasn't changed, and all packets follow the same structure:\r\n(orange) magic_number: \\x24\\x04\\xff\\x00 (0x00FF0424 little-endian)\r\n(red) data_size: \\x40\\x03\\x00\\x00 (0x340 = 832 bytes of data following the 8-byte header, command_id included)\r\n(green) command_id (number): \\x4b\\x00\\x00\\x00 (0x4B)\r\n(blue) data fields separated by |\\x1e\\x1e\\x1f|\r\nAfter receiving the first packet from the malware, we can send our own command using the following functions.\r\nimport nclib\r\n\r\nMAGIC = 0xFF0424\r\nSEPARATOR = b\"\\x1e\\x1e\\x1f|\"\r\n\r\ndef build_command_packet(command_id: int, command_data: bytes) -\u003e bytes:\r\n    # The command id is the first 4 bytes (little-endian) of the packet data.\r\n    return build_packet(command_id.to_bytes(4, byteorder=\"little\") + command_data)\r\n\r\ndef build_packet(data: bytes) -\u003e bytes:\r\n    # 4-byte magic, 4-byte little-endian data length, then the data itself.\r\n    packet = MAGIC.to_bytes(4, byteorder=\"little\")\r\n    packet += len(data).to_bytes(4, byteorder=\"little\")\r\n    packet += data\r\n    return packet\r\nHere we are going to change the title of a Notepad window using the command 0x94, passing as parameters its window handle (329064) and the text of our choice.\r\ndef main() -\u003e None:\r\n    # Listen on the address configured as C2 in the sample; the implant connects to us.\r\n    server_0 = nclib.TCPServer((\"192.168.204.1\", 8080))\r\n    for client in server_0:\r\n        # Hello packet from the implant (5-second receive timeout).\r\n        print(client.recv_all(5))\r\n        # Window handle as an ASCII decimal string, then the new title as UTF-16-LE.\r\n        client.send(build_command_packet(\r\n            0x94,\r\n            b\"329064\" + SEPARATOR + \"AM_I_A_JOKE_TO_YOU?\".encode(\"utf-16-le\")))\r\n\r\nif __name__ == \"__main__\":\r\n    main()\r\nREMCOS executed the command, changing the Notepad window title\r\nThat's the end of the second article. The third part will cover REMCOS' configuration and its C2 commands.\r\nSource: https://www.elastic.co/security-labs/dissecting-remcos-rat-part-two",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.elastic.co/security-labs/dissecting-remcos-rat-part-two"
	],
	"report_names": [
		"dissecting-remcos-rat-part-two"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434794,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a4baf6d29cec1f054d68467a0f80b1fc3f040986.pdf",
		"text": "https://archive.orkl.eu/a4baf6d29cec1f054d68467a0f80b1fc3f040986.txt",
		"img": "https://archive.orkl.eu/a4baf6d29cec1f054d68467a0f80b1fc3f040986.jpg"
	}
}