type: entity
confidence: high
created: 2026-06-03
updated: 2026-06-05
tags: malware-family, rat, c2, persistence, defense-evasion, discovery, exfiltration

Remcos RAT

Commodity remote-access trojan (RAT) sold as malware-as-a-service by Breaking-Security.Net since ~2016. Windows-native, C++ with MSVCP60 STL, standard IAT, no packer. Distributed in versioned "Pro" builds with builder-generated encrypted RCData configuration.

Build Stack

  • MSVC C++ with MSVCP60.dll C++ standard library (observed Jan 2017 build)
  • PE32 GUI or console, 4 sections (.text .rdata .data .rsrc)
  • No packer, no obfuscation, no anti-debug beyond sandbox string checks
  • Unsigned (all observed samples)
  • RCData resource SETTINGS holds encrypted config blob (245–300 bytes typical)
  • Heavy std::basic_string and iostream usage; builder likely emits C++ source compiled with legacy toolchain

Deploy / TTPs

  • T1547.001 — Registry Run / Explorer Policies\Run persistence
  • T1547.004 — Winlogon Userinit hijack
  • T1548.002 — eventvwr UAC bypass (eventvwr.exe auto-elevate via mscfile handler)
  • T1056.001 / T1056.002 — Keylogger + clipboard capture (SetWindowsHookExA)
  • T1113 — Screenshot capture (GDIPlus / StretchBlt)
  • T1123 — Microphone capture (WINMM waveIn*)
  • T1125 — Webcam capture
  • T1057 — Process enumeration (Toolhelp32 API)
  • T1217 — Browser credential theft (Chrome, Firefox, IE storage)
  • T1005 — File manager / upload / download
  • T1071.001 — Raw TCP C2 with [DataStart] frame delimiter and keep-alive heartbeat
  • T1105 — Payload update via URLDownloadToFileA / InternetOpenUrlA fallback
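The persistence and UAC-bypass techniques above leave a small set of registry artifacts that can be checked on a triaged host. The Python helper below is an added example, not tooling from this profile or the vendor: the key paths are the standard Windows locations for each technique, the records it scans are constructed, and the comparison against the stock Userinit string assumes an unmodified install.

```python
"""Triage helper: flag registry records matching the Remcos persistence and
UAC-bypass techniques listed above. Added example; all input is constructed."""
import re

# Winlogon\Userinit data on a stock install (assumption: unmodified system).
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe,"

# (label, key regex, value-name regex or None, predicate on the value data)
ARTIFACTS = [
    # Run / Policies\Explorer\Run: every value is listed for analyst review.
    ("T1547.001", re.compile(r"\\CurrentVersion\\(Policies\\Explorer\\)?Run$", re.I),
     None, lambda d: True),
    # Winlogon Userinit pointing anywhere but the stock userinit.exe.
    ("T1547.004", re.compile(r"\\Winlogon$", re.I), re.compile(r"^Userinit$", re.I),
     lambda d: d.strip().lower() != DEFAULT_USERINIT),
    # Per-user mscfile handler, the key eventvwr.exe consults when auto-elevating.
    ("T1548.002", re.compile(r"^(HKCU|HKEY_CURRENT_USER|HKU|HKEY_USERS)\\.*Classes\\mscfile\\shell\\open\\command$", re.I),
     None, lambda d: True),
    # UAC switched off outright (EnableLUA fallback noted in the analyses).
    ("uac-disable-EnableLUA", re.compile(r"\\Policies\\System$", re.I),
     re.compile(r"^EnableLUA$", re.I), lambda d: str(d).strip().lower() in ("0", "0x0")),
]

def triage_registry(records):
    """records: iterable of (key, value_name, data) as in a registry export.
    Returns (label, key, value_name, data) for each match, in input order."""
    hits = []
    for key, name, data in records:
        for label, key_re, name_re, pred in ARTIFACTS:
            if not key_re.search(key):
                continue
            if name_re is not None and not name_re.match(name or ""):
                continue
            if pred(data):
                hits.append((label, key, name, data))
    return hits

# Constructed sample export: two benign rows, then one row per technique.
SAMPLE_PATH = r"C:\Users\u\AppData\Roaming\remcos\remcos.exe"  # constructed path
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SYSTEM_POL = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SAMPLE = [
    (WINLOGON, "Userinit", r"C:\Windows\system32\userinit.exe,"),
    (SYSTEM_POL, "EnableLUA", "1"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "remcos", SAMPLE_PATH),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", "remcos", SAMPLE_PATH),
    (WINLOGON, "Userinit", r"C:\Windows\system32\userinit.exe," + SAMPLE_PATH),
    (r"HKCU\Software\Classes\mscfile\shell\open\command", "", SAMPLE_PATH),
    (SYSTEM_POL, "EnableLUA", "0"),
]
```

Running `triage_registry(SAMPLE)` returns five hits, one per suspicious row, and nothing for the two benign rows.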

Capabilities

  • credential-dumping-browser-storage
  • keylogging-SetWindowsHookExA
  • clipboard-hijack-clipboard-apis
  • screenshot-capture-gdiplus
  • webcam-capture-directshow
  • microphone-capture-wavein
  • file-manager-upload-download
  • process-enumeration-toolhelp32
  • registry-modification-run-keys
  • uac-bypass-eventvwr-mscfile
  • uac-disable-EnableLUA-registry
  • raw-tcp-c2-DataStart-framing
  • http-fallback-download
  • sandbox-evasion-string-checks
  • mutex-singleton-Remcos_Mutex_Inj
  • process-hollowing-NtUnmapViewOfSection

Variants / Aliases

  • Remcos ("Remote Control & Surveillance")
  • RemcosRAT
  • Breaking-Security.Net vendor label

Notable Analyses

  • 4818d00f — v1.7 Pro, Jan 2017, 429-byte SETTINGS RCData (enlarged config), process hollowing engine, eventvwr UAC bypass + EnableLUA fallback, static-only (no CAPE).
  • 5a1e57f7b0 — sibling with 531-byte SETTINGS RCData (enlarged config vs 245-byte sibling)
  • 0f723826 — v1.7 Pro, Jan 2017, unencrypted IAT, SETTINGS RCData blob. Full static report available.
  • d9950b15 — sibling with identical string profile
  • 6114904c — sibling with identical string profile
  • c6193af6 — v1.7 Pro, Jan 2017, 593-byte SETTINGS RCData (largest observed in corpus), identical build/imports to 0f723826.

Related