Analysis of a RAT:
Remcos

Learn how automated filtering of irrelevant artifacts can turn complexity into clarity through an analysis of a Remcos RAT sample.

TRY VMRAY
Download the E-book

Below is an analysis of a Word document that used macros to download a RAT (Remote Access Trojan) known as Remcos.

A RAT is a type of malware that allows outsiders to monitor and control your computer or network. RATs, like most types of malware, often piggyback on legitimate-looking files like documents in an email or within a large software package.

This type of malware can be difficult to detect once installed as they generally don’t slow down a computer and the malware operator can often fly below the computer operator’s radar. Sometimes users can be infected by a RAT for years without noticing anything wrong.

IOC tab that shows the created mutex with the name “Remcos-WLC63H”
Figure 1: IOC tab that shows the created mutex with the name “Remcos-WLC63H”

Automated noise-filtering in action

Looking to the IOC tab in the VMRay analysis of the code sample, the user can see there were 130 artifacts in all, of which 12 were IOCs. One of the IOCs, highlighted in the screenshot below, was a mutex.

This file is helpful as some malware families tend to use recurring name patterns which helps to identify the family and detect an infected system. In the mutex file below the name is prefixed with “Remcos” which is a well-known RAT.

Another assist for identification of the code sample is in the IP section of the IOC tab, users can see the code sample downloads and executes Remcos using PowerShell.

The payload is hosted on grupo-omega[.]com[.]ar which is an artifact with a suspicious verdict.

Figure 2: IOC tab shows the connected IP to the corresponding domain grupo-omega[.]com[.]ar which hosts the payload.
Figure 2: IOC tab shows the connected IP to the corresponding domain grupo-omega[.]com[.]ar which hosts the payload.

In the File section of the IOC tab, users can see the three files that were IOCs labeled malicious. The section at the bottom of the screenshot on the right shows meta-information about the highlighted “PO.exe” file (downloaded in Figure 2 above):

IOC tab shows the downloaded payload file “PO.exe” with additional information including its hash values and the resource URL.
Figure 3: IOC tab shows the downloaded payload file “PO.exe” with additional information including its hash values and the resource URL.

And the screenshot on the right shows the related VTIs (malicious behavior) of the PO.exe file:

IOC tab that shows the related VTIs that triggers on the payload file “PO.exe”.
Figure 4: IOC tab that shows the related VTIs that triggers on the payload file “PO.exe”.

Turning complexity into clarity

As one can see from the analysis above, VMRay’s unique IOC filtering system allows users to not only identify code samples as malware but also identify the specific actions and files modified by the malware.

Armed with this information, security teams are well equipped to enact a swift and effective response.

IOCs vs Artifacts: Filtering out the noise

Table of Contents

Explore the insights on VMRay malware and phishing academy, where you can self-educate on the hottest topics on cybersecurity, as well as the most challenging malware and phishing threats

See VMRay in action.
Get a complete and noise-free picture of malware and phishing threats

Take the interactive tour
Watch demo videos
Check sample reports
REQUEST FREE TRIAL NOW

Further resources

PRODUCT

VMRay
TotalInsight

Build the most reliable and actionable Threat Intelligence:

Explore the product

SOLUTION

Threat Intelligence Extraction

Explore how you can benefit from VMRay’s capabilities for Threat Hunting

Explore the solution

PRODUCT

VMRay
DeepResponse

The most advanced malware and phishing sandbox

Explore the product

Welcome to the playground.

Explore what you can do with VMRay.

Click on the yellow dots to check the report formats, see the overview, explore the network connections of the sample, malicious behavior, and relevant files, map the threat on MITRE ATT&CK Framework, analyze and download IOCs and artifacts.

The analysis report tabs are available both for VMRayDeepResponse and VMRayTotalInsight. The bundle of VMRay FinalVerdict and VMRayDeepResponse also offers access to the analysis report tabs.

We’re sorry. 

The interactive tour is not available on mobile devices.

REQUEST FREE TRIAL

Unveiling the power:
See our experts showcasing VMRay’s capabilities.

REQUEST FREE TRIAL
Analysis of a malicious file

Join Fatih Akar from the VMRay team as he provides a detailed walkthrough of a malicious LNK file, a prevalent attack vector since Microsoft’s Office macros block.

Gain valuable insights into each tab of our comprehensive analysis report and get a sneak peek into what you’ll be exploring.

Play Video
Analysis of a malicious URL

Join Andrey Voitenko, an expert in advanced malware and phishing analysis from the VMRay team, as he demonstrates how to submit emails and URLs to the VMRay platform using built-in connectors.

Discover the capabilities of our new Automation Dashboard, enabling one-click automation with your existing EDR, SOAR, SIEM, and TIP tools. Monitor analysis data seamlessly from your VMRay dashboard and unlock new levels of efficiency in your security operations.

Play Video
Integrating with existing tools

Watch Michael Bourton showcasing the seamless integration of VMRay platform with your existing security stacks.

Discover how effortlessly you can leverage unparalleled detection and analysis capabilities by utilizing dedicated connectors or our Rest API.

Play Video

Experience VMRay in Action:
Explore Real-world Malware Analysis Reports

Get a firsthand look at the power and capabilities of the VMRay platform by delving into our sample malware and phishing analysis reports.

Immerse yourself in a range of report formats, providing comprehensive insights.

Dive into the overview, explore intricate network connections, analyze malicious behavior in detail, and map threats using the MITRE ATT&CK Framework. See the possibilities to download clear IOCs.

Uncover the capabilities that await you.

REQUEST FREE TRIAL
Sample analysis
of Emotet
Explore
Delivery service phishing scam
Explore
Explore 1m+ in-depth analysis reports
Explore
Social media platform impersonation
Explore
Sample analysis of Lokibot
Explore
Sample analysis of BumbleBee
Explore
Calculate how much malware false positives are costing your organization:
Malware False Positive Cost Calculator
Try It Now