Remcos Is Pairing with PrivateLoader to Extend Its Capabilities

Published: 2024-05-14 · Archived: 2026-04-06 03:22:34 UTC

Overview

This week, the SonicWall Capture Labs threat research team investigated a sample of the Remcos RAT that uses a PrivateLoader module to provide additional data collection and persistence on the victim's machine. By installing VB scripts, altering the registry and setting up services to restart the malware at variable times or on command, this malware is able to infiltrate a system completely and remain undetected.

Infection Cycle

The sample is detected as a 32-bit PE file with no packer or protector.

Figure 1: Initial detection

When looking into the sections and API calls of the file, different tools give different reports. Detect It Easy shows API calls whose names have been cleared (to obfuscate what they do), and TLS (Thread Local Storage) callbacks, meaning that malicious code can be prepared or run before the main file has started at its entry point. PEStudio, however, shows all available API calls but no TLS functionality.
Figure 2: Every call from ws2_32.dll has been obfuscated

Figure 3: A separate tool shows all hidden calls

Once the imports are properly labeled, the file is shown to have the following capabilities:

Anti-analysis / Anti-VM
GetSystemTimeAsFileTime
GetTickCount
IsDebuggerPresent
IsProcessorFeaturePresent
QueryPerformanceCounter
QueryPerformanceFrequency

System Enumeration
CreateToolhelp32Snapshot
EnumDisplaySettingsW
EnumServicesStatusW
EnumSystemLocalesW
EnumWindows
FindFirstFileA/Ex/W
FindNextFileA/Ex/W
GetClipboardData
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStrings
GetLogicalDriveStringsA
GetLocalTime
GetLocaleInfoA/W
GetNativeSystemInfo
GetStartupInfo
GetTimeZoneInformation
GetUserDefaultLCID
GetWindowThreadProcessId
IsValidLocale
OpenClipboard
RegEnumKeyA/W
RegEnumValueA/W
SystemParametersInfoW

Monitoring
GetCursorPos
GetForegroundWindow
GetKeyState
GetKeyboardLayout
GetKeyboardState
mouse_event
ReadProcessMemory
SetWindowsHookExA
waveInAddBuffer
waveInStart

Process Injection
GetProcessId
GetModuleHandleA/Ex/W
CreateProcessA/W
Process32FirstW
Process32NextW
VirtualAlloc
VirtualFree
VirtualProtect
WriteProcessMemory

Persistence
AdjustTokenPrivileges
ControlService
GetTempFileNameW
LookupPrivilegeValueA
OpenProcess
OpenProcessToken
RegCreateKeyA/Ex/W
RegDeleteKeyA/Ex/W
RegDeleteValueA/Ex/W
RegSetValueA/Ex/W
ShellExecuteExA/W
WriteFile

Communication
InternetOpenUrlW
InternetReadFile
URLDownloadToFileW
URLOpenBlockingStreamW
inet_addr
gethostbyaddr
gethostbyname
getservbyname
connect
send
socket
recv

At runtime, if the early security checks (performed through routines in ntdll.dll) are not passed, the main portion of the executable is never reached before the process exits: no files are dropped, and nothing is injected into memory.

Figure 4: Beginning of the security check function

Once the checks are passed (VM, locale, timezone and analysis-tool enumeration), two files are dropped:

C:\Users\user\AppData\Local\Temp\install.vbs
C:\Users\user\AppData\Roaming\data\notepads.exe

notepads.exe is a copy of the parent executable, placed for persistence. The script contains the following four lines and deletes itself once executed; there is no check on whether the launch succeeded, so if the script runs before notepads.exe has been dropped it simply deletes itself.

Figure 5: install.vbs contents

The user's security access is then checked. If applicable, Windows User Account Control (UAC) is disabled with the following cmd.exe command line to allow for privileged access:

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Figure 6: UAC is disabled

Writing this HKLM value already requires administrative rights, and the change only takes effect after a restart; the resulting EnableLUA = 0 setting is nonetheless a durable host indicator worth checking during triage.

At this point, the system is enumerated fully and hooks are installed to capture keystrokes, mouse actions, audio and screen grabs.
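The installer chain described above (a .vbs launched from the user's Temp directory, an executable started from AppData\Roaming by the script host, and the reg.exe write that sets EnableLUA to 0) leaves a recognisable trail in process-creation telemetry. The following is an added example, not code from the SonicWall write-up: detection logic run over a few constructed Sysmon-style process events. The event field names (host, image, command_line, parent_image) and the parent name "sample.exe" are assumptions made for the example; the paths and the reg.exe command line follow the report.

```python
"""Added example (not code from the SonicWall write-up): detection logic for the
installer chain described above, run over a few constructed process-creation
events in a Sysmon Event ID 1 style. The event field names are a simplification
assumed for this example; the paths and the reg.exe command line follow the report.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    image: str           # full path of the started process
    command_line: str
    parent_image: str    # full path of the parent process


# reg.exe ADD ...\Policies\System /v EnableLUA ... /d 0 : the tamper shown in Figure 6.
UAC_TAMPER = re.compile(
    r"reg(\.exe)?\s+add\s+.*policies\\system.*\bEnableLUA\b.*/d\s+0\b", re.IGNORECASE)
# A .vbs launched out of the user's Temp directory (install.vbs in the report).
VBS_FROM_TEMP = re.compile(r'\\AppData\\Local\\Temp\\[^\\"]+\.vbs\b', re.IGNORECASE)
# An executable running out of AppData\Roaming (where notepads.exe is copied).
EXE_FROM_ROAMING = re.compile(r"\\AppData\\Roaming\\.*\.exe$", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (host, rule, evidence) tuples, one per matching event."""
    alerts = []
    for ev in events:
        if UAC_TAMPER.search(ev.command_line):
            alerts.append((ev.host, "uac_disabled_via_reg", ev.command_line))
        if basename(ev.image) in SCRIPT_HOSTS and VBS_FROM_TEMP.search(ev.command_line):
            alerts.append((ev.host, "vbs_launched_from_temp", ev.command_line))
        # The install.vbs -> notepads.exe hand-off: script host parent, exe child under Roaming.
        if basename(ev.parent_image) in SCRIPT_HOSTS and EXE_FROM_ROAMING.search(ev.image):
            alerts.append((ev.host, "script_spawned_exe_from_roaming", ev.image))
    return alerts


def triage(events):
    """Group alerts per host. The UAC tamper and the script-to-Roaming hand-off together
    match the installer chain, so a host showing both is escalated."""
    per_host = {}
    for host, rule, _ in detect(events):
        per_host.setdefault(host, set()).add(rule)
    chain = {"uac_disabled_via_reg", "script_spawned_exe_from_roaming"}
    return {h: {"severity": "high" if chain <= rules else "medium", "rules": sorted(rules)}
            for h, rules in per_host.items()}


# Constructed telemetry for the example; the parent "sample.exe" name is made up.
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs"',
              r"C:\Users\user\Downloads\sample.exe"),
    ProcEvent("WS01", r"C:\Users\user\AppData\Roaming\data\notepads.exe",
              r'"C:\Users\user\AppData\Roaming\data\notepads.exe"',
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent("WS01", r"C:\Windows\System32\reg.exe",
              r"C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"
              r"\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f",
              r"C:\Windows\System32\cmd.exe"),
    # Benign look-alikes: a reg.exe write to an unrelated key, and a logon script outside Temp.
    ProcEvent("WS02", r"C:\Windows\System32\reg.exe",
              r"reg.exe ADD HKCU\Software\Contoso\App /v Enabled /t REG_DWORD /d 0 /f",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("WS02", r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Scripts\logon.vbs"',
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
    print(triage(SAMPLE_EVENTS))
```

The two WS02 events are there to show what the rules do not fire on: a reg.exe write outside the Policies\System key and a .vbs that does not live in Temp. In practice the reg.exe rule should also be applied to the parent cmd.exe command line, since the report shows the write being issued through cmd /k.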
Browsers are targeted by searching the following locations for login and cookie data; the clipboard contents are pulled as well:

\AppData\Local\Google\Chrome\User Data\Default\Login Data
\AppData\Local\Google\Chrome\User Data\Default\Cookies
\AppData\Roaming\Mozilla\Firefox\Profiles\
\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
\AppData\Local\Microsoft\Edge\
\Opera Software\Opera Stable\
\User Data\Default\Network\Cookies

For Firefox, the credential store files 'logins.json' and 'key3.db' are read from the profile directory; both are also seen in the screenshot below.

Figure 7: Browser paths and storage files

Once complete, 'notepads.exe' opens a socket on the system and reaches out to two endpoints. The first is a GET request to geoplugin(dot)net/json.gp, which returns geographic information for the victim's public IP address. The second is the C2 host nuevosremcs.duckdns.org. Once a connection is made, a config file is created and sent to the server.
Here is the configuration observed during runtime:

{
  "Host:Port:Password": "nuevosremcs.duckdns.org:9090:1",
  "Assigned name": "Nuevos",
  "Connect interval": "1",
  "Install flag": "Enable",
  "Setup HKCU\Run": "Enable",
  "Setup HKLM\Run": "Enable",
  "Install path": "AppData",
  "Copy file": "notepads.exe",
  "Startup value": "system32",
  "Hide file": "Disable",
  "Mutex": "Rmc-WRNU47",
  "Keylog flag": "1",
  "Keylog path": "Application path",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "10",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5"
}

At this point the C2 has assumed control and can remotely stop or start the implant and engage further monitoring or file downloads for other functionality.

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this malware, the following signature has been released:

PrivateLoader

IOCs

Parent sample / notepads.exe: 27bb3968cc18fb0df5b14e6d1b805552
install.vbs: a7fe45cc57afb3dba91ab77483fffa0a

Mutex created:
\Sessions\1\BaseNamedObjects\Rmc-WRNU47

IP addresses:
246.82.10
237.33.50

URLs:
http://geoplugin.net/json.gp
duckdns.org

Source: https://blog.sonicwall.com/en-us/2024/05/remcos-is-pairing-with-privateloader-to-extend-its-capabilities/
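The configuration dump and the IOC list together describe exactly what an infected host should look like: a Run value named by "Startup value" pointing at the copied binary, a keylog file beside it, the named mutex, and an outbound connection to the host and port in "Host:Port:Password". The following is an added example, not the report's own tooling: it translates the configuration above into that artifact list and checks a constructed host snapshot against it, including the published MD5 hashes and the EnableLUA tamper. The snapshot layout, and the mapping of "Install path": "AppData" to the AppData\Roaming\data folder, of "Startup value" to the Run value name and of "Keylog path": "Application path" to the copied binary's folder, are assumptions made for this example and marked as such in the code.

```python
"""Added example, not the report's own tooling: derive the host and network
artifacts implied by the Remcos configuration dumped above and check a host
snapshot against them. The config values and IOC hashes come from the report;
the snapshot layout and the mapping of config keys to artifacts are assumptions
made for this example (see the comments).
"""

# Subset of the runtime configuration from the report.
REMCOS_CONFIG = {
    "Host:Port:Password": "nuevosremcs.duckdns.org:9090:1",
    "Install flag": "Enable",
    "Setup HKCU\\Run": "Enable",
    "Setup HKLM\\Run": "Enable",
    "Install path": "AppData",
    "Copy file": "notepads.exe",
    "Startup value": "system32",
    "Mutex": "Rmc-WRNU47",
    "Keylog flag": "1",
    "Keylog path": "Application path",
    "Keylog file": "logs.dat",
}

# File hashes published in the report's IOC list.
KNOWN_MD5 = {
    "27bb3968cc18fb0df5b14e6d1b805552": "Remcos parent sample / notepads.exe",
    "a7fe45cc57afb3dba91ab77483fffa0a": "install.vbs",
}

RUN_KEYS = {
    "HKCU": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
UAC_POLICY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"


def parse_c2(value):
    """'host:port:password' -> (host, port, password)."""
    host, port, password = value.rsplit(":", 2)
    return host, int(port), password


def expected_artifacts(cfg, user="user"):
    """Translate config fields into concrete paths, Run values, mutex and C2 endpoint."""
    host, port, _ = parse_c2(cfg["Host:Port:Password"])
    # Assumption: "Install path": "AppData" is the AppData\Roaming\data folder seen at runtime.
    install_dir = {"AppData": "C:\\Users\\" + user + "\\AppData\\Roaming\\data"}[cfg["Install path"]]
    exe = install_dir + "\\" + cfg["Copy file"]
    art = {"files": [exe], "run_values": [], "mutex": cfg["Mutex"], "c2": (host, port)}
    for hive in ("HKCU", "HKLM"):
        # Assumption: "Startup value" is the name of the Run value that points at the copy.
        if cfg.get("Setup " + hive + "\\Run") == "Enable":
            art["run_values"].append((RUN_KEYS[hive], cfg["Startup value"], exe))
    if cfg.get("Keylog flag") == "1" and cfg.get("Keylog path") == "Application path":
        # Assumption: "Application path" puts the keylog beside the copied binary.
        art["files"].append(install_dir + "\\" + cfg["Keylog file"])
    return art


def check_host(snapshot, art):
    """Compare a host snapshot with the derived artifacts; returns (kind, detail) hits."""
    hits = []
    by_path = {p.lower(): h for p, h in snapshot["files"].items()}   # path -> md5
    for path in art["files"]:
        if path.lower() in by_path:
            hits.append(("file", path))
    for path, md5 in snapshot["files"].items():
        if md5 in KNOWN_MD5:
            hits.append(("hash", path + " = " + KNOWN_MD5[md5]))
    for key, name, value in art["run_values"]:
        if str(snapshot["registry"].get((key, name), "")).lower() == value.lower():
            hits.append(("run_value", key + "\\" + name))
    if snapshot["registry"].get((UAC_POLICY, "EnableLUA")) == 0:
        hits.append(("uac", "EnableLUA = 0"))
    if any(m.endswith("\\" + art["mutex"]) for m in snapshot["mutexes"]):
        hits.append(("mutex", art["mutex"]))
    if art["c2"] in snapshot["connections"]:
        hits.append(("c2", "%s:%d" % art["c2"]))
    return hits


# Constructed snapshot (not data from the report) for a host that ran the installer.
SAMPLE_SNAPSHOT = {
    "files": {
        r"C:\Users\user\AppData\Roaming\data\notepads.exe": "27bb3968cc18fb0df5b14e6d1b805552",
        r"C:\Users\user\AppData\Roaming\data\logs.dat": "0" * 32,   # made-up hash
    },
    "registry": {
        (RUN_KEYS["HKCU"], "system32"): r"C:\Users\user\AppData\Roaming\data\notepads.exe",
        (UAC_POLICY, "EnableLUA"): 0,
    },
    "mutexes": [r"\Sessions\1\BaseNamedObjects\Rmc-WRNU47"],
    "connections": {("geoplugin.net", 80), ("nuevosremcs.duckdns.org", 9090)},
}

if __name__ == "__main__":
    for hit in check_host(SAMPLE_SNAPSHOT, expected_artifacts(REMCOS_CONFIG)):
        print(hit)
```

The constructed snapshot deliberately carries only the HKCU Run value even though the config enables both hives: that is the picture to expect when the implant never ran elevated, and the absence of the HKLM value is itself informative during triage. The report's IP addresses are not used here because they are incomplete as published; the duckdns.org hostname and port from the config are the usable network indicator.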