{
	"id": "39b9eb0c-0855-42db-ae1d-070963f2e814",
	"created_at": "2026-04-06T00:17:32.506214Z",
	"updated_at": "2026-04-10T13:12:29.675154Z",
	"deleted_at": null,
	"sha1_hash": "fdf734c6115e5106691e6685bf21f09297bc3e10",
	"title": "Distribution of Remcos RAT Disguised as Payslip",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1161359,
	"plain_text": "Distribution of Remcos RAT Disguised as Payslip\r\nBy ATCP\r\nPublished: 2023-10-25 · Archived: 2026-04-05 21:16:15 UTC\r\nAhnLab Security Emergency response Center (ASEC) has discovered circumstances of the Remcos remote\r\ncontrol malware being distributed through an email disguised as a payslip. As shown in Figure 1, the identified\r\nRemcos RAT was distributed under an email subject that read ‘This is a confirmation document for your payment\r\ntransfer’, deceiving the readers. The attached compressed cab file contains an EXE file (Remcos RAT) disguised\r\nwith a PDF file icon as shown in Figure 2.\r\nhttps://asec.ahnlab.com/en/58195/\r\nPage 1 of 6\n\nFigure 1. Phishing email\r\nhttps://asec.ahnlab.com/en/58195/\r\nPage 2 of 6\n\nFigure 2. Remcos RAT (.exe) within the attached compressed .cab file\r\n  As shown in Figure 3, Remcos RAT can not only perform keylogging, screenshot capturing, and controlling\r\nwebcams and microphones according to the threat actor’s commands, but also enable malicious remote control\r\nsuch as extracting the histories and passwords saved to web browsers within the system it is installed in. [1] As\r\nRemcos RAT is designed for remote control, it does not exhibit any malicious behaviors until commands are\r\nreceived from the threat actor’s server (C2). However, due to the behaviors of the offline keylogger which runs\r\nimmediately after infection without any command from the C2, it can be detected with sandbox devices.\r\nhttps://asec.ahnlab.com/en/58195/\r\nPage 3 of 6\n\nFigure 3. Various control features of the Remcos RAT’s remote control server (Remcos v2.6.0)\r\n  Figure 4 shows the Remcos RAT’s offline keylogger feature’s functions that run without any command from the\r\nC2. Specifically, it uses the SetWindowHookExA API and installs a hook procedure that monitors keyboard input\r\nevents through the WH_KEYBOARD_LL argument, as shown in Figure 5.\r\nFigure 4. Remcos RAT’s offline keylogger feature\r\nhttps://asec.ahnlab.com/en/58195/\r\nPage 4 of 6\n\nFigure 5. Remcos RAT’s keyboard input hooking code (SetWindowsHookExA)\r\n  [Detection by MDS] Figure 6 is the screen that shows the detection of the aforementioned Remcos RAT’s\r\noffline keylogger feature in AhnLab MDS sandbox environment. Figure 7 shows that the malicious behavior of\r\nhooking keyboard input has been detected.\r\nFigure 6. Remcos RAT malware detected using AhnLab MDS (1)\r\nFigure 7. Remcos RAT malware detected using AhnLab MDS (2)\r\nRAT malware performs key malicious behaviors through the commands of the threat actor. Thus, it is\r\ncharacteristically difficult to be aware of said infections until the threat actor’s commands are run through\r\ncommunications with the server. To prevent security incidents and enable quick response upon breach, security\r\nadministrators must not only use APT solutions such as MDS but also monitor abnormal behaviors occurring in\r\nendpoint environments with products such as EDR.  [File Detection] – Trojan/Win.Generic.R611702\r\n(2023.10.14.00) [Behavior Detection] – SystemManipulation/MDP.Hooking.M10055 –\r\nExecution/MDP.Remcos.M11099 – DefenseEvasion/MDP.AntiAnalysis.M912 \r\nhttps://asec.ahnlab.com/en/58195/\r\nPage 5 of 6\n\nMD5\r\n1e378b5dc586175e1b5e5931b8727ae3\r\nAdditional IOCs are available on AhnLab TIP.\r\nTo learn more about AhnLab MDS's sandbox-based behavioral analysis, please click the banner below.\r\nSource: https://asec.ahnlab.com/en/58195/\r\nhttps://asec.ahnlab.com/en/58195/\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/58195/"
	],
	"report_names": [
		"58195"
	],
	"threat_actors": [],
	"ts_created_at": 1775434652,
	"ts_updated_at": 1775826749,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fdf734c6115e5106691e6685bf21f09297bc3e10.pdf",
		"text": "https://archive.orkl.eu/fdf734c6115e5106691e6685bf21f09297bc3e10.txt",
		"img": "https://archive.orkl.eu/fdf734c6115e5106691e6685bf21f09297bc3e10.jpg"
	}
}