{
	"id": "c48d0b21-aa4c-4fc3-b904-2989a06dc185",
	"created_at": "2026-04-06T01:29:37.9769Z",
	"updated_at": "2026-04-10T13:13:02.68977Z",
	"deleted_at": null,
	"sha1_hash": "b986c0cf65b29767fbbab62a7f0306f77b63c8fa",
	"title": "Malware Analysis — Remcos RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3935216,
	"plain_text": "Malware Analysis — Remcos RAT\r\nBy 0xMrMagnezi\r\nPublished: 2024-02-20 · Archived: 2026-04-06 00:12:53 UTC\r\nFeb 19, 2024\r\nRemcos RAT is a sophisticated type of malware called a remote access trojan (RAT). It evades antivirus detection and gives cybercriminals remote access to and control over infected systems. Typically, it is used for stealing information, installing more malware, or enrolling the infected system in a botnet.\r\nhttps://medium.com/@b.magnezi/malware-analysis-ramcos-rat-48fd986328f5\r\nPage 1 of 6\r\nMalwareBazaar sample\r\nStage 1:\r\nAs usual, I downloaded the file and extracted it using the password “infected”.\r\nOriginal CMD file\r\nAfter extracting the file and examining its contents, I noticed it consisted of two large chunks of code, along with sets and loops. The code was lengthy and heavily obfuscated. To better understand its behavior, I ran it and monitored for any new processes launched by the original file.\r\nPowerShell was being executed under the original file\r\nStage 2:\r\nObfuscated PowerShell\r\nThis PowerShell code was much easier to deobfuscate: it used simple string replacements to build a list of words and then assembled the hidden PowerShell code from those words.\r\nDeobfuscated PS — Highlighting the AES Decryption and Decompress\r\nAfter renaming the variables and deobfuscating the script, it was clear to me why the original file was impossible to understand and deobfuscate directly: its payload was encrypted and compressed. The above code gave me everything I needed to decrypt the original file, namely the AES key and IV.\r\nCyberChef — Extracting EXE from the original file\r\nFirst, I converted the payload from Base64 to hex and then decrypted it using AES with the key and IV found in the previous part. Finally, I decompressed the output using Gunzip. Essentially, I followed the same decoding steps the script itself was written to perform. I knew I was on the right path as soon as I saw the MZ header, the signature at the start of a Windows executable (EXE) file. There were actually two chunks of code, indicating two files inside, as shown in the next picture.\r\nUsing DIE, I determined the language in which those files were written (.NET)\r\nI chose to debug those files in dnSpy because they were written in .NET. Once I opened them, it was clear what the program was trying to do. The attacker had not obfuscated this final sample. As shown in the next picture, I was able to see the exact names of the functions and what they were supposed to do.\r\nDisable Defender Function\r\nPersistence Function\r\nFinding the file that is being used as persistence\r\nIt is important to note that the file saved in the startup path is the original CMD file that was analyzed. Moreover, while analyzing this sample, I monitored network connections and discovered additional IOCs.\r\nIOCs:\r\nlods.cmd — 194118c43c65faad06bf5ff6cd9b52a2\r\nIxsqpAscrubb.exe — 3ca5a8e1e0217d89b4926ca68e5f41c8\r\nMAEmka.tmp(exe) — e60e82df05c02ec173655dd9c41dd829\r\nDomain — api[.]ipify[.]org\r\nDomain — ads[.]hostloads[.]xyz\r\nIn conclusion, the analysis of Remcos RAT highlights the sophisticated techniques used by cybercriminals to evade detection and gain remote access to infected systems. The malware’s multi-stage approach, from obfuscated CMD and PowerShell scripts to encrypted and compressed payloads, showcases the complexity of modern malware threats.\r\nSource: https://medium.com/@b.magnezi/malware-analysis-ramcos-rat-48fd986328f5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@b.magnezi/malware-analysis-ramcos-rat-48fd986328f5"
	],
	"report_names": [
		"malware-analysis-ramcos-rat-48fd986328f5"
	],
	"threat_actors": [],
	"ts_created_at": 1775438977,
	"ts_updated_at": 1775826782,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b986c0cf65b29767fbbab62a7f0306f77b63c8fa.pdf",
		"text": "https://archive.orkl.eu/b986c0cf65b29767fbbab62a7f0306f77b63c8fa.txt",
		"img": "https://archive.orkl.eu/b986c0cf65b29767fbbab62a7f0306f77b63c8fa.jpg"
	}
}