{
	"id": "dd521242-e740-44bf-ad95-3617d260e373",
	"created_at": "2026-04-06T03:35:34.095498Z",
	"updated_at": "2026-04-10T03:20:47.045648Z",
	"deleted_at": null,
	"sha1_hash": "dd0ed419f394a06e0b0f601f4f166faf357d35dc",
	"title": "Remcos Is Pairing with PrivateLoader to Extend Its Capabilities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 222555,
	"plain_text": "Remcos Is Pairing with PrivateLoader to Extend Its Capabilities\r\nPublished: 2024-05-14 · Archived: 2026-04-06 03:22:34 UTC\r\nOverview\r\nThis week, the SonicWall Capture Labs threat research team investigated a sample of RemcosRAT that uses a PrivateLoader module to provide additional data and persistence on the victim’s machine. By installing VB scripts, altering the registry and setting up services to restart the malware at variable times or on command, this malware is able to infiltrate a system completely and remain undetected.\r\nInfection Cycle\r\nThe sample is detected as a 32-bit PE file with no packer or protector.\r\nFigure 1: Initial detection\r\nWhen looking into the sections and API calls of the file, different tools give different reports. Detect It Easy shows API calls that have been cleared (to obfuscate what they are doing) and TLS (Thread Local Storage) functionality, meaning that malicious code can be prepared or run before the main file has started at its entry point. PEStudio, however, shows all available API calls but no TLS functionality.\r\nhttps://blog.sonicwall.com/en-us/2024/05/remcos-is-pairing-with-privateloader-to-extend-its-capabilities/\r\nPage 1 of 10\r\nFigure 2: Every call from ws2_32.dll has been obfuscated\r\nFigure 3: A separate tool shows all hidden calls\r\nOnce functions are properly labeled, the file is shown to have the following capabilities:\r\nAnti-analysis/Anti-VM\r\nGetSystemTimeAsFileTime\r\nGetTickCount\r\nIsDebuggerPresent\r\nIsProcessorFeaturePresent\r\nQueryPerformanceCounter\r\nQueryPerformanceFrequency\r\nSystem Enumeration\r\nCreateToolhelp32Snapshot\r\nEnumDisplaySettingsW\r\nEnumServicesStatusW\r\nEnumSystemLocalesW\r\nEnumWindows\r\nFindFirstFileA/Ex/W\r\nFindNextFileA/Ex/W\r\nGetClipboardData\r\nGetCurrentProcessId\r\nGetCurrentThreadId\r\nGetEnvironmentStrings\r\nGetLogicalDriveStringsA\r\nGetLocalTime\r\nGetLocaleInfoA/W\r\nGetNativeSystemInfo\r\nGetStartupInfo\r\nGetTimeZoneInformation\r\nGetUserDefaultLCID\r\nGetWindowThreadProcessId\r\nIsLocaleValid\r\nOpenClipboard\r\nRegEnumKeyA/W\r\nRegEnumValueA/W\r\nSystemParametersInfoW\r\nMonitoring\r\nGetCursorPos\r\nGetForegroundWindow\r\nGetKeyState\r\nGetKeyboardLayout\r\nGetKeyboardState\r\nMouse_event\r\nReadProcessMemory\r\nSetWindowsHookExA\r\nwaveInAddBuffer\r\nwaveInStart\r\nProcess Injection\r\nGetProcessId\r\nGetModuleHandleA/Ex/W\r\nCreateProcessA/W\r\nProcess32FirstW\r\nProcessNextW\r\nVirtualAlloc\r\nVirtualFree\r\nVirtualProtect\r\nWriteProcessMemory\r\nPersistence\r\nAdjustTokenPrivilege\r\nControlService\r\nGetTempFileNameW\r\nLookupPrivilegeValueA\r\nOpenProcess\r\nOpenProcessToken\r\nRegCreateKeyA/Ex/W\r\nRegDeleteKeyA/Ex/W\r\nRegDeleteValueA/Ex/W\r\nRegSetValueA/Ex/W\r\nShellExecuteExA/W\r\nWriteFile\r\nCommunication\r\nInternetOpenUrlW\r\nInternetReadFile\r\nURLDownloadToFileW\r\nURLOpenBlockingStreamW\r\nInet_addr\r\nGethostbyaddr\r\nGethostbyvalue\r\ngetservbyvalue\r\nConnect\r\nSend\r\nsocket\r\nRecv\r\nRuntime analysis shows that if the initial security checks, carried out through modules within ntdll.dll, are not passed, the main portion of the executable is never reached before the process exits. No files are dropped, and nothing is injected into memory.\r\nFigure 4: Beginning of the security check function\r\nOnce the security checks, which consist of VM, locale, time zone and analysis-tool enumeration, have been passed, two files are dropped:\r\nC:\\Users\\user\\AppData\\Local\\Temp\\install.vbs\r\nC:\\Users\\user\\AppData\\Roaming\\data\\notepads.exe\r\nNotepads.exe is a copy of the parent executable placed for persistence. The script contains the following four lines and deletes itself once executed – there is no check on whether or not this action is successful. The script will simply delete itself if it is run before ‘notepads.exe’ has been dropped.\r\nFigure 5: Install.vbs contents\r\nUser security access is then checked. If applicable, Windows User Account Control (UAC) is disabled with the following command to allow for privileged access:\r\n/k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f\r\nFigure 6: UAC is disabled\r\nAt this point, the system is fully enumerated and hooks are installed to capture keystrokes, mouse actions, audio and screen grabs. Clipboard data is pulled, and browsers are targeted by searching the following locations for login and cookie data:\r\n\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data\r\n\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies\r\n\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\\r\n\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\r\n\\AppData\\Local\\Microsoft\\Edge\\\r\n\\Opera Software\\Opera Stable\\\r\n\\User Data\\Default\\Network\\Cookies\r\nThis information is stored in ‘logins.json’ and ‘key3.db’, also seen in the screenshot below.\r\nFigure 7: Browser paths and storage files\r\nOnce complete, ‘notepads.exe’ opens a socket on the system and reaches out to two URLs. The first is a GET request to geoplugin(dot)net/json.gp, which returns geographic information pertaining to the victim’s IP address. The second is to nuevosremcs.duckdns.org. Once a connection is made, a config file is created and sent to the server. Here is the configuration observed during runtime:\r\n{\r\n\"Host:Port:Password\": \"nuevosremcs.duckdns.org:9090:1\",\r\n\"Assigned name\": \"Nuevos\",\r\n\"Connect interval\": \"1\",\r\n\"Install flag\": \"Enable\",\r\n\"Setup HKCU\\Run\": \"Enable\",\r\n\"Setup HKLM\\Run\": \"Enable\",\r\n\"Install path\": \"AppData\",\r\n\"Copy file\": \"notepads.exe\",\r\n\"Startup value\": \"system32\",\r\n\"Hide file\": \"Disable\",\r\n\"Mutex\": \"Rmc-WRNU47\",\r\n\"Keylog flag\": \"1\",\r\n\"Keylog path\": \"Application path\",\r\n\"Keylog file\": \"logs.dat\",\r\n\"Keylog crypt\": \"Disable\",\r\n\"Hide keylog file\": \"Disable\",\r\n\"Screenshot flag\": \"Disable\",\r\n\"Screenshot time\": \"10\",\r\n\"Take Screenshot option\": \"Disable\",\r\n\"Take screenshot title\": \"\",\r\n\"Take screenshot time\": \"5\",\r\n\"Screenshot path\": \"AppData\",\r\n\"Screenshot file\": \"Screenshots\",\r\n\"Screenshot crypt\": \"Disable\",\r\n\"Mouse option\": \"Disable\",\r\n\"Delete file\": \"Disable\",\r\n\"Audio record time\": \"5\"\r\n}\r\nAt this point the C2 has assumed control and can remotely stop, start and engage further monitoring, or download files for other functionality.\r\nSonicWall Protections\r\nTo ensure SonicWall customers are prepared for any exploitation that may occur due to this malware, the following signatures have been released:\r\nPrivateLoader\r\nIOCs\r\nParent sample / Notepads.exe: 27bb3968cc18fb0df5b14e6d1b805552\r\nInstall.vbs: a7fe45cc57afb3dba91ab77483fffa0a\r\nMutex Created\r\n\\Sessions\\1\\BaseNamedObjects\\Rmc-WRNU47\r\nIP Addresses\r\n246.82.10\r\n237.33.50\r\nURLs\r\nhttp://geoplugin.net/json.gp\r\nduckdns.org\r\nSource: https://blog.sonicwall.com/en-us/2024/05/remcos-is-pairing-with-privateloader-to-extend-its-capabilities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.sonicwall.com/en-us/2024/05/remcos-is-pairing-with-privateloader-to-extend-its-capabilities/"
	],
	"report_names": [
		"remcos-is-pairing-with-privateloader-to-extend-its-capabilities"
	],
	"threat_actors": [],
	"ts_created_at": 1775446534,
	"ts_updated_at": 1775791247,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dd0ed419f394a06e0b0f601f4f166faf357d35dc.pdf",
		"text": "https://archive.orkl.eu/dd0ed419f394a06e0b0f601f4f166faf357d35dc.txt",
		"img": "https://archive.orkl.eu/dd0ed419f394a06e0b0f601f4f166faf357d35dc.jpg"
	}
}