type: analysis | family: remcos | confidence: high | created: 2026-06-05 | updated: 2026-06-05 | tags: rat, malware-family, pe, c2, persistence, defense-evasion, discovery
SHA-256: c6193af60d125c62d35c9507fc640c5f8b06d6683621d3de1993fe056eb607a6

remcos: c6193af6 — v1.7 Pro, enlarged 593-byte SETTINGS RCData

Executive Summary V1.7 Pro Remcos RAT (Breaking-Security.Net) compiled Jan 5 2017. 98 KB PE32 GUI, MSVC 6.0 / MSVCP60, standard IAT, no packer. Distinguishing feature: SETTINGS RCData resource is 593 bytes — 2.4x larger than the 245-byte sibling 0f723826, indicating an expanded C2 or feature configuration. Static-only (CAPE skipped — no Windows guest). See remcos for cluster-wide TTPs and replication notes.

What It Is

SHA-256: c6193af60d125c62d35c9507fc640c5f8b06d6683621d3de1993fe056eb607a6
File name: Backdoor.exe
Type: PE32 executable (GUI) Intel 80386, 4 sections ^[file.txt]
Size: 98 304 bytes ^[triage.json]
Linker: 6.0, timestamp 0x586EA375 (Thu Jan 5 19:50:13 2017 UTC) ^[pefile.txt:32] ^[exiftool.json:15]
Compiler: MSVC C++ with MSVCP60.dll C++ standard library ^[pefile.txt:495]
Entry point: 0xFD88 (RVA; VA 0x0040FD88 at the 0x400000 image base) ^[pefile.txt:50]
Signed: No ^[rabin2-info.txt:27]
Packer: None ^[binwalk.txt]
Overlay: None ^[rabin2-info.txt:23]
Capa: Failed — signature path missing ^[capa.txt]
FLOSS: Failed — argument parse error ^[floss.txt]

This is the same build toolchain and version string as sibling 0f723826. The delta is the enlarged encrypted config — see below.

How It Works

RCData Config Extraction At startup main calls FindResourceA("SETTINGS", RT_RCDATA) → LoadResource → LockResource → SizeofResource, then decrypts the blob in place. ^[r2:main] The resulting plaintext contains C2 host, port, mutex name, feature flags, and install paths. The SETTINGS resource in this sample is 0x251 bytes (593 decimal), versus 0xF5 (245) in 0f723826. ^[pefile.txt:703-706] The extra bytes could be a longer C2 hostname, additional feature toggles, or extra credentials baked into the builder profile; static analysis alone cannot say which. The config is never written to disk: it lives only in memory buffers allocated via malloc and wrapped in std::string. ^[r2:fcn.00407c53]

Persistence & Evasion Standard Remcos pattern: singleton mutex Remcos_Mutex_Inj, registry Run / Winlogon / Explorer Policies\Run keys, and the eventvwr.exe UAC bypass via Software\Classes\mscfile\shell\open\command. ^[strings.txt:66-69] ^[strings.txt:139-144] Sandbox string checks for SbieDll.dll, VBOX__, PROCMON_WINDOW_CLASS, PROCEXPL. ^[strings.txt:40-43] No debugger timing checks observed.

Decompiled Behavior

Entry point entry0 (0x0040FD88) is a standard MSVCRT CRT bootstrap: __set_app_type, __getmainargs, GetStartupInfoA, then calls main. ^[r2:entry0]

main (0x00407452) — key observations from radare2 pseudocode:

  • Constructs several std::basic_string objects via MSVCP60 constructors. ^[r2:main]
  • Calls fcn.00407c53 to read and decrypt the RCData SETTINGS blob into a std::string. ^[r2:main]
  • Calls fcn.00408510 which manipulates the decrypted string buffer (likely parsing key-value pairs). ^[r2:main]
  • Opens registry key ProductName under SOFTWARE\Microsoft\Windows NT\CurrentVersion to fingerprint the OS. ^[r2:main]
  • Checks mutex Remcos_Mutex_Inj via OpenMutexA; if absent, creates it via CreateMutexA. ^[r2:main]
  • If mutex already exists, exits silently (single-instance enforcement). ^[r2:main]

fcn.00408e97 — registry-open wrapper:

  • Thin wrapper around RegOpenKeyExA with KEY_READ (0x20019). ^[r2:fcn.00408e97]
  • Xrefs from main and fcn.00405f6c, suggesting it is used for both initial system fingerprinting and later persistence checks.

Process Hollowing Engine Imports include NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread. ^[pefile.txt:247-248] That import set is the canonical hollowing sequence (unmap the target's image, allocate and write the payload, redirect the suspended main thread, resume), and together with the _Inj mutex suffix it points to a process-hollowing module that injects the RAT into explorer.exe or userinit.exe, both of which appear as strings. ^[strings.txt:141-142] ^[strings.txt:155-156] Without a dynamic run the target selection logic is inferred from strings, not observed.

C2 Infrastructure

The C2 configuration is runtime-decrypted from RCData; no plaintext host/port in strings. Observable protocol artifacts:

  • WS2_32.dll raw TCP imports: socket, connect, send, recv, htons, gethostbyname, WSAStartup. ^[pefile.txt:582-590]
  • Message framing delimiters: [DataStart] and [DataStart]0000. ^[strings.txt:59-60]
  • Keep-alive heartbeat with configurable timeout (%02i:%02i:%02i:%03i [KeepAlive]). ^[strings.txt:61]
  • Plaintext command tokens visible in strings: upload, download, screenshotdata, scrcap, miccapture, proclist, keepaliveoff, ping, clearlogins, autogetofflinelogs, updatefromurl, pwgrab. ^[strings.txt:205-275]
  • Fallback HTTP download via URLDownloadToFileA (urlmon.dll) and InternetOpenUrlA / InternetReadFile (wininet.dll). ^[pefile.txt:599-633]

No TLS or Schannel wrappers appear in the IAT, so the sockets carry either raw TCP or the plaintext HTTP fallback. Whether the RAT applies its own application-layer encryption to the TCP stream cannot be determined statically; do not assume the [DataStart] framing is visible on the wire without a capture.

Interesting Tidbits

  • Builder opsec: the binary retains the version string 1.7 Pro and vendor string Breaking-Security.Net. ^[strings.txt:203] ^[strings.txt:297]
  • The 593-byte SETTINGS blob is the largest Remcos RCData observed in this corpus to date (prior sibling 0f723826: 245 bytes; another sibling 5a1e57f7: 531 bytes). This suggests an active builder with varying config sizes per campaign.
  • C++ STL footprint is unusually heavy for a 2017 commodity RAT: std::basic_string, std::basic_ifstream/ofstream/fstream, std::ios_base. This points to a natively compiled C++ stub rather than a packed or scripted payload.
  • Padding strings at end of .rsrc (PADDINGXXPADDING...) are resource compiler artifacts, not a packer. ^[strings.txt:624]
  • The floss.txt failure was an argument-parsing bug (--no got the binary path), not a sample issue.
  • capa.txt failure was missing signatures, not a sample issue.

How To Mess With It (Homelab Replication)

This is a cluster sibling — replication steps are identical to 0f723826. See remcos for the build recipe. To study the enlarged config:

  1. Extract raw RCData: pedump --resource SETTINGS c6193af6.bin > settings.bin
  2. Patch main in x32dbg to dump the decrypted buffer after fcn.00407c53 returns.
  3. Compare config keys against the 245-byte sibling to identify new fields.
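As an added example (not the page's own tooling and not Remcos code), the following Python does step 1 without pedump and mirrors the FindResourceA → LoadResource → LockResource → SizeofResource lookup described under How It Works: it walks the three-level PE resource directory (type → name → language) and returns the raw RT_RCDATA "SETTINGS" bytes. Because the sample itself is not on this page, the PE it runs on is a minimal fixture constructed inline; point `find_resource` at the real file to produce settings.bin. Assumptions: PE32 only (PE32+ is rejected), a three-level resource tree, and the first language entry is the one wanted.

```python
"""Added example: locate the RT_RCDATA "SETTINGS" resource in a PE32 image the
way FindResourceA/SizeofResource/LockResource do.  The PE below is a constructed
fixture, not the analysed sample.  Assumption: PE32 (magic 0x10B) only."""
import struct

RT_RCDATA = 10  # resource type ID for RCData


def _parse_sections(data):
    """Return ([(va, vsize, raw_ptr, raw_size)], rsrc_rva, rsrc_size)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled")
    # DataDirectory[2] (IMAGE_DIRECTORY_ENTRY_RESOURCE) sits at opt+96+2*8 in PE32
    rsrc_rva, rsrc_size = struct.unpack_from("<II", data, opt + 96 + 2 * 8)
    sections = []
    for i in range(nsec):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    return sections, rsrc_rva, rsrc_size


def _rva_to_off(sections, rva):
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x maps to no section" % rva)


def _entries(data, rsrc_off, dir_off):
    """Entries of one IMAGE_RESOURCE_DIRECTORY as (id-or-name, offset, is_subdir)."""
    n_named, n_id = struct.unpack_from("<HH", data, rsrc_off + dir_off + 12)
    out = []
    for i in range(n_named + n_id):
        name, off = struct.unpack_from("<II", data, rsrc_off + dir_off + 16 + 8 * i)
        if name & 0x80000000:  # named entry -> IMAGE_RESOURCE_DIR_STRING_U (u16 len + UTF-16LE)
            s = rsrc_off + (name & 0x7FFFFFFF)
            ln, = struct.unpack_from("<H", data, s)
            name = data[s + 2:s + 2 + 2 * ln].decode("utf-16-le")
        out.append((name, off & 0x7FFFFFFF, bool(off & 0x80000000)))
    return out


def _same(key, want):
    # FindResourceA compares names case-insensitively; integer IDs compare exactly
    return key.upper() == want.upper() if isinstance(key, str) and isinstance(want, str) else key == want


def find_resource(data, rtype, rname):
    """FindResource + SizeofResource + LockResource in one call: raw bytes or None."""
    sections, rsrc_rva, _ = _parse_sections(data)
    rsrc_off = _rva_to_off(sections, rsrc_rva)
    for key, off, is_dir in _entries(data, rsrc_off, 0):             # level 1: type
        if not (is_dir and _same(key, rtype)):
            continue
        for key2, off2, is_dir2 in _entries(data, rsrc_off, off):    # level 2: name / ID
            if not (is_dir2 and _same(key2, rname)):
                continue
            _, off3, is_dir3 = _entries(data, rsrc_off, off2)[0]      # level 3: first language
            if is_dir3:
                raise ValueError("resource tree deeper than three levels")
            data_rva, size = struct.unpack_from("<II", data, rsrc_off + off3)  # IMAGE_RESOURCE_DATA_ENTRY
            start = _rva_to_off(sections, data_rva)
            return bytes(data[start:start + size])
    return None


def build_test_pe(blob, name="SETTINGS", lang=0x409):
    """Constructed minimal PE32: one .rsrc section with a single RT_RCDATA resource
    called `name`.  Fixture only; nothing here is taken from the sample."""
    rsrc_rva, rsrc_raw = 0x1000, 0x200
    name_u16 = name.encode("utf-16-le")
    OFF_TYPE, OFF_NAME, OFF_DATA, OFF_STR = 0x18, 0x30, 0x48, 0x58  # fixed by construction
    OFF_BLOB = (OFF_STR + 2 + len(name_u16) + 7) & ~7

    def rdir(n_named, n_id):
        return struct.pack("<IIHHHH", 0, 0, 0, 0, n_named, n_id)

    rs = bytearray()
    rs += rdir(0, 1) + struct.pack("<II", RT_RCDATA, 0x80000000 | OFF_TYPE)
    rs += rdir(1, 0) + struct.pack("<II", 0x80000000 | OFF_STR, 0x80000000 | OFF_NAME)
    rs += rdir(0, 1) + struct.pack("<II", lang, OFF_DATA)
    rs += struct.pack("<IIII", rsrc_rva + OFF_BLOB, len(blob), 0, 0)
    rs += struct.pack("<H", len(name)) + name_u16
    rs += b"\0" * (OFF_BLOB - len(rs)) + blob
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                     # ImageBase
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 2 * 8, rsrc_rva, len(rs))   # resource directory
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sec = struct.pack("<8sIIIIIIHHI", b".rsrc", len(rs), rsrc_rva, len(rs), rsrc_raw, 0, 0, 0, 0, 0x40000040)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return hdr + b"\0" * (rsrc_raw - len(hdr)) + bytes(rs)


if __name__ == "__main__":
    demo = bytes(range(256)) * 2 + b"\x42" * 81  # 593 bytes, the size of this sample's SETTINGS
    blob = find_resource(build_test_pe(demo), RT_RCDATA, "settings")
    print("SETTINGS RCData: %d bytes (0x%x)" % (len(blob), len(blob)))
```

On the real file, `len(find_resource(data, RT_RCDATA, "SETTINGS"))` should come back as 593 for this sample and 245 for 0f723826; a mismatch means the resource directory was rebuilt or the sample is not the one catalogued here. The bytes returned are still encrypted; step 2 (dumping after fcn.00407c53) is what yields the plaintext to diff in step 3.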

Deployable Signatures

YARA

import "pe"

rule remcos_v17_pro_settings_rcdata {
    meta:
        description = "Remcos RAT v1.7 Pro with SETTINGS RCData resource"
        author = "triage-auto"
        date = "2026-06-05"
        sha256 = "c6193af60d125c62d35c9507fc640c5f8b06d6683621d3de1993fe056eb607a6"
    strings:
        $a = "Remcos_Mutex_Inj" ascii wide
        $b = "[DataStart]" ascii
        $c = "Breaking-Security.Net" ascii
        $d = "REMCOS v" ascii
        $e = "1.7 Pro" ascii
        $f = "eventvwr.exe" ascii
        $g = "Software\\Classes\\mscfile\\shell\\open\\command" ascii
        $h = "SETTINGS" wide
    condition:
        uint16(0) == 0x5A4D and
        5 of them and
        pe.number_of_sections == 4 and
        pe.sections[0].name == ".text" and
        pe.sections[3].name == ".rsrc"
}

Sigma (Behavioral)

title: Remcos RAT Process Spawn Pattern
description: >
    eventvwr.exe, or a command line naming the mscfile handler key, spawned by the
    dropped binary. ParentImage is bound to this sample's file name; widen it
    (user-writable parent paths, unsigned parents) before deploying beyond the homelab.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'Software\Classes\mscfile\shell\open\command'
            - 'eventvwr.exe'
        ParentImage|endswith:
            - '\Backdoor.exe'
    condition: selection
falsepositives:
    - Legitimate eventvwr troubleshooting
level: high
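The Sigma rule above keys on the parent's file name, which a renamed dropper defeats. As an added example (not part of the triage output or the rule), the following Python runs the same behavioural chain over Sysmon-style events instead: registry value writes (EventID 13) to the mscfile handler and to the persistence keys from the IOC list, and an eventvwr.exe launch (EventID 1) whose parent is the process that just rewrote the handler. All events are constructed test data; Sysmon renders HKCU as HKU\<SID>, which the patterns account for. The 60-second correlation window and the severity tiers are assumptions, not values taken from the sample.

```python
"""Added example: Remcos UAC-bypass and persistence chain detected from
Sysmon-style registry (EventID 13) and process-creation (EventID 1) events.
Events below are constructed; key paths follow this page's IOC table."""
import re
from datetime import datetime, timedelta

MSCFILE_HIJACK = re.compile(r"\\Software\\Classes\\mscfile\\shell\\open\\command", re.I)
# (pattern, severity, label) checked in order; first match wins
PERSIST_KEYS = [
    (re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\Userinit$", re.I), "high", "Winlogon Userinit hijack"),
    (re.compile(r"\\CurrentVersion\\Policies\\Explorer\\Run\\", re.I), "medium", "Policies\\Explorer\\Run persistence"),
    (re.compile(r"\\CurrentVersion\\Run\\", re.I), "low", "Run key persistence"),
]
HIJACK_WINDOW = timedelta(seconds=60)  # assumption: the bypass fires soon after the handler write


def _when(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def detect(events):
    """Return [(severity, label, actor_image, detail)] in time order."""
    alerts = []
    hijack_writers = {}  # ProcessId -> (time, Image) of the last mscfile handler write
    for ev in sorted(events, key=_when):
        if ev["EventID"] == 13:
            target = ev["TargetObject"]
            if MSCFILE_HIJACK.search(target):
                hijack_writers[ev["ProcessId"]] = (_when(ev), ev["Image"])
                alerts.append(("high", "mscfile handler hijack written", ev["Image"], ev["Details"]))
                continue
            for rx, sev, label in PERSIST_KEYS:
                if rx.search(target):
                    alerts.append((sev, label, ev["Image"], ev["Details"]))
                    break
        elif ev["EventID"] == 1 and ev["Image"].lower().endswith("\\eventvwr.exe"):
            writer = hijack_writers.get(ev["ParentProcessId"])
            # eventvwr.exe started by the very process that rewrote the mscfile handler
            if writer and _when(ev) - writer[0] <= HIJACK_WINDOW:
                alerts.append(("critical", "eventvwr.exe UAC bypass after mscfile hijack by same process",
                               writer[1], ev["CommandLine"]))
    return alerts


# Constructed Sysmon-style events (HKCU appears as HKU\<SID> in Sysmon output)
SID = r"HKU\S-1-5-21-1111-2222-3333-1001"
DROPPED = r"C:\Users\lab\AppData\Local\Temp\Backdoor.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2026-06-05 12:00:00.000", "Image": DROPPED, "ProcessId": 4412,
     "TargetObject": SID + r"\Software\Classes\mscfile\shell\open\command\(Default)", "Details": DROPPED},
    {"EventID": 1, "UtcTime": "2026-06-05 12:00:01.250", "Image": r"C:\Windows\System32\eventvwr.exe",
     "ProcessId": 4460, "ParentProcessId": 4412, "CommandLine": "eventvwr.exe"},
    {"EventID": 13, "UtcTime": "2026-06-05 12:00:03.000", "Image": DROPPED, "ProcessId": 4412,
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Remcos", "Details": DROPPED},
    {"EventID": 13, "UtcTime": "2026-06-05 12:00:03.500", "Image": DROPPED, "ProcessId": 4412,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe," + DROPPED},
    # benign: an admin opens Event Viewer from Explorer, no preceding handler write
    {"EventID": 1, "UtcTime": "2026-06-05 12:05:00.000", "Image": r"C:\Windows\System32\eventvwr.exe",
     "ProcessId": 5120, "ParentProcessId": 1788, "CommandLine": "eventvwr.exe"},
    # ordinary software registering a Run entry: surfaces as low only
    {"EventID": 13, "UtcTime": "2026-06-05 12:06:00.000", "Image": r"C:\Program Files\Vendor\Updater.exe",
     "ProcessId": 6001, "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\Updater.exe"},
]

if __name__ == "__main__":
    for sev, label, actor, detail in detect(SAMPLE_EVENTS):
        print("[%-8s] %-60s %s -> %s" % (sev, label, actor, detail))
```

The registry-based chain survives a renamed dropper and does not need the payload to be started through reg.exe; the Run-key check on its own is noisy (the updater event is the usual false-positive class), so only the mscfile write followed by eventvwr.exe from the same PID, and the Userinit rewrite, are rated high or above.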

IOC List

SHA-256: c6193af60d125c62d35c9507fc640c5f8b06d6683621d3de1993fe056eb607a6
ssdeep: 1536:whhW0YTGZWdVseJxaM9kraLdV2QkQ1TbPX8IHOCkIsI4ESHNTh9E+JP19qkP6ZrR:WhzYTGWVvJ8f2v1TbPzuMsIFSHNThy+c ^[ssdeep.txt]
tlsh: ADA3C617BD4BD0A3E42591F186826BA18FBC7C333646213BD74FC9419DB8486D452EFA ^[tlsh.txt]
Mutex: Remcos_Mutex_Inj
Registry (UAC bypass): HKCU\Software\Classes\mscfile\shell\open\command
Registry (persistence): HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Registry (persistence): HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
Registry (persistence): HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Files: %TEMP%\install.bat, %TEMP%\uninstall.bat, %TEMP%\update.bat
Network: Raw TCP sockets + HTTP fallback via URLDownloadToFileA / InternetOpenUrlA

Behavioral Fingerprint

On launch the binary calls FindResourceA("SETTINGS", RT_RCDATA), decrypts a ~245–600 byte config into memory, checks OpenMutexA("Remcos_Mutex_Inj"), queries registry for ProductName, and begins C2 connection attempts over raw TCP with [DataStart] framing. If not admin, it attempts the eventvwr.exe UAC bypass by writing HKCU\Software\Classes\mscfile\shell\open\command. Persistence is established via Run keys and Winlogon Userinit hijack.

Detection Signatures

ATT&CK mapping is identical to sibling 0f723826 and the broader Remcos cluster. See remcos for the full technique grid and detection mappings.

References

  • remcos — entity page for the Remcos RAT family
  • embedded-rcdata-config — concept page for encrypted RCData staging
  • eventvwr-uac-bypass — technique page for the mscfile hijack
  • /intel/analyses/0f723826986628a3a4a4ddb32bffa158a6a662483339baa438c55b147e706975.html — sibling with 245-byte SETTINGS

Provenance

  • file.txt, exiftool.json, pefile.txt, strings.txt, rabin2-info.txt, binwalk.txt, ssdeep.txt, tlsh.txt, yara.txt
  • metadata.json, triage.json, dynamic-analysis.md (CAPE skipped — no Windows guest)
  • capa.txt (signature failure), floss.txt (argument parse error)
  • radare2 analysis: mcp_radare2_open_file + aa level 3 + pdf on entry0, main, fcn.00407c53, fcn.00408510, fcn.00408e97