Remcos Is Pairing with PrivateLoader to Extend Its Capabilities

Overview

This week, the SonicWall Capture Labs threat research team investigated a sample of the Remcos RAT that uses a PrivateLoader module to add data collection and persistence on the victim's machine. By installing VBScript files, altering the registry and setting up services that restart the malware at variable intervals or on command from the operator, this malware is able to establish itself fully on a system and remain undetected.

Infection Cycle

The sample is detected as a 32-bit PE file with no packer or protector.

Figure 1: Initial detection

Inspecting the file's sections and imports with different tools gives different reports. Detect It Easy shows import names that have been cleared (obscuring what the calls do) and a TLS (Thread Local Storage) directory, which means code can run in a TLS callback before execution reaches the entry point. PEStudio, however, lists all of the imports but reports no TLS directory.

Figure 2: Every call from ws2_32.dll has been obfuscated

Figure 3: A separate tool shows all hidden calls

Once functions are properly labeled, the file is shown to have the following capabilities:

  • Anti-analysis/ Anti-VM
    • GetSystemTimeAsFileTime
    • GetTickCount
    • IsDebuggerPresent
    • IsProcessorFeaturePresent
    • QueryPerformanceCounter
    • QueryPerformanceFrequency
  • System Enumeration
    • CreateToolhelp32Snapshot
    • EnumDisplaySettingsW
    • EnumServicesStatusW
    • EnumSystemLocalesW
    • EnumWindows
    • FindFirstFileA/Ex/W
    • FindNextFileA/Ex/W
    • GetClipboardData
    • GetCurrentProcessId
    • GetCurrentThreadId
    • GetEnvironmentStrings
    • GetLogicalDriveStringsA
    • GetLocalTime
    • GetLocaleInfoA/W
    • GetNativeSystemInfo
    • GetStartupInfo
    • GetTimeZoneInformation
    • GetUserDefaultLCID
    • GetWindowThreadProcessId
    • IsValidLocale
    • OpenClipboard
    • RegEnumKeyA/W
    • RegEnumValueA/W
    • SystemParametersInfoW
  • Monitoring
    • GetCursorPos
    • GetForegroundWindow
    • GetKeyState
    • GetKeyboardLayout
    • GetKeyboardState
    • mouse_event
    • ReadProcessMemory
    • SetWindowsHookExA
    • waveInAddBuffer
    • waveInStart
  • Process Injection
    • GetProcessId
    • GetModuleHandleA/Ex/W
    • CreateProcessA/W
    • Process32FirstW
    • Process32NextW
    • VirtualAlloc
    • VirtualFree
    • VirtualProtect
    • WriteProcessMemory
  • Persistence
    • AdjustTokenPrivileges
    • ControlService
    • GetTempFileNameW
    • LookupPrivilegeValueA
    • OpenProcess
    • OpenProcessToken
    • RegCreateKeyA/Ex/W
    • RegDeleteKeyA/Ex/W
    • RegDeleteValueA/Ex/W
    • RegSetValueA/Ex/W
    • ShellExecuteExA/W
    • WriteFile
  • Communication
    • InternetOpenUrlW
    • InternetReadFile
    • URLDownloadToFileW
    • URLOpenBlockingStreamW
    • inet_addr
    • gethostbyaddr
    • Gethostbyvalue
    • getservbyvalue
    • connect
    • send
    • socket
    • recv

At runtime, if the initial security checks (performed through routines in ntdll.dll) are not passed, execution never reaches the main body of the executable and the process exits. In that case no files are dropped and nothing is injected into memory.

Figure 4: Beginning of the security check function

Once the checks, which consist of VM detection plus locale, time zone and analysis-tool enumeration, have been passed, two files are dropped:

  • C:\Users\user\AppData\Local\Temp\install.vbs
  • C:\Users\user\AppData\Roaming\data\notepads.exe

Notepads.exe is a copy of the parent executable, placed for persistence. The script contains the following four lines and deletes itself once executed; there is no check on whether the copy succeeded, so if the script runs before 'notepads.exe' has been dropped it will simply delete itself.

Figure 5: Install.vbs contents

The user's access rights are then checked. Where possible, Windows User Account Control (UAC) is disabled with the following command so that later actions run with elevated privileges:

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
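The registry write above, the script-host launch of install.vbs from the Temp directory and the start of the persistence copy under AppData\Roaming\data are all visible in process-creation telemetry. The following is an added example (not SonicWall's code) that flags those three behaviours over a constructed set of Sysmon Event ID 1 style records; the field names ParentImage, Image and CommandLine are an assumption and should be mapped onto your own sensor's schema.

```python
"""Flag the host actions described above in process-creation telemetry.

Added example (not SonicWall's code). SAMPLE_RECORDS below is constructed to
look like Sysmon Event ID 1 style data, one dict per process start with the
parent image, the image and the command line; those field names are an
assumption, so map them onto whatever schema your sensor emits.
"""
import re

# reg.exe writing EnableLUA=0 under the Policies\System key (the UAC disable
# command shown above, with or without the %windir% prefix).
UAC_DISABLE = re.compile(
    r"reg(?:\.exe)?\s+add\s+.*policies\\system.*/v\s+enablelua\b.*/d\s+0\b",
    re.IGNORECASE,
)
# A script host launching a .vbs file from the user's Temp directory.
TEMP_VBS = re.compile(r"\\appdata\\local\\temp\\[^\s\"]+\.vbs\b", re.IGNORECASE)
# The persistence copy observed at %APPDATA%\data\notepads.exe.
ROAMING_COPY = re.compile(r"\\appdata\\roaming\\data\\notepads\.exe\b", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def classify(record):
    """Return the finding tags that apply to one process-creation record."""
    findings = []
    image = record.get("Image", "")
    cmd = record.get("CommandLine", "")
    if UAC_DISABLE.search(cmd):
        findings.append("uac_disabled_via_reg")
    if image.lower().endswith(SCRIPT_HOSTS) and TEMP_VBS.search(cmd):
        findings.append("script_host_ran_temp_vbs")
    if ROAMING_COPY.search(image) or ROAMING_COPY.search(cmd):
        findings.append("roaming_data_notepads_exe")
    return findings


def triage(records):
    """Map record index -> findings for every record that has any."""
    hits = {}
    for i, rec in enumerate(records):
        found = classify(rec)
        if found:
            hits[i] = found
    return hits


# Constructed sample telemetry: three records mirroring the analysis and one
# benign registry write (a DWORD set to 0 outside Policies\System) that must not fire.
SAMPLE_RECORDS = [
    {"ParentImage": r"C:\Users\user\Downloads\sample.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"ParentImage": r"C:\Users\user\Downloads\sample.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs"'},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Users\user\AppData\Roaming\data\notepads.exe",
     "CommandLine": r'"C:\Users\user\AppData\Roaming\data\notepads.exe"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe ADD HKCU\Software\Contoso\App /v FirstRun /t REG_DWORD /d 0 /f"},
]

if __name__ == "__main__":
    for idx, tags in triage(SAMPLE_RECORDS).items():
        print(idx, SAMPLE_RECORDS[idx]["Image"], tags)
```

The UAC pattern keys on the Policies\System key together with EnableLUA and a zero data value rather than on reg.exe alone, so ordinary registry writes do not fire; the script-host rule requires both the host image and a Temp-directory .vbs argument, which is what separates the dropper from legitimate logon scripts.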

Figure 6: UAC is disabled

At this point the system is fully enumerated and hooks are installed to capture keystrokes, mouse actions, audio and screen grabs. Browsers are targeted by searching the following locations for login and cookie data, and the clipboard contents are also collected:

  • \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • \AppData\Local\Google\Chrome\User Data\Default\Cookies
  • \AppData\Roaming\Mozilla\Firefox\Profiles\
  • \Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • \AppData\Local\Microsoft\Edge\
  • \Opera Software\Opera Stable\
  • \User Data\Default\Network\Cookies

This information is stored in ‘logins.json’ and ‘key3.db’, also seen in the screenshot below.

Figure 7: Browser paths and storage files

Once this is complete, 'notepads.exe' opens a socket and reaches out to two hosts. The first is a GET request to geoplugin(dot)net/json.gp, which returns geographic information for the victim's IP address. The second is nuevosremcs.duckdns.org. Once that connection is made, a configuration file is created and sent to the server. This is the configuration observed at runtime:

{
  "Host:Port:Password": "nuevosremcs.duckdns.org:9090:1",
  "Assigned name": "Nuevos",
  "Connect interval": "1",
  "Install flag": "Enable",
  "Setup HKCU\Run": "Enable",
  "Setup HKLM\Run": "Enable",
  "Install path": "AppData",
  "Copy file": "notepads.exe",
  "Startup value": "system32",
  "Hide file": "Disable",
  "Mutex": "Rmc-WRNU47",
  "Keylog flag": "1",
  "Keylog path": "Application path",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "10",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5"
}
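A recovered configuration like the one above tells a defender exactly what to look for on a host: the Run keys that will carry persistence, the copied file name, the mutex and the keylog file. The following is an added example (not SonicWall's code and not the RAT's own configuration handling) that parses the listing as it appears in the write-up, typographic quotes and unescaped backslashes included, and derives an artifact checklist from it. The mapping from configuration keys to artifacts, in particular treating "Install path": "AppData" as the roaming profile and "Startup value" as the name of the Run value, is an assumption based only on the key names and values shown.

```python
"""Turn a recovered Remcos configuration into a host-artifact checklist.

Added example (not SonicWall's code, and not the RAT's own config handling).
CONFIG_TEXT is the key/value listing from the write-up, embedded here as a
constructed string with the typographic quotes the page uses. The mapping
from config keys to on-host artifacts is an assumption drawn only from the
key names and values in that listing.
"""
import re

CONFIG_TEXT = r"""
{
“Host:Port:Password”: “nuevosremcs.duckdns.org:9090:1”,
“Assigned name”: “Nuevos”,
“Connect interval”: “1”,
“Install flag”: “Enable”,
“Setup HKCU\Run”: “Enable”,
“Setup HKLM\Run”: “Enable”,
“Install path”: “AppData”,
“Copy file”: “notepads.exe”,
“Startup value”: “system32”,
“Hide file”: “Disable”,
“Mutex”: “Rmc-WRNU47”,
“Keylog flag”: “1”,
“Keylog path”: “Application path”,
“Keylog file”: “logs.dat”,
“Keylog crypt”: “Disable”,
“Hide keylog file”: “Disable”,
“Screenshot flag”: “Disable”,
“Screenshot time”: “10”,
“Take Screenshot option”: “Disable”,
“Take screenshot title”: “”,
“Take screenshot time”: “5”,
“Screenshot path”: “AppData”,
“Screenshot file”: “Screenshots”,
“Screenshot crypt”: “Disable”,
“Mouse option”: “Disable”,
“Delete file”: “Disable”,
“Audio record time”: “5”
}
"""

# Assumed mapping of the two "Setup ... Run" switches to registry keys.
RUN_KEYS = {
    "Setup HKCU\\Run": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    "Setup HKLM\\Run": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
}


def parse_config(text):
    """Parse the listing into a dict. It is not valid JSON (curly quotes,
    unescaped backslashes), so normalise the quotes and scan key/value pairs."""
    ascii_quotes = text.translate(str.maketrans({"\u201c": '"', "\u201d": '"'}))
    return dict(re.findall(r'"([^"]*)"\s*:\s*"([^"]*)"', ascii_quotes))


def c2_endpoint(cfg):
    """Split the combined Host:Port:Password field into its three parts."""
    host, port, password = cfg["Host:Port:Password"].rsplit(":", 2)
    return host, int(port), password


def expected_artifacts(cfg):
    """Derive the host artifacts a defender should look for (assumed mapping)."""
    def enabled(key):
        return cfg.get(key, "").lower() in ("enable", "1")

    # Assumption: "AppData" in this field denotes the roaming profile directory.
    install_dir = r"%APPDATA%" if cfg["Install path"] == "AppData" else cfg["Install path"]
    return {
        "c2": c2_endpoint(cfg),
        "mutex": cfg["Mutex"],
        "dropped_copy": cfg["Copy file"] if enabled("Install flag") else None,
        "install_dir": install_dir,
        "run_keys": [path for key, path in RUN_KEYS.items() if enabled(key)],
        "run_value_name": cfg["Startup value"],  # assumption: name of the Run value
        "keylog_file": cfg["Keylog file"] if enabled("Keylog flag") else None,
        "screenshots_enabled": enabled("Screenshot flag"),
        "connect_interval_s": int(cfg["Connect interval"]),
    }


if __name__ == "__main__":
    for name, value in expected_artifacts(parse_config(CONFIG_TEXT)).items():
        print(f"{name}: {value}")
```

The checklist this produces lines up with the IOC section: the mutex name appears under BaseNamedObjects, the copied file is the notepads.exe hash listed below, and both Run hives are flagged because the configuration enables HKCU and HKLM persistence.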

At this point the C2 has assumed control and can remotely stop or start the implant, enable further monitoring, or download files that add other functionality.

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this malware, the following signatures have been released:

  • PrivateLoader

IOCs

Parent sample / Notepads.exe: 27bb3968cc18fb0df5b14e6d1b805552

Install.vbs: a7fe45cc57afb3dba91ab77483fffa0a

Mutex Created

  • \Sessions\1\BaseNamedObjects\Rmc-WRNU47

IP Addresses

  • 246.82.10
  • 237.33.50

URLs

  • http://geoplugin.net/json.gp
  • duckdns.org

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.