{
	"id": "b1c8656e-7222-4cd6-8be2-dfa4187e5cef",
	"created_at": "2026-04-06T00:17:33.921981Z",
	"updated_at": "2026-04-10T13:12:17.913658Z",
	"deleted_at": null,
	"sha1_hash": "ba3efeb4672a61efd19b9c0919cd10504c812088",
	"title": "Remcos RAT Distributed as UUEncoding (UUE) File",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1189232,
	"plain_text": "Remcos RAT Distributed as UUEncoding (UUE) File\r\nBy ATCP\r\nPublished: 2024-05-23 · Archived: 2026-04-05 23:43:10 UTC\r\nAhnLab SEcurity intelligence Center (ASEC) recently discovered that Remcos RAT is being distributed via\r\nUUEncoding (UUE) files compressed using Power Archiver.\r\nThe image below shows a phishing email distributing the Remcos RAT downloader. Recipients must be vigilant as\r\nphishing emails are disguised as emails about importing/exporting shipments or quotations.\r\nhttps://asec.ahnlab.com/en/66463/\r\nPage 1 of 7\n\n1. UUE\r\nThe threat actor distributes a VBS script encoded using the UUE method through an attachment. The UUE\r\nmethod, short for Unix-to-Unix Encoding, is a method used to exchange data between Unix systems by encoding\r\nthe binary data in the ASCII text format.\r\nA UUE file consists of a header (begin), an encoded data, and an end, and the threat actor appears to have tried\r\nbypassing detection via UUE. Upon decoding the file, an obfuscated VBS script can be found (see Figure 3).\r\nhttps://asec.ahnlab.com/en/66463/\r\nPage 2 of 7\n\n2. Downloader\r\nThe VBS script saves the PowerShell script into the %Temp% directory as Talehmmedes.txt and runs it. The\r\nexecuted script accesses hxxp://194.59.30[.]90/Isocarbostyril.u32 to download Haartoppens.Eft into the\r\n%AppData% directory and run an additional PowerShell script.\r\nhttps://asec.ahnlab.com/en/66463/\r\nPage 3 of 7\n\nThe executed additional PowerShell script is also obfuscated to prevent others from analyzing it, and its main\r\nfeature is loading a shell code in the wab.exe process.\r\nThe shellcode adds a registry to maintain persistence and accesses\r\nhxxp://194.59.30[.]90/mtzDpHLetMLypaaA173.bin to load additional data. Ultimately, Remcos RAT is executed.\r\nhttps://asec.ahnlab.com/en/66463/\r\nPage 4 of 7\n\n3. Remcos RAT\r\nThe malware collects system information through hxxp://geoplugin[.]net/json.gp. 
Remcos then saves the captured keystrokes as mifvghs.dat in the %AppData% directory and sends the data to the C\u0026C server.\r\n[C\u0026C Servers]\r\nfrabyst44habvous1.duckdns[.]org:2980:0\r\nfrabyst44habvous1.duckdns[.]org:2981:1\r\nfrabyst44habvous2.duckdns[.]org:2980:0\r\nUsers should refrain from opening emails from unknown sources and should not run or enable macros when opening downloaded attachments. If the security level of the document program is set to low, macros may run automatically without any notification, so users should keep the security level high to prevent unintended features from running. Note that the UUE-encoded VBS script described above is not an Office macro, so macro settings alone do not stop it; blocking or quarantining script attachments and UUE-encoded files at the mail gateway is the relevant control.\r\nWe also recommend updating the anti-malware engine pattern to its latest version.\r\nAhnLab’s anti-malware product, V3, detects and blocks the malicious files introduced in this post using the aliases below.\r\n[File Detection]\r\nDownloader/VBS.Agent (2024.05.17.01)\r\nData/BIN.Encoded (2024.05.24.00)\r\nMD5\r\n7e6ca4b3c4d1158f5e92f55fa9742601\r\nb066e5f4a0f2809924becfffa62ddd3b\r\neaec85388bfaa2cffbfeae5a497124f0\r\nfd14369743f0ccd3feaacca94d29a2b1\r\nAdditional IOCs and detailed analysis are available to AhnLab TIP subscribers.\r\nSource: https://asec.ahnlab.com/en/66463/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/66463/"
	],
	"report_names": [
		"66463"
	],
	"threat_actors": [],
	"ts_created_at": 1775434653,
	"ts_updated_at": 1775826737,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ba3efeb4672a61efd19b9c0919cd10504c812088.pdf",
		"text": "https://archive.orkl.eu/ba3efeb4672a61efd19b9c0919cd10504c812088.txt",
		"img": "https://archive.orkl.eu/ba3efeb4672a61efd19b9c0919cd10504c812088.jpg"
	}
}