type: analysis | family: remcos | confidence: high | created: 2026-06-03 | updated: 2026-06-03 | tags: rat, malware-family, pe, c2, persistence, defense-evasion, discovery
SHA-256: 0f723826986628a3a4a4ddb32bffa158a6a662483339baa438c55b147e706975

remcos: 0f723826 — v1.7 Pro Jan 2017 build, unencrypted RCData config

Executive Summary

PE32 GUI, 94 KB, MSVC linked Jan 5 2017. Remcos RAT v1.7 Pro by Breaking-Security.Net. No packer, no obfuscation, standard IAT. Encrypted SETTINGS blob in RCData resource. Static-only (CAPE skipped — no Windows guest).

Build / RE

Compiler / Linker

MSVC C++ with MSVCP60.dll C++ standard-library imports — an archaic 1998 runtime pressed into service for a 2017 binary. ^[pefile.txt:32] Linker version 6.0, timestamp 0x586EA375 (Thu Jan 5 19:50:13 2017 UTC). ^[exiftool.json:15] ^[rabin2-info.txt:11] ^[pefile.txt:45-46]

Packing / Obfuscation

None. 4 sections (.text, .rdata, .data, .rsrc) with reasonable entropy (6.05, 5.37, 0.58, 6.55). ^[pefile.txt:78-157] No overlay — binwalk.txt shows only the PE header. ^[binwalk.txt] Padding strings at the end of .rsrc suggest resource-compiler artifacts, not a packer. ^[strings.txt:621]

Anti-Analysis

Mutex singleton: Remcos_Mutex_Inj. ^[strings.txt:168] OpenMutexA / CreateMutexA pair in main. ^[pefile.txt:221-222] Sandbox indicators checked: SbieDll.dll, HARDWARE\ACPI\DSDT\VBOX__, PROCMON_WINDOW_CLASS, PROCEXPL. ^[strings.txt:40-43] No debugger checks observed. No TLS callbacks observed.

Code Quality & Toolchain

Heavy std::basic_string usage throughout main (constructors, c_str, find, substr, assign, replace). ^[strings.txt:444-500] C++ iostreams (basic_ifstream, basic_ofstream, basic_fstream) for file operations. ^[strings.txt:460-497] This is hand-written C++ with STL, not a builder framework like PyInstaller or .NET. The developer used an old MSVCP60 runtime rather than static-linking or using a newer VC++ redistributable — possibly to reduce binary size or avoid runtime dependencies.

Resources

RT_RCDATA named SETTINGS at offset 0x16DA4, size 0xF5 (245 bytes). High-entropy encrypted blob. ^[pefile.txt:708] This is the standard Remcos configuration container; decrypted at runtime by the binary. See embedded-rcdata-config.

Signing

Unsigned. signed: false in rabin2, no security directory. ^[rabin2-info.txt:27]

Notable Functions (radare2)

  • main (0x00407452): constructs std::strings, reads registry keys (ProductName, Software...), checks mutex, creates directories, spawns threads.
  • fcn.0040f234: recursive directory deletion routine (FindFirstFileA / FindNextFileA / RemoveDirectoryA / DeleteFileA).
  • fcn.00402b5b: registry manipulation wrapper around RegCreateKeyExA / RegSetValueExA; hardcodes the origmsc subkey related to the UAC bypass.
  • fcn.0040f44c: file-existence check using basic_ifstream.

Deploy / ATT&CK

TTPs (static-inferred, CAPE skipped)

  • T1547.001 — Registry Run key: strings reference Software\Microsoft\Windows\CurrentVersion\Run\ and explorer.exe,. ^[strings.txt:143-144] Registry-write imports present (RegSetValueExA, RegCreateKeyExA). ^[pefile.txt:367-377]
  • T1547.004 — Winlogon shell: references Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ and Userinit. ^[strings.txt:141-142]
  • T1547.001 — Explorer Run key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\. ^[strings.txt:139]
  • T1548.002 — UAC bypass via eventvwr.exe / mscfile hijacking: strings contain eventvwr.exe, Software\Classes\mscfile\shell\open\command, and origmsc. ^[strings.txt:66-69] This is the classic eventvwr.exe auto-elevate bypass. See eventvwr-uac-bypass.
  • T1056.001 — Keylogging: extensive virtual-key strings ([F1], [Ctrl+V], [Enter], etc.), SetWindowsHookExA, GetKeyState, GetForegroundWindow, GetWindowTextA. ^[strings.txt:79-106] ^[pefile.txt:340]
  • T1056.002 — Clipboard capture: OpenClipboard, GetClipboardData, SetClipboardData, EmptyClipboard, [Ctrl + V], [Following text has been pasted from clipboard:]. ^[strings.txt:106-112]
  • T1113 — Screen capture: screenshotdata, dwnldscr, GDI32 imports (StretchBlt, GetDIBits, CreateCompatibleBitmap), gdiplus.dll imports (GdipSaveImageToFile). ^[strings.txt:230] ^[pefile.txt:348-357]
  • T1123 — Audio capture: miccapture, stopmiccapture, WINMM.dll imports (waveInOpen, waveInStart). ^[strings.txt:226-227] ^[pefile.txt:556-562]
  • T1125 — Video / webcam capture: camframe, startcamcap, getcamframe, initcamcap, CloseCamera, OpenCamera. ^[strings.txt:46-58]
  • T1057 — Process discovery: proclist, getproclist, Process32First/Process32Next, CreateToolhelp32Snapshot. ^[strings.txt:253-255] ^[pefile.txt:224-225]
  • T1082 — System information discovery: GetComputerNameExW, IsWow64Process, GlobalMemoryStatusEx, ProductName from registry. ^[strings.txt:163-177]
  • T1005 — Data from local system: filemgr, download, upload, listfiles, driveslist, file enumeration APIs. ^[strings.txt:256-274]
  • T1012 — Query registry: extensive registry read/write imports + initregedit, regcreatekey, regeditval, regdelkey. ^[strings.txt:189-200]
  • T1083 — File and directory discovery: FindFirstFileA, FindNextFileA, GetLogicalDriveStringsA. ^[pefile.txt:269-270]
  • T1217 — Browser credential theft: Chrome (Login Data, Cookies), Firefox (logins.json, key3.db, cookies.sqlite), IE cookies. Explicit "cleared!" confirmation strings. ^[strings.txt:114-133]
  • T1497.001 — Virtual machine evasion: VBOX__ and Sandboxie checks in strings. ^[strings.txt:41-43]
  • T1574.002 — DLL side-loading / injection: NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread — process hollowing indicators. ^[pefile.txt:247-248] ^[strings.txt:286] The Remcos_Mutex_Inj mutex name suggests an injection component.
  • T1071.001 — Application layer protocol (TCP): WS2_32.dll imports (socket, connect, send, recv, WSAStartup), Initializing connection to C&C..., Connected to C&C!, KeepAlive. ^[strings.txt:205-206] ^[pefile.txt:582-590]
  • T1105 — Ingress tool transfer: URLDownloadToFileA (urlmon.dll) and InternetOpenUrlA / InternetReadFile (wininet.dll) for payload updates. ^[pefile.txt:599-633]
  • T1562.001 — Impair defenses: SetProcessDEPPolicy (anti-exploit), UAC disable command (reg.exe ADD HKLM\...\EnableLUA /d 0), and browser credential clearing. ^[strings.txt:170] ^[strings.txt:185-186]
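As an added example (not code from the report, the sample, or its vendor), the two persistence / elevation TTPs above expressed as host-telemetry detection logic: a write to Software\Classes\mscfile\shell\open\command followed by an eventvwr.exe launch from the same user (T1548.002), and Run-key writes pointing outside Program Files / Windows (T1547.001). The event records, user names and paths are constructed Sysmon-like dicts; the field names are an assumption, not any tool's real schema.

```python
"""Detect the eventvwr.exe / mscfile UAC-bypass sequence (T1548.002) in host telemetry.
Added example for the report above, not code from the sample or its vendor.
Records are constructed, Sysmon-like dicts; the field names are an assumption.
"""
from datetime import datetime

MSCFILE_KEY = r"software\classes\mscfile\shell\open\command"  # per-user key eventvwr.exe consults
WINDOW_S = 60  # max seconds between the hijack write and the eventvwr.exe launch

# Constructed sample telemetry: a Run-key write, one full bypass sequence, one benign launch.
SAMPLE_EVENTS = [
    {"ts": "2017-01-05T19:51:00", "event": "reg_set", "user": "lab\\alice",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc", "value": r"C:\Temp\a.exe"},
    {"ts": "2017-01-05T19:52:10", "event": "reg_set", "user": "lab\\bob",
     "key": r"HKCU\Software\Classes\mscfile\shell\open\command",
     "value": r"C:\Users\bob\AppData\Roaming\remcos.exe"},
    {"ts": "2017-01-05T19:52:14", "event": "proc_create", "user": "lab\\bob",
     "image": r"C:\Windows\System32\eventvwr.exe"},
    {"ts": "2017-01-05T20:30:00", "event": "proc_create", "user": "lab\\alice",
     "image": r"C:\Windows\System32\eventvwr.exe"},  # admin opening Event Viewer normally
]

def find_mscfile_bypass(events, window_s=WINDOW_S):
    """Return (user, hijack_value, launch_ts) for every eventvwr.exe start that follows a
    mscfile\\shell\\open\\command write by the same user within window_s seconds."""
    pending = {}  # user -> (write time, command value) of the latest mscfile hijack
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        if ev["event"] == "reg_set" and ev["key"].lower().endswith(MSCFILE_KEY):
            pending[ev["user"]] = (t, ev["value"])
        elif ev["event"] == "proc_create" and ev["image"].lower().endswith("\\eventvwr.exe"):
            rec = pending.get(ev["user"])
            if rec and (t - rec[0]).total_seconds() <= window_s:
                hits.append((ev["user"], rec[1], ev["ts"]))
    return hits

def find_run_key_persistence(events):
    """Flag Run / Policies\\Explorer\\Run writes (T1547.001) whose target is not under
    Program Files or Windows; the report's sample drops to %Temp% / %AppData%."""
    flagged = []
    for ev in events:
        if ev["event"] != "reg_set":
            continue
        key, val = ev["key"].lower(), ev["value"].lower()
        if ("\\currentversion\\run\\" in key or "\\policies\\explorer\\run\\" in key) and \
                not val.startswith((r"c:\program files", r"c:\windows")):
            flagged.append((ev["user"], ev["key"], ev["value"]))
    return flagged
```

Feed real EDR events in the same shape (one dict per registry write or process start) and the benign Event Viewer launch without a preceding hijack is not reported.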

C2 Protocol

Custom TCP protocol over raw sockets (WS2_32). Message framing uses [DataStart] and [DataStart]0000 delimiters. ^[strings.txt:59-60] Keep-alive with configurable timeout. Commands are plaintext keyword tokens: upload, download, screenshotdata, scrcap, miccapture, proclist, keepaliveoff, ping, pong, etc. ^[strings.txt:205-275] No TLS observed in imports; traffic is likely plaintext or lightly obfuscated.

Persistence

Registry Run keys, Winlogon Userinit, and Explorer Policies\Run. Binary also writes install.bat and uninstall.bat to disk for self-removal. ^[strings.txt:145-153]

Attribution / Family

Breaking-Security.Net — vendor string in binary. ^[strings.txt:207] Version "1.7 Pro". ^[strings.txt:203] This is unambiguously Remcos RAT, a commodity malware-as-a-service offered since ~2016.

IOC Summary

  • Mutex: Remcos_Mutex_Inj
  • Registry: Software\Classes\mscfile\shell\open\command (UAC bypass)
  • Files: install.bat, uninstall.bat, update.bat in %Temp% / %AppData%
  • Network: Raw TCP sockets + fallback HTTP download via URLDownloadToFileA / InternetOpenUrlA

Provenance

file.txt, exiftool.json, pefile.txt, strings.txt, rabin2-info.txt, binwalk.txt, raw binary loaded in radare2 (aa level 3, afl), capa.txt (signature failure), floss.txt (argument error), dynamic-analysis.md (CAPE skipped).

References

  • Breaking-Security.Net (Remcos vendor)
  • MITRE ATT&CK techniques referenced inline