This blog post was authored by Erika Noerenberg


Over the past months, Malwarebytes researchers have been tracking a unique malspam campaign delivering the Remcos remote access trojan (RAT) via financially-themed emails. Remcos is often delivered via malicious documents or archive files containing scripts or executables. Like other RATs, Remcos gives the threat actor full control over the infected system and allows them to capture keystrokes, screenshots, credentials, and other sensitive system information. Unlike most RATs used by malicious actors, however, Remcos is marketed as an administrative tool by the company Breaking Security, which sells it openly on its website.


Remcos often infects a system by embedding a specially-crafted settings file into an Office document, allowing an attacker to trick a user into running malicious code without any further prompt. The variant described here has instead been observed being distributed via targeted spam emails carrying an attached archive file. The emails and attachment names have been primarily financially-themed; an example email is shown below:

Sample Email Delivering VBS Remcos

For illustration, the following table lists a sample of email subjects and attachment names from 2021 by date:

Date | Subject | Attachment Name | Contents
21 Jan | Separate Remittance Advice: paper document no – 9604163 | Payment Advice.img | Payment Advice.vbs
26 Apr | Appraisal Report for your Loan Application-11003354677341 | Appraisal.reportl1100335467734.zip | Appraisal.vbs
18 May | Fwd: Appraisal Report for your Loan Application-1100788392210 | Appraisalreportl1100788392210.zip | Appraisal..vbs
28 Jun | Fwd: Reminder: Your July Appointment-11002214991 | transaction_completed11003456773311..zip | Report-Slip.vbs
6 Jul | Fwd: Reminder: Your July Appointment-11003456773312 | transaction_completed11003456773312.zip | Report-11003456773312.vbs

In most Remcos spam campaigns the payload is an executable contained in an attached archive (.zip) or disk image (.img) file, though malicious documents are sometimes used as well. In this campaign, however, the attachment is an archive (a .zip, or an .img disk image in the January sample) containing a Visual Basic script (.vbs) that downloads and executes further scripts and finally installs the Remcos payload.

*Earlier versions also included a “Property.hta” file that consisted only of the VB script wrapped in HTML, as seen below. Interestingly, the visible body of this HTML was just the text “demo”, which suggests this may have been test code.



Remcos is a fully-functioning RAT that gives the threat actor full control over the infected system and allows them to collect keystrokes, audio, video, screenshots, and system information. Because it has full control, Remcos is also able to download and execute additional software on the system. This Remcos distribution uses a series of scripts that ultimately result in the injection of a Remcos payload into the Windows system binary aspnet_compiler.exe. A sample infection chain for this variant is shown below:

VBS Remcos Infection Chain

The samples analyzed below originate from the attachment with SHA256 4e712de8a3d602ccf55321a85701114c01f9731af356da05fb6e3881a13bb23e. As with all analyzed samples, the infection chain followed the process flow above: the initial Visual Basic script starts a series of downloads and executions of obfuscated scripts that eventually result in the injection of the final Remcos payload into aspnet_compiler.exe.

Remcos Initial VBS Script

Although the script above is lengthy because of its obfuscation, it ultimately amounts to the following simple PowerShell command, which downloads and executes a second Visual Basic script:

Deobfuscated Initial Script

The first downloaded script (ALL.TXT) is only lightly obfuscated and performs a few simple tasks. The $JUANADEARCO variable in this script holds Base64-encoded data that the last line of the script decodes (the decoded data is shown in the highlighted box in the image below). This script performs the following actions:

  • Creates the directory C:\Users\Public\Run
  • Downloads Run_02_02_02.TXT (saved as C:\Users\Public\Run\Run.vbs)
  • Downloads Lerveri.txt (saved as Users\Public\Run\—–Run+++++++++.ps1)
  • Sets HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup to “C:\Users\Public\Run”
  • Sets HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup to “C:\Users\Public\Run”

The shell folder registry entries are legacy keys that Windows still honours for backwards compatibility. Pointing the “Startup” value of both keys at the malware's working directory makes Windows treat that directory as the user's Startup folder, so everything placed in it is launched at each logon, which gives the malware persistence without touching the usual Run keys or the real Startup folder. Note that C:\Users\Public is writable by every local user, so the chosen location needs no elevated privileges.
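The following PowerShell script, added here as an example and not taken from the post or from the malware, audits exactly the two values the ALL.txt stage rewrites and hashes whatever would run from a redirected folder. It assumes a Windows host with PowerShell 5.1 or later; run it as the user being checked, or elevated to cover every profile hive loaded under HKEY_USERS.

```powershell
# Added example (not code from the original post): audit the per-user Startup
# shell-folder values that the ALL.txt stage rewrites, and hash whatever would
# run at logon from a redirected folder. Assumes Windows and PowerShell 5.1+.

# Every profile's real Startup folder ends with this path.
$StartupSuffix = '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
$ShellFolderKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
)

function Get-StartupRedirection {
    # $HiveRoot is a provider path such as 'HKCU:' or 'Registry::HKEY_USERS\S-1-5-21-...'
    param([Parameter(Mandatory)][string]$HiveRoot)
    foreach ($sub in $ShellFolderKeys) {
        $key = "$HiveRoot\$sub"
        # Get-ItemProperty expands REG_EXPAND_SZ data, so %USERPROFILE% is already resolved.
        $startup = (Get-ItemProperty -Path $key -Name Startup -ErrorAction SilentlyContinue).Startup
        if (-not $startup) { continue }   # value missing, or hive not readable at this privilege
        [pscustomobject]@{
            Hive       = $HiveRoot
            Key        = $sub
            Startup    = $startup
            # Anything other than the default per-profile Startup folder is a redirection.
            Redirected = ($startup.TrimEnd('\') -notlike "*$StartupSuffix")
        }
    }
}

# Prefer the loaded profile hives under HKEY_USERS (all users when elevated);
# fall back to HKCU when none of them is readable.
$hives = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" }
$findings = @($hives | ForEach-Object { Get-StartupRedirection -HiveRoot $_ })
if (-not $findings) { $findings = @(Get-StartupRedirection -HiveRoot 'HKCU:') }

$findings | Format-Table -AutoSize

foreach ($f in $findings | Where-Object Redirected) {
    Write-Warning "Startup redirected to '$($f.Startup)' via $($f.Key) in $($f.Hive)"
    # Everything in the redirected folder is launched at logon; hash it for triage.
    # C:\Users\Public (used by this campaign) is writable by every local user.
    Get-ChildItem -LiteralPath $f.Startup -Force -File -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime,
            @{ Name = 'SHA256'; Expression = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } }
}
```

On a host hit by this campaign both rows come back with Startup set to C:\Users\Public\Run and Redirected set to True, followed by the hashes of the dropped Run.vbs and .ps1 files. The machine-wide equivalent (the “Common Startup” value under the same keys in HKLM) is not touched by this campaign, but the function can be pointed at 'HKLM:' and that value name to cover it.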

ALL.txt – Second Script After Base64 Decoding

Run.vbs is obfuscated in a similar fashion to the initial Visual Basic script:

Run_02_02_02.txt (saved as C:\Users\Public\Run\Run.vbs)

This script (deobfuscated below) does nothing but execute the main PowerShell script, which carries the embedded binaries as plaintext hex strings.

Run.vbs Deobfuscated

One of the binaries encoded in —–Run+++++++++.ps1 is the Remcos payload, which is injected into the legitimate Windows binary aspnet_compiler.exe. The following function in the PowerShell script loads the Remcos PE into that process:

Load function: Remcos Payload

Although all of the analyzed Remcos samples from this campaign since January 2021 call back to the same IP address and port, no actual C2 traffic has been observed. All of the script downloads have pointed to addresses on the legitimate website, and the payloads have connected to the IP address 185.19.85[.]168 on port 8888, though only a TCP handshake was observed.
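As an added example that is not part of the original post, the following PowerShell code turns the chain described above into host-level hunting logic over Sysmon-style events. It assumes Sysmon is installed with process-creation (Event ID 1) and network-connection (Event ID 3) logging, and it assumes the injection stage starts aspnet_compiler.exe as a child of the PowerShell process, which the post implies but does not show. The sample events are constructed so the rules can be exercised offline; the C2 address is the post's indicator written undefanged.

```powershell
# Added example (not from the original post): hunting rules for the
# VBS -> PowerShell -> aspnet_compiler.exe chain over Sysmon-style events.
# Sample events below are constructed; the Get-WinEvent branch assumes Sysmon.

# Known indicator from the post (defanged there as 185.19.85[.]168).
$RemcosC2Ip   = '185.19.85.168'
$RemcosC2Port = '8888'

function Test-RemcosVbsChain {
    # Takes flattened Sysmon events (EventId plus the EventData fields as
    # properties) and emits one finding object per matching rule.
    param([Parameter(Mandatory, ValueFromPipeline)][pscustomobject]$SysmonEvent)
    process {
        $image  = [string]$SysmonEvent.Image
        $parent = [string]$SysmonEvent.ParentImage
        switch ([int]$SysmonEvent.EventId) {
            1 {
                # Stages 1 and 3: wscript.exe running the mailed .vbs (or Run.vbs) launches PowerShell.
                if ($parent -match '\\[wc]script\.exe$' -and $image -match '\\powershell\.exe$') {
                    [pscustomobject]@{ Rule = 'script-host-spawns-powershell'; Detail = $SysmonEvent.CommandLine }
                }
                # Injection stage: PowerShell starts the .NET compiler it will hollow out.
                # (Assumption: the post shows the loader function, not the process tree.)
                if ($parent -match '\\powershell\.exe$' -and $image -match '\\aspnet_compiler\.exe$') {
                    [pscustomobject]@{ Rule = 'powershell-spawns-aspnet_compiler'; Detail = $image }
                }
            }
            3 {
                # aspnet_compiler.exe is a build tool; it has no reason to open outbound sockets.
                if ($image -match '\\aspnet_compiler\.exe$' -and "$($SysmonEvent.Initiated)" -eq 'true') {
                    $dest = "$($SysmonEvent.DestinationIp):$($SysmonEvent.DestinationPort)"
                    $rule = if ("$($SysmonEvent.DestinationIp)" -eq $RemcosC2Ip -and
                                "$($SysmonEvent.DestinationPort)" -eq $RemcosC2Port) {
                        'aspnet_compiler-to-known-remcos-c2'
                    } else {
                        'aspnet_compiler-outbound-connection'
                    }
                    [pscustomobject]@{ Rule = $rule; Detail = $dest }
                }
            }
        }
    }
}

function ConvertFrom-SysmonRecord {
    # Flattens a live Sysmon EventRecord into the shape Test-RemcosVbsChain expects.
    param([Parameter(Mandatory, ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    process {
        $xml   = [xml]$Record.ToXml()
        $props = [ordered]@{ EventId = $Record.Id; TimeCreated = $Record.TimeCreated }
        foreach ($d in $xml.Event.EventData.Data) { $props[$d.Name] = $d.'#text' }
        [pscustomobject]$props
    }
}

# Constructed sample events: the three chain stages plus one benign PowerShell launch.
$SampleEvents = @(
    [pscustomobject]@{ EventId = 1; ParentImage = 'C:\Windows\System32\wscript.exe'
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell -w hidden -c "(constructed download cradle)"' }
    [pscustomobject]@{ EventId = 1; ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       Image = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe'
                       CommandLine = 'aspnet_compiler.exe' }
    [pscustomobject]@{ EventId = 3; Image = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe'
                       Initiated = 'true'; DestinationIp = '185.19.85.168'; DestinationPort = '8888' }
    [pscustomobject]@{ EventId = 1; ParentImage = 'C:\Windows\explorer.exe'
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe' }
)

$SampleEvents | Test-RemcosVbsChain | Format-Table -AutoSize

# Live hunt over the last day of Sysmon telemetry (skipped if the log is absent).
if (Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' -ErrorAction SilentlyContinue) {
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1, 3
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue | ConvertFrom-SysmonRecord | Test-RemcosVbsChain
}
```

Run against the constructed events, the first three produce one finding each and the explorer-launched console produces none. The script-host-to-PowerShell rule is generic and fires on any VBS stager, so it is the one worth keeping as a standing alert; the aspnet_compiler.exe network rule is narrow enough to page on, and the hard-coded address only upgrades its severity, since the post notes the IP has not changed in months but it can at any time.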

Because this IP address has not changed over several months, we investigated the passive DNS records to see if the infrastructure may have been used in other recent attacks. We found that this IP address had the following resolutions over the last few months:

Address | First Seen | Last Seen
shugardaddy.ddns.net | 26 May 21 | <current as of writing>
ch-pool-1194.nvpn.to | 24 May 21 | 30 June 21
tippet.duckdns.org | 13 May 21 | 16 May 21
mail.swissauto.top | 29 May 20 | 11 May 21
randyphoenix.hopto.org | 4 April 21 | 14 April 21

Examination of this IP address revealed several services hosted on multiple ports. The mail.swissauto.top range above (highlighted in the original table) is interesting, as the hostname suggests a mail server, and Spamhaus ZEN lists this address as blocked for spam. Analysis also revealed that the #totalhash malware database contains malware associated with this address going back as far as 2013. Correlating additional malware associated with this address turned up several other Remcos samples connecting to the same IP (many on port 5946); a few recent samples are shown below:

SHA256 Hash | Date Last Seen
15cf9daf5bad1a5a78783f675eb63850e216a690e0f3302738ce3bd825ba6fc1 | 6 Jul 21
0ea2e136c0604fe2336a37c9d7b5a6150abd58e48311fa625ea375468189931e | 5 Jul 21
8d0dfc2239405eebc7a9d5483492a0225963fae4c110ecbd12f1f39ce1ef937a | 29 Jun 21
22634cbaf1a60ca499a9b692aae881cffdaf205a4755ee34915e5512ea87cab4 | 25 Jun 21
898020967dbec06a60b63269d54b15ad968e2f1146f10fdbf22e79e2339425d2 | 25 Jun 21
d7aede3e0703ce5ec7bb4c333d4ddb6551fb5032825e756b7132367625107a36 | 21 Jun 21

One identifying factor of this campaign is the use of a legitimate website to host the payloads. Although this is not unique among malware campaigns in general, it is unique among the Remcos campaigns we have analyzed: only the VBS distribution method has been observed to exhibit this behavior.

A Morphisec analysis from March of this year examined an HCrypt loader sample whose infection chain resembles that of the Remcos samples discussed above. Although the stages and scripts are not identical, the intermediary steps share a few similarities, such as the file names of the downloaded scripts ALL.txt and Server.txt and, in newer samples, Bypass.txt. The scripts also have a few function names in common, but the HCrypt samples include anti-analysis and anti-virus evasion functionality not seen in the Remcos samples. Further research is required to determine whether this set of scripts is a generically available package or is specific to a particular actor and being re-used across campaigns.

Although the actor or group behind this campaign is not known, the sporadic nature of the emails distributing this malware suggests that it could be targeted in nature. Remcos is a mature trojan that has evolved over many years; though the basic capabilities have remained the same, the methodologies of distribution and installation continue to change. Because it is software that can be purchased openly online, it is difficult to trace or attribute usage to a particular actor. However, given the consistency of network infrastructure and installation methodology, it is possible that the motivation or actors behind these attacks could be identified. Malwarebytes analysts continue to monitor and track this threat and will update detections and indicators as needed.


Malwarebytes protects users from Remcos by using real-time protection.



Analyzed Samples:

Type | Name / Subject | SHA256
Email Subject | Fwd: Appraisal Report for your Loan Application-1100788392210 | 673b315a95b8c816502ec0dc3cae79cf14e0d7c09139c2fc4b9202fb09b5b753
Extracted Sample | Appraisal..vbs | 1f8853601030ad92bd78fd3f0fbf39eacd2f39f47317914b67aa26dfd57fa176

Remcos VB Scripts:


Related Remcos Samples:


Other IOCs: