Remcos in the Shadows: A Fileless Multi-Stage Attack Dissected

Article By Zaki Pedio

Intro

This article unravels a complex multi-stage attack chain designed to deploy a fileless, in-memory-loaded version of Remcos RAT, likely originating from a phishing campaign. In this analysis we will review it's stages in the chain analyzing the steps by explaining and defeating the obfuscation and anti-analysis techniques and understanding how it achieves persistence and evasion on the compromised host.

What is Remcos RAT

Remcos is a commercial Remote Administration Tool marketed for legitimate IT and support, offering features such as keylogging, screen capture, process management, file transfer or remote shell.

However, cybercriminals abuse this toolkit to conduct malicious operations, like:

  • Exfiltration of sensitive data

  • Remote control of victim machines

  • Deployment of additional malware like infostealers, botnets, or ransomwares

Remcos Logo

Overview

The chain consists of three main stages that we know of:

  1. stage 1 HTA Downloader Likely originating from a phishing email, possibly triggered by a macro in an Office document or a similar delivery mechanism, the first stage is a heavily obfuscated file combining JavaScript, VBScript, and PowerShell. When executed, it downloads and runs the next stage: dllhost.exe.

  2. Stage 2 EXE and PowerShell Loader The downloaded dllhost.exe binary unpacks several files, launches a 32‑bit PowerShell process, and loads an embedded PowerShell script. This script decrypts and injects malicious code in memory, then performs process hollowing into a new process to prepare for the final stage: the Remcos payload.

  3. Stage 3 Remcos Inside the hollowed process the loader pulls an encrypted Remcos payload from its C&C server, decrypts it, and invokes the RAT entirely in memory. At launch, Remcos initializes with a decrypted settings block, establishes a TLS‑protected C&C channel, and awaits remote commands.

Limitations

The original servers where Remcos and its stages were hosted are unreachable (likely detected and tore down by the providers). I managed to download the stage number 1 and 2 but not the third one, so I was forced to download another sample of Remcos RAT to simulate the analysis of the full chain.

Stage 1: HTA Downloader

The first stage of the HTA file has obfuscated characters using hexadecimal escape sequences which are then deobfuscated using the now-deprecated but still functional unescape() function, maintained in JavaScript for backward compatibility.

First Stage

The payload has been obfuscated using these techniques 2 times. Now we can observe that the payload is URL-encoded with a lot of %09, which is a tab and other url-encoded characters.

First Stage First Deobfuscation

Now we just need to URL-decode it, remove the tabs and the other useless characters and beautify it. It's now clear that this hta execute VBA code.

First Stage Second Deobfuscation

This doesn’t look fine, maybe it’s better to clean it and decode the necessary chars.

First Stage ThirdDeobfuscation

The VBA script spawns a PowerShell process via the default Windows shell, leveraging the %ComSpec% environment variable, which typically points to cmd.exe. This powershell script is the final step of the first stage. This script is executed as base64-encoded, once decoded its workflow is clear:

  1. It request dllhost.exe from hxxp[:]//192[.]3[.]220[.]22/430/dllhost.exe

  2. It downloads it in $env:APPDATA\dllhost.exe

  3. It executes $env:APPDATA\dllhost.exe

First Stage Last Deobfuscation

Stage 2: EXE and PowerShell Loader

Dllhost.exe

Static analysis of Dllhost.exe using PEStudio reveals clear signs of malicious behavior. Key indicators include:

  • A Nullsoft signature, software often used to bundle and compress payloads into a single executable.

  • Untrusted certificate, the certificate chain terminates in a root certificate which is not trusted by the trust provider.

  • Missing timestamp, no signing-time found in the certificate.

  • Suspicious overlay characteristics: - File ratio: 51.64%, a large overlay can indicate embedded payloads or installers.

    • Entropy: 8.000, maximum entropy suggests heavy packing or encryption.

  • Highly suspicious API imports, commonly associated with malicious behavior:

    • File manipulation: WriteFile, MoveFileW, MoveFileExW

    • Process and token control: OpenProcessToken, AdjustTokenPrivileges, CreateProcessW

    • Registry operations: RegCreateKeyExW, RegSetValueExW, RegEnumKeyW, RegDeleteValueW, RegDeleteKeyW

    • Clipboard interaction: OpenClipboard, SetClipboardData, CloseClipboard

    • Execution: ShellExecuteExW

PEStudio Analysis

Since we already know which suspicious APIs the malware calls, the simplest approach is to set breakpoints on them using x64dbg to observe runtime behavior.

Hooked APIs

The malware creates C:\\Users\\%USER%\\AppData\\Roaming\\intercessionate\\Favourablies117\\sulfonylurea, drop the following files and set their FileTime to 29/05/2024 13:35:

  • Valvulate.Cru

  • Aerognosy.Res

  • Tribades.vir

  • Ukr.txt

  • Playlet\\brkops.ind

  • Playlet\\dumrians.und

Created Files
Created Files in explorer.exe

The final task of this executable is to run a powershell script via CreateProcessW.

CreateProcessW to execute powershell.exe

The executed script:L"\"powershell.exe\" -windowstyle hidden \"$krjning=Get-Content -Raw 'C:\\Users\\Flare\\AppData\\Roaming\\intercessionate\\Favourablies117\\sulfonylurea\\Aerognosy.Res';$Lukewarmly95=$krjning.SubString(5322,3);.$Lukewarmly95($krjning)\"" Once decoded and beautified, the command becomes:

Note: $Lukewarmly95 resolves to iEx, meaning the script ultimately executes the content of Aerognosy.Res.

Aerognosy.Res

Aerognosy.Res is a highly obfuscated and pretty sophisticated powershell script. Upon deobfuscation, we see that it defines and invokes a custom function Wornness function on the $Peppermint which will result in the string IEX, execute the same Wornness function on the Bygmestres variable and then execute its result.

Aerognosy.Res beautified

This tries to execute another well obfuscated powershell payload.

Aerognosy.Res step 2

This powershell script is very difficult to deobfuscate so we will aid to this by combining various dynamic analysis tools and anyrun. After a quick scan on any.run we gained a better understanding of the PowerShell script’s behavior. We can see that the main function of it is to just execute Vaccinerende.exe, a binary that had not been observed in previous stages.

any.run sandbox run

Analysis of Vaccinerende.exe (located at C:\Users\%USER%\AppData\Local\Temp\) reveals that it is identical to dllhost.exe, though it behaves differently at runtime.

HashMyFiles shows they are the same PE

From the analysis we can clearly see that Vaccinerende.exe does not behave like dllhost.exe, as the main goal of it is to download and execute a (probably encrypted) Remcos .bin file and executes it in memory, while setting persistence on the system via registry.

Request to download the final stage

The registry persistence is achieved by a command inserted in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, this is a powershell script (%Misbehavers% resolve as C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe) that query the HKEY_CURRENT_USER\Software\Roscoelite\Aftvttedes key and execute its content:$krjning=Get-Content -Raw 'C:\Users\Flare\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Aerognosy.Res';$Lukewarmly95=$krjning.SubString(5322,3);.$Lukewarmly95($krjning)

Which is the same powershell script also executed by dllhost.exe

AutoRun RegKey
Remcos run RegKey

My hypothesis is that the powershell script Aerognosy.Res move dllhost.exe in the user AppData\Local\Temp directory, run it, and use some sort of hollowing-like technique to execute code, its very likely that the executed code originates from the Valvulate.Cru file, which is an obfuscated PE. Then we already know that once Valvulate.Cru is decrypted and ran in the hollowed Vaccinerende.exe it's flow is: set persistence, download and execute an obfuscated .bin Remcos.

Stage 3: Remcos RAT

As mentioned in the Limitations section, this isn't the actual Remcos sample retrieved during the initial infection chain. Instead, it's a functionally equivalent variant downloaded from MalwareBazaar. Yes this sample was also obfuscated, but its deobfuscation wasn’t particularly complex or interesting, so that step won’t be covered here. We'll focus instead on configuration extraction and a few noteworthy strings found in the binary.

Configuration Dumping

To extract the configuration, the usual Remcos procedure applies:

  1. Scan the PE file's resource section.

  2. Locate the resource named "SETTINGS".

  3. Extract the raw binary data.

  4. Read the first byte — this defines the RC4 key length.

  5. Extract the RC4 key based on that length.

  6. Treat the remaining bytes as encrypted config data.

  7. Use the extracted key to decrypt the config via RC4.

  8. Decode the decrypted data using Latin-1 encoding.

This entire process can be automated using this Python script.

Remcos Configurations Dumped

Using this, we extracted the following configurations. These were identified using the excellent Remcos Configuration Table from Elastic Security Labs:

  • C2 List: 185.157.162.75:62186

  • Botnet Name: PowerPoint

  • Enable Install Flag: 1 (Install Remcos on the host)

  • Enable HKCU Run Persistence: 1 (Persistence via HKCU registry)

  • Install Filename: windowsjx.exe (Filename when installed)

  • Mutex: P1Z89AQ0B0 (Mutex/registry key identifier)

  • Keylogger Filename: logs.dat

  • Enable Screenshot Flag: 1 (Screenshot capability enabled)

  • Screenshot Folder: Screenshot

  • Enable Audio Recording: 1 (Microphone recording enabled)

  • Audio Record Folder: MicRecords

  • Install Directory: Remcos

  • Keylogger Root Directory: remcos

  • License: 941B1692F48007B51F5084C8832993AF (License serial key)

  • TLS Raw Certificate: (Binary certificate data after 00¦ ?l­;Ù-'J¾pRG...)

  • TLS Key: (Binary key data in the middle section)

  • TLS Raw Peer Certificate: (Binary peer certificate data at the end)

Interesting Strings

This isn’t a full binary deep dive just a rundown of noteworthy strings found in the sample and the suspected functionality they point to. If you're interested in reversing the relevant functions, the hash and MalwareBazaar link are available.

mscfile\\shell\\open\\command

UAC Bypass Technique

mscfile\\shell\\open\\command and eventvwr.exe? This string (alongside eventvwr.exe) appears to be part of a UAC bypass technique via eventvwr.msc, as detailed in this Fortinet blog post.

SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion

Machine Informations

Very likely to identify the machine info on the first connect-back. An example of ProductName and CurrentBuildNumber are: Windows 10 Pro, 19045

ZipFiles/UnzipFiles

ZipFiles/UnzipFiles

Not sure, but likely related to compress and exfiltrate. The presence of both terms suggests the RAT can archive local data or unpack received payloads.

Browsers

Browser Tampering

Others similar strings i found are:

  • \AppData\Local\Google\Chrome\User Data\Default\Login Data

  • \AppData\Local\Google\Chrome\User Data\Default\Cookies

  • \AppData\Roaming\Mozilla\Firefox\Profiles\

  • Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

I'm not sure about this, at first i thought about commands to exfiltrate cookies or credentials from browsers, that a very strange thing to do as a legit Remote Admin toolkit, but checking the strings it dosen't actually seems to steal them. My 2 main theories about that are:

  1. It actually dosen't steal anything

  2. It's a separate plugin, this explain the malicious nature of it

Remcos Banner

Remcos Banner

This string is part of the console banner displayed at runtime. It includes:

  • Version: 3.6.0 Pro

  • Vendor: BreakingSecurity.net

It’s shown via CONOUT$, confirming that the binary was compiled with UI output in mind.

Dinkumware Standard C++ Library

Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.

After searching it i found out that probably it refers to the Dinkumware Standard C++ Library, which is the "implementation of the C++ Standard Library that C++Builder uses for applications on the 32-bit Windows, 64-bit Windows and macOS target platforms."

Padding

One very interesting string i found is the PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD string, which is probably used for padding encrypted blocks or preventing alignment issues in memory.

Conclusion

This was my first attempt at comprehensively analyzing an end-to-end infection chain resulting in the deployment of Remcos RAT from the initial lure to final payload execution.

While not every part of the chain was highly sophisticated, the overall flow demonstrated several classic and effective techniques, including:

  • Macro-based initial payload delivery

  • Multi-stage droppers with obfuscation

  • Final stage deployment of a fully featured Remcos instance

Despite using a different Remcos sample from MalwareBazaar for the final stage, the extracted configuration, interesting strings, and behavioral indicators closely matched the functionality expected from known Remcos variants. Features like persistence via registry keys, keylogging, screenshotting, and potential credential access demonstrate how this tool blurs the line between legitimate remote administration and outright malware.

IOCS

Executables stage1.hta:F99757C98007DA241258AE12EC0FD5083F0475A993CA6309811263AAD17D4661 dllhost.exe:9124d7696d2b94e7959933c3f7a8f68e61a5ce29cd5934a4d0379c2193b126be Remcos RAT:8f47dbd8189dbe96bda7511f2a37277ee9fab8a763619d120c0fe49d953124b7

Servers Second stage:hxxp[:]//192[.]3[.]220[.]22/430/dllhost.exe Remcos:hxxp[:]//192[.]3[.]220[.]22/hFXELFSwRHRwqbE214.bin

PreviousLockBit 3.0: Ransomware as... a Service?NextCommand & Control

Last updated

Was this helpful?