Static Analysis Report — 4818d00fee9f51fb8747b4de46240909c886eb3c5afb94840ec5dac021ec336d
Family: remcos
Confidence: high
Analysis date: 2026-06-05
CAPE: skipped — no Windows guest available.
1. Build / RE
Toolchain — PE32 GUI, MSVC 6.0 linker (Major=0x6, Minor=0x0), compiled Thu Jan 5 19:50:13 2017 UTC ^[pefile.txt]. Heavy MSVCP60.dll STL surface: std::basic_string, std::basic_fstream, std::basic_ostream, std::ios_base::Init ^[r2:imports]. 4 standard sections (.text, .rdata, .data, .rsrc); no packer, no overlay entropy spike ^[file.txt]. Unsigned (signed: false) ^[rabin2-info.txt].
RCData config — Resource SETTINGS holds a 429-byte RCData blob ^[r2:iR]. Same resource name observed across Remcos siblings; builder-encrypted configuration. Standard icon (1 + 102 GROUP_ICON) accompanying the payload.
Anti-analysis — Sandbox string checks only: SbieDll.dll ^[strings.txt:40], HARDWARE\ACPI\DSDT\VBOX__ ^[strings.txt:41], PROCMON_WINDOW_CLASS ^[strings.txt:42], PROCEXPL ^[strings.txt:43]. No debugger hooks, no VM exit checks, no timing bombs. Code quality is builder-generated C++: repetitive std::string temporaries, heavy exception prologue (_EH_prolog, __CxxFrameHandler) ^[pefile.txt], and predictable IAT layout.
Notable functions
- fcn.0040d477 — Process hollowing engine. Resolves NtUnmapViewOfSection dynamically from ntdll.dll ^[r2:fcn.0040d477], then CreateProcessA (suspended) → VirtualAllocEx → WriteProcessMemory → SetThreadContext → ResumeThread. Classic TTP with the full PE relocation loop visible in the decompile.
- fcn.00402a78 — UAC bypass dispatcher. Writes HKCU\Software\Classes\mscfile\shell\open\command via the RegSetValueExA wrapper ^[r2:fcn.00408fda], backs up the original value as origmsc ^[strings.txt:76], then ShellExecuteA("open", "eventvwr.exe") ^[r2:fcn.00402a78].
- fcn.00402504 — C2 frame builder. Prepends [DataStart] + 4-byte length to the std::string payload, then send() over a raw TCP socket ^[r2:fcn.00402504].
- fcn.00403877 — Keylogger hook thread. Calls SetWindowsHookExA and pumps messages via GetMessageA/TranslateMessage/DispatchMessageA ^[r2:fcn.00403877].
- fcn.004084b8 — UAC disable fallback. Spawns cmd.exe /k reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f via CreateProcessA ^[r2:fcn.004084b8]. The HKLM policy write only succeeds from an elevated process, so this path depends on the eventvwr.exe bypass (or an already-elevated launch) having succeeded first.
2. Deploy / ATT&CK
All TTPs below are inferable from static strings + decompiled control flow; no runtime execution was performed (CAPE skipped).
| Technique | Evidence |
|---|---|
| T1055.012 — Process Hollowing | NtUnmapViewOfSection ^[strings.txt:286], VirtualAllocEx ^[strings.txt:357], WriteProcessMemory ^[strings.txt:356], SetThreadContext ^[strings.txt:355], ResumeThread ^[strings.txt:354] in single decompiled routine ^[r2:fcn.0040d477] |
| T1548.002 — UAC Bypass: eventvwr | Hijacks HKCU\Software\Classes\mscfile\shell\open\command ^[strings.txt:67], executes eventvwr.exe ^[strings.txt:66], restores original with origmsc tag ^[strings.txt:76] ^[r2:fcn.00402a78] |
| T1547.001 — Registry Run Keys | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ ^[strings.txt:139] |
| T1547.004 — Winlogon Shell/Userinit | Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ ^[strings.txt:142], Userinit ^[strings.txt:140], explorer.exe, ^[strings.txt:143] |
| T1056.001 — Keylogger | SetWindowsHookExA ^[strings.txt:380], [F1]–[F12] key-name strings ^[strings.txt:89-99], keylogger command strings (startonlinekl, stoponlinekl, deletekeylog) ^[strings.txt:232-235] |
| T1115 — Clipboard Data | OpenClipboard, GetClipboardData, SetClipboardData, EmptyClipboard ^[strings.txt:105-110], clipboard paste/capture log strings ^[strings.txt:107] |
| T1113 — Screen Capture | GdiplusStartup ^[strings.txt:583], StretchBlt ^[strings.txt:415], GdipSaveImageToFile ^[r2:imports], screenshot command strings (screenshotdata, scrslist, scrcap) ^[strings.txt:249-251] |
| T1123 — Audio Capture | waveInOpen / waveInStart / waveInAddBuffer / waveInClose ^[strings.txt:568], microphone commands (miccapture, stopmiccapture) ^[strings.txt:254-255] |
| T1125 — Video Capture | OpenCamera, GetFrame, CloseCamera ^[strings.txt:56], webcam commands (startcamcap, getcamframe, freecamcap) ^[strings.txt:51-54] |
| T1555.003 — Credentials from Web Browsers (cookie theft also maps to T1539) | Chrome Login Data / Cookies ^[strings.txt:117-118], Firefox key3.db / logins.json / cookies.sqlite ^[strings.txt:121-124], IE cookies ^[strings.txt:125], clearlogins command ^[strings.txt:256] |
| T1095 — Non-Application Layer Protocol (raw TCP C2) | [DataStart] frame delimiter ^[strings.txt:59], [DataStart]0000 variant ^[strings.txt:60], keep-alive heartbeat %02i:%02i:%02i:%03i [KeepAlive] ^[strings.txt:61], WS2_32.dll send/recv/connect/htons ^[r2:imports] |
| T1105 — Ingress Tool Transfer | URLDownloadToFileA ^[strings.txt:579], InternetOpenUrlA ^[strings.txt:595], update commands (updatefromurl, updatefromlocal) ^[strings.txt:260-261] |
| T1083 — File and Directory Discovery | filefound, searchstarted, searchfinished, searchwrongpath ^[strings.txt:77-81], file-manager command set (listfiles, driveslist, newfolder, upload, download) ^[strings.txt:266-276] |
| T1497.001 — Sandbox Evasion | Sandbox/VM string checks: SbieDll.dll ^[strings.txt:40], VBOX__ ^[strings.txt:41], PROCMON_WINDOW_CLASS ^[strings.txt:42], PROCEXPL ^[strings.txt:43] |
| T1070.004 — Indicator Removal: File Deletion | uninstall.bat with @RD /Q and del %0 ^[strings.txt:145-147], deletefile command ^[strings.txt:259] |
| Idle-time detection (no dedicated ATT&CK ID; T1543 Create or Modify System Process does not describe this behaviour) | GetLastInputInfo ^[strings.txt:290], { User has been idle for ... minutes } ^[strings.txt:96] |
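The framing described for fcn.00402504 and the raw TCP C2 row, as a parser that can be run over captured TCP payload. This is an added example, not code from the sample or from the Remcos builder: the report supplies the [DataStart] magic, the 4-byte length prefix and the [KeepAlive] heartbeat suffix; the little-endian byte order of the length field, the resynchronisation behaviour and the sample frames are assumptions/constructed.

```python
import struct

MAGIC = b"[DataStart]"          # frame delimiter (strings.txt:59)
HDR_LEN = len(MAGIC) + 4        # magic + 4-byte length; byte order assumed little-endian
KEEPALIVE_TAG = b"[KeepAlive]"  # suffix of the heartbeat string (strings.txt:61)


def build_frame(payload: bytes) -> bytes:
    """Mirror of the framing the report describes for fcn.00402504."""
    return MAGIC + struct.pack("<I", len(payload)) + payload


class FrameReader:
    """Reassembles frames from a TCP byte stream (e.g. tcp.payload chunks
    pulled from a pcap). Handles frames split across reads, several frames
    in one read, and resynchronises on junk by scanning for the next MAGIC."""

    def __init__(self, max_len: int = 1 << 20):
        self.buf = b""
        self.max_len = max_len   # sanity bound on the length field (assumption)
        self.dropped = 0         # bytes discarded while resynchronising

    def feed(self, data: bytes) -> list[bytes]:
        self.buf += data
        frames = []
        while True:
            idx = self.buf.find(MAGIC)
            if idx < 0:
                # No magic: keep only a tail that could still be the start of one.
                keep = len(MAGIC) - 1
                self.dropped += max(0, len(self.buf) - keep)
                self.buf = self.buf[-keep:]
                break
            if idx > 0:
                self.dropped += idx
                self.buf = self.buf[idx:]
            if len(self.buf) < HDR_LEN:
                break                           # header not complete yet
            (length,) = struct.unpack_from("<I", self.buf, len(MAGIC))
            if length > self.max_len:
                # Implausible length: treat this magic as junk and resync.
                self.dropped += len(MAGIC)
                self.buf = self.buf[len(MAGIC):]
                continue
            if len(self.buf) < HDR_LEN + length:
                break                           # body not complete yet
            frames.append(self.buf[HDR_LEN:HDR_LEN + length])
            self.buf = self.buf[HDR_LEN + length:]
        return frames


def classify(payload: bytes) -> str:
    """Heartbeats end with the [KeepAlive] tag; everything else is command/data."""
    return "keepalive" if payload.endswith(KEEPALIVE_TAG) else "data"


# Constructed sample stream: leading junk, a heartbeat, then a data frame cut mid-header.
SAMPLE_KEEPALIVE = b"00:00:17:042 [KeepAlive]"
SAMPLE_DATA = b"screenshotdata|constructed-payload"


def demo() -> list[tuple[str, bytes]]:
    reader = FrameReader()
    first = b"junk" + build_frame(SAMPLE_KEEPALIVE) + build_frame(SAMPLE_DATA)[:5]
    out = reader.feed(first)
    out += reader.feed(build_frame(SAMPLE_DATA)[5:])
    return [(classify(p), p) for p in out]


if __name__ == "__main__":
    for kind, payload in demo():
        print(kind, payload)
```

Feed it the client-to-server and server-to-client directions separately; the length bound is what keeps a corrupted or hostile length field from stalling the reader forever.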
Attribution — Remcos v1.7 Pro ^[strings.txt:203]; vendor watermark * Breaking-Security.Net ^[strings.txt:297]; singleton mutex Remcos_Mutex_Inj ^[strings.txt:168]. Same builder version and string profile as sibling 0f723826 (v1.7 Pro, Jan 2017); this sample differs only in SETTINGS blob size (429 bytes vs 531 bytes in 5a1e57f7b0).
Observations
- No encrypted IAT, no API hashing, no PEB walking. The binary is a standard C++ PE with a clear import table — consistent with builder output from Breaking-Security's Remcos Pro edition.
- Process hollowing and UAC bypass are both present in the same binary, suggesting this sample was configured for elevated installation rather than relying solely on userland persistence.
- The presence of both the eventvwr.exe auto-elevate and the cmd.exe /k reg.exe ... EnableLUA=0 fallback means the operator had two complementary paths: bypass UAC to obtain an elevated process, then disable UAC outright from that elevated context (the HKLM policy write fails without it).
- No hardcoded C2 address in strings; configuration is encrypted inside RCData SETTINGS. Decryption routine not recovered statically without a dynamic trace.
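Detection logic for the two UAC paths above (fcn.00402a78 mscfile hijack followed by eventvwr.exe, and the fcn.004084b8 EnableLUA=0 fallback), run over constructed endpoint telemetry. This is an added example and not part of the report's tooling: the records are modelled on Sysmon event IDs 13 (registry value set) and 1 (process create), but the field names, the 120-second correlation window and the sample events are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    """Minimal Sysmon-style record (field names are an assumption):
    eid 13 = RegistryValueSet, eid 1 = ProcessCreate."""
    ts: datetime
    eid: int
    image: str
    target: str = ""        # registry path (eid 13)
    details: str = ""       # new value (eid 13)
    cmdline: str = ""       # eid 1
    parent_image: str = ""  # eid 1


MSCFILE_HANDLER = r"\classes\mscfile\shell\open\command"
ENABLELUA_VALUE = r"\policies\system\enablelua"
REG_DISABLE_LUA = re.compile(
    r"reg(?:\.exe)?\s+add\s+.*policies\\system.*enablelua.*/d\s+0", re.I)


def detect(events, window=timedelta(seconds=120)):
    """Returns (severity, technique, message) tuples in time order."""
    alerts = []
    hijacks = []  # mscfile handler writes seen so far
    for ev in sorted(events, key=lambda e: e.ts):
        img = ev.image.lower()
        if ev.eid == 13:
            tgt = ev.target.lower()
            if MSCFILE_HANDLER in tgt:
                hijacks.append(ev)
                alerts.append(("medium", "T1548.002",
                               f"mscfile open handler set to {ev.details!r} by {ev.image}"))
            elif tgt.endswith(ENABLELUA_VALUE) and ev.details.lower().endswith("0x00000000"):
                alerts.append(("high", "EnableLUA=0",
                               f"UAC disabled by registry write from {ev.image}"))
        elif ev.eid == 1:
            if img.endswith("\\eventvwr.exe"):
                recent = [h for h in hijacks if ev.ts - h.ts <= window]
                if recent:
                    delay = int((ev.ts - recent[-1].ts).total_seconds())
                    alerts.append(("high", "T1548.002",
                                   f"eventvwr.exe started {delay}s after mscfile hijack "
                                   f"(handler -> {recent[-1].details!r})"))
            # eventvwr.exe should only ever spawn mmc.exe; anything else is the hijack firing.
            if ev.parent_image.lower().endswith("\\eventvwr.exe") and not img.endswith("\\mmc.exe"):
                alerts.append(("high", "T1548.002",
                               f"eventvwr.exe spawned {ev.image} instead of mmc.exe"))
            if REG_DISABLE_LUA.search(ev.cmdline):
                alerts.append(("high", "EnableLUA=0", f"{ev.image} ran: {ev.cmdline}"))
    return alerts


# Constructed sample telemetry reproducing the chain in fcn.00402a78 / fcn.004084b8.
T0 = datetime(2017, 1, 6, 10, 0, 0)
IMPLANT = r"C:\Users\bob\AppData\Roaming\remcos\remcos.exe"
SAMPLE_EVENTS = [
    Event(T0, 13, IMPLANT,
          target=r"HKU\S-1-5-21-1\Software\Classes\mscfile\shell\open\command\(Default)",
          details=IMPLANT),
    Event(T0 + timedelta(seconds=2), 1, r"C:\Windows\System32\eventvwr.exe",
          cmdline="eventvwr.exe", parent_image=IMPLANT),
    Event(T0 + timedelta(seconds=3), 1, IMPLANT,
          cmdline=IMPLANT, parent_image=r"C:\Windows\System32\eventvwr.exe"),
    Event(T0 + timedelta(seconds=5), 1, r"C:\Windows\System32\cmd.exe",
          cmdline=r"cmd.exe /k reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"
                  r"\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f",
          parent_image=IMPLANT),
    # Benign: an admin opening Event Viewer an hour later, outside the window.
    Event(T0 + timedelta(hours=1), 1, r"C:\Windows\System32\eventvwr.exe",
          cmdline="eventvwr.exe", parent_image=r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for sev, tech, msg in detect(SAMPLE_EVENTS):
        print(f"[{sev}] {tech}: {msg}")
```

The registry write alone is only medium confidence because the mscfile handler is also touched by legitimate installers; the correlated eventvwr.exe launch, or eventvwr.exe spawning anything other than mmc.exe, is what makes it a high-confidence bypass.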