Analysis and threat research - Remcos RAT delivered with malicious RTF document

Important elements of the analysis:

  • Malicious RTF document that delivers Remcos RAT
  • Deliberately corrupted with section padding to evade malware detection
  • Malicious VBE script
  • C&C IP addresses exposing SSH, SMB and RDP
  • PowerShell loading of an AppDomain object under CurrentDomain
  • Files dropped under AppData\Local\Temp
  • .NET CLR user agent for C&C HTTP GET requests
  • C&C VPS host

In this article we walk through a technical inspection and threat research of a Remcos RAT malware sample delivered through a malicious RTF document.


The main section of the RTF is section 4, which contains the root of the document and is associated with the "d0cf1le" header:

 




Here are the document objects that have been added to corrupt the RTF file; they are present before the d0cf1le header:




Those objects are heuristically flagged as malicious by some OSINT sources because of the deliberate corruption and the padding data added to the RTF document, which is used for CVE-2017-11882 exploitation, in order to avoid detection by antimalware and EDR / XDR products:




The entropy of the RTF document is 3.1; here are also details about the packed bytes and the repetition coefficient:




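As an added example that is not part of the original analysis (the sample RTF below is constructed, and the function names are my own), a Python triage script that decodes the \objdata hex of an RTF, checks the decoded object for the OLE compound-file magic D0 CF 11 E0 (the "DOCFILE" header the analysis refers to), counts the groups padded in before the embedded object, and computes the Shannon entropy quoted above:

```python
import math
import re

# Constructed sample (not the real document): two filler groups precede an
# embedded object whose hex payload starts with a fake OLE header.
SAMPLE_RTF = (
    rb"{\rtf1\ansi"
    rb"{\*\pad1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}"
    rb"{\*\pad2 0000000000000000000000000000000000000000000000000000000000}"
    rb"{\object\objemb{\*\objdata "
    rb"d0cf11e0a1b11ae1" + b"00" * 24 + b"4142434445464748"
    rb"}}}"
)

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # compound file "DOCFILE" magic
OBJDATA_HEX = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: padding and repeated filler keep this low."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(
        data.count(bytes([b])) / n * math.log2(data.count(bytes([b])) / n)
        for b in set(data)
    )


def extract_objdata(rtf: bytes) -> list:
    """Decode every \\objdata hex run into the raw embedded object bytes."""
    blobs = []
    for match in OBJDATA_HEX.finditer(rtf):
        hexstr = re.sub(rb"\s", b"", match.group(1))
        if len(hexstr) % 2:          # tolerate a dangling nibble
            hexstr = hexstr[:-1]
        blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs


def triage(rtf: bytes) -> dict:
    """Summarise what a reviewer wants: entropy, OLE objects, filler groups."""
    blobs = extract_objdata(rtf)
    obj_pos = rtf.find(b"{\\object")
    # Groups opened between the root group and the first embedded object.
    filler = rtf[:obj_pos].count(b"{") - 1 if obj_pos > 0 else 0
    return {
        "entropy": round(shannon_entropy(rtf), 2),
        "ole_objects": sum(b.startswith(OLE_MAGIC) for b in blobs),
        "object_bytes": sum(len(b) for b in blobs),
        "groups_before_object": filler,
    }
```

Run triage() on a real RTF read in binary mode; a low entropy together with several groups before the object and a D0CF11E0 payload matches the padding pattern described in this analysis.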


Here are the details of the other sections of the document:

The following section contains a numerical value that can be converted into a Unix timestamp:








By analyzing a detonation of the artifact we can see the EQNEDT32.EXE exploitation and the execution of the VBE script truebusinessgivenbestthings.vbe, downloaded from the C&C IP address 188.127.231[.]170. After that, a PowerShell session is started with the ExecutionPolicy Bypass option; it Base64-decodes the package stored under the registry key HKCU:\Software\VGLluXSQthjHvYL and loads it into the CurrentDomain through an AppDomain object.


The following folders under AppData\Local\Temp are created by the .NET Framework process AddInProcess32.exe:


Here are further details about the padding and deliberate corruption of the RTF document used to bypass malware detection:










The C&C HTTP GET requests are performed with a .NET CLR user agent:


At the time of the analysis the IP address in question is offline:


The C&C IP Address 188.127.231[.]170 has been registered in Russia by LLC Smart Ape:


It is recognized as malicious by OSINT sources and associated with SSH brute-force events:



It has port 22 (SSH protocol) open:



Here is the OSINT relation to the sample analyzed:


The IP address is associated with a VPS host:


Here is evidence from the extracted configuration of the Remcos RAT, which contains, for example, the keylogger and UAC bypass settings, browser cleaning on startup, and details of the logs.dat file (used by the keylogging routine):


We can see a reference to the C&C IP address 216.9.225[.]163, contacted on port 24040. The IP in question has been registered in Turkey by DC HOST Inc.


Here is a recent OSINT detection:


The IP address has port 3389 (RDP protocol) open; the details are the following:


The RDP TLS certificate is valid from 1st February 2025 until 3rd August 2025.


With another OSINT research we can also see open ports 135 (DCE-RPC), 139 (NetBIOS) and 445 (SMB):



Here are further details about the open RDP port and its certificate thumbprint:





IOCs:

  • MD5: 6a8ca8f615f0a5a3188e306c64eda3a9
  • SHA-1: e1e95fdd11a8e7b91cb501cfa8a9d162d2089562
  • SHA-256: cf374f8a76a3ffffdb3e6a853e06402172241e65ab5ad683705cd6add0d10336
  • TLS Fingerprint: de675aae84979d8b40c7acc8d569ea41cc8d93f267403600412eb4e534658f89
  • 188.127.231[.]170
  • 216.9.225[.]163
  • hcwyrdprg
  • truebusinessgivenbestthings.vbe

YARA Rules:

rule RemcosRATRTF11042025
{
    strings:
        $str = "hcwyrdprg"
        $hex = { 68 63 77 79 72 64 70 72 67 }

    condition:
        $str or $hex
}

// VirusTotal Livehunt rule: the "vt" module must be imported for vt.net.url.raw.
import "vt"

rule RemcosRATRTF11042025CnC
{
    meta:
        description = "Detects Remcos RAT RTF downloader sample of 11th April 2025 with C&C information"

    condition:
        // Match the C&C addresses in their real dotted form; the defanged
        // "[.]" notation used in the IOC list never appears in live URLs.
        vt.net.url.raw icontains "188.127.231.170" or
        vt.net.url.raw icontains "216.9.225.163"
}