type: concept | confidence: medium | created: 2026-06-03 | updated: 2026-06-03 | tags: obfuscation, config, evasion, pe-resources

Embedded RCData Encrypted Configuration

Malware build pattern: runtime configuration (C2 host, port, mutex name, feature flags, credentials) is stored as an RCData resource inside the PE, encrypted to defeat static extraction. The blob is decrypted at runtime into memory buffers (typically std::string or byte arrays) and is never written to disk in plaintext.

Detection / Fingerprint

  • PE resource directory contains RT_RCDATA with a human-readable name like SETTINGS, CONFIG, DATA, or numeric ID
  • Blob size 200–500 bytes with entropy > 7.5 (highly compressed or encrypted)
  • Binary references FindResourceA, LoadResource, LockResource, SizeofResource early in main()
  • Post-decryption strings (C2 host, port) do not appear in static strings output
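The first two fingerprint bullets (RT_RCDATA with a readable name, 200–500 bytes, entropy > 7.5) can be checked without running the sample. The following is an added example, not tooling from this note or from any of the families it names: a standard-library Python scanner that walks the PE resource tree, reports every RT_RCDATA leaf with its name, size and Shannon entropy, and flags those matching the size/entropy window. The sample PE and its 300-byte high-entropy blob are constructed in `build_sample_pe` purely so the scanner runs offline; the thresholds are parameters with the note's values as defaults.

```python
"""Added example: flag RT_RCDATA resources that match the fingerprint above
(200-500 bytes, Shannon entropy > 7.5). Standard library only; the PE image and
its blob are constructed here, not taken from any real sample."""
import math
import random
import struct
from collections import Counter

RT_RCDATA = 10


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _headers(pe: bytes):
    """Return (resource directory RVA, section table) parsed from the DOS/NT headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, nt + 6)[0]
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]
    opt = nt + 24
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    # DataDirectory[2] (resources) follows 112 bytes of PE32+ or 96 bytes of PE32 fields
    rsrc_rva = struct.unpack_from("<I", pe, opt + (112 if pe32plus else 96) + 16)[0]
    sect = opt + opt_size
    # each section: (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    return rsrc_rva, [struct.unpack_from("<IIII", pe, sect + i * 40 + 8) for i in range(nsec)]


def _rva_to_offset(rva: int, sections) -> int:
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not mapped by any section")


def _entries(pe: bytes, base: int, dir_off: int):
    """Yield (name_or_id, target_offset, is_subdirectory) for one IMAGE_RESOURCE_DIRECTORY."""
    n_named, n_id = struct.unpack_from("<HH", pe, base + dir_off + 12)
    for i in range(n_named + n_id):
        name, data = struct.unpack_from("<II", pe, base + dir_off + 16 + i * 8)
        if name & 0x80000000:  # named entry: offset to IMAGE_RESOURCE_DIR_STRING_U
            s = base + (name & 0x7FFFFFFF)
            length = struct.unpack_from("<H", pe, s)[0]
            ident = pe[s + 2:s + 2 + 2 * length].decode("utf-16-le")
        else:
            ident = name
        yield ident, data & 0x7FFFFFFF, bool(data & 0x80000000)


def scan_rcdata(pe: bytes, min_size=200, max_size=500, min_entropy=7.5):
    """List every RT_RCDATA leaf; 'suspicious' marks the size/entropy window from the note."""
    rsrc_rva, sections = _headers(pe)
    if not rsrc_rva:
        return []
    base = _rva_to_offset(rsrc_rva, sections)
    findings = []
    for rtype, type_off, is_dir in _entries(pe, base, 0):
        if rtype != RT_RCDATA or not is_dir:
            continue
        for name, name_off, is_dir2 in _entries(pe, base, type_off):
            if not is_dir2:
                continue
            for _lang, leaf_off, is_dir3 in _entries(pe, base, name_off):
                if is_dir3:
                    continue
                data_rva, size = struct.unpack_from("<II", pe, base + leaf_off)
                off = _rva_to_offset(data_rva, sections)
                ent = shannon_entropy(pe[off:off + size])
                findings.append({"name": name, "size": size, "entropy": round(ent, 3),
                                 "suspicious": min_size <= size <= max_size and ent > min_entropy})
    return findings


def build_sample_pe(blob: bytes, res_name: str = "SETTINGS") -> bytes:
    """Constructed minimal PE32: one .rsrc section holding a single named RT_RCDATA resource."""
    name_u = res_name.encode("utf-16-le")
    type_dir, name_dir, leaf, name_str = 24, 48, 72, 88  # offsets inside the resource section
    blob_off = name_str + 2 + len(name_u)
    blob_off += (-blob_off) % 4  # 4-byte alignment for the data
    rsrc_va, rsrc_raw = 0x1000, 0x400

    def directory(named, ids):  # IMAGE_RESOURCE_DIRECTORY with zeroed version/timestamp
        return struct.pack("<IIHHHH", 0, 0, 0, 0, named, ids)

    r = bytearray()
    r += directory(0, 1) + struct.pack("<II", RT_RCDATA, 0x80000000 | type_dir)
    r += directory(1, 0) + struct.pack("<II", 0x80000000 | name_str, 0x80000000 | name_dir)
    r += directory(0, 1) + struct.pack("<II", 0x0409, leaf)
    r += struct.pack("<IIII", rsrc_va + blob_off, len(blob), 0, 0)  # IMAGE_RESOURCE_DATA_ENTRY
    r += struct.pack("<H", len(res_name)) + name_u
    r += b"\0" * (blob_off - len(r)) + blob
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 96 + 16, rsrc_va, len(r))  # resource data directory
    sec = b".rsrc".ljust(8, b"\0") + struct.pack("<IIII", len(r), rsrc_va, len(r), rsrc_raw) + b"\0" * 16
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + sec
    return hdr + b"\0" * (rsrc_raw - len(hdr)) + bytes(r)


# Constructed stand-in for an encrypted config: 300 bytes using all 256 values (entropy ~7.94)
_vals = list(range(256)) + list(range(44))
random.Random(7).shuffle(_vals)
SAMPLE_BLOB = bytes(_vals)

if __name__ == "__main__":
    for f in scan_rcdata(build_sample_pe(SAMPLE_BLOB)):
        print(f)
```

Run against a real file with `scan_rcdata(open(path, "rb").read())`. One caveat worth keeping in mind: a single-byte XOR over a text configuration, as in the simpler Remcos builds, preserves the plaintext's byte distribution, so such a blob will sit well below 7.5 and only the resource name, size range and the FindResource/LoadResource/LockResource call pattern will match. Treat the entropy threshold as one signal among the four, not as the gate.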

Variants

  • Remcos uses a ~245–593 byte RCData blob named SETTINGS with a simple XOR or byte-substitution cipher. Size varies by campaign/build profile (observed: 245 bytes in 0f723826, 593 bytes in c6193af6).
  • Other families (NanoCore, AsyncRAT) encrypt RCData with AES and a hardcoded key derived from a build-specific passphrase

Cross-References

  • remcos — family that uses this pattern