Remcos RAT HTA Downloader malware analysis + C&C threat intelligence research

In this new article we are going to analyze an HTA Remcos RAT dropper. The applicationname attribute of the page is "InternalCache", it creates an ActiveXObject for WScript.Shell and gets the environment as User.


We can see the variable "pyrotoxin" has different string concatenations. One of the strings contains a Base64 encoded pattern that is related to the C&C IP address 64.44.156[.]79 and we can also see that the word "centralities" splits the actual content of the strings.



Base64 encoded strings (related to the C&C IP address and downloading URL) are converted to Unicode format and inserted to the variable $teasels





Here we can see the item "ancestries" of the variable slapp (which is referred to the Environment of the User) is put as equals to the main variable pyrotoxin. We'll see later the importance of the item "ancestries" because it will be fundamental in a further dropping stage of this malware infection.



In the following screenshot we can have an evidence associated to the run of the payload:

By decoding the content of the main strings we can have the following programmatic path: The web client definition, the useragent setting.





The variable $throughflow is filled in with the downloaded content of the $teasels variable:


Here we can have evidences of different strings manipulations also with the use of IndexOf and LastIndexOf of strings based on specific variables and getting encoding formats :











In this case in the string's content the # symbols are replaced with upper 'A' and the content is converted to a char array:


Then, the array $siderophilin is reversed:


The join of the variable $siderophilin with $Juley variable is done without specifying any characters:


An array of bytes with the variable name $hobblingly is defined by converting from Base64 the content of $Juley, this is to load and execute the dropped threat in the CurrentDomain context, infact we can see also the Win32_Process and Win32_ProcessStartup references and the powershell.exe command with the ancestries references of the environment. In this execution context the following try-catch construct is used for possible exceptions.









We can see the entropy of the HTA file is quite low as coefficient (4.33027):



The HTA file is recognized as malicious by OSINT sources and labeled as Trojan:HTML/Remcos.RAT.BD!MTB




Here we can see further details about related malicious domains, the threat also gets information of the victims by abusing the licit GeoPlugin service with calls to geoplugin[.]net/json.gp.

Here we can see some details about the dropped executable artifacts:


The C&C IP address 64.44.156[.]79 belongs to 365 Group with the domain green[.]cloud and it has the following main ports and services opened: 80 (HTTP), 135 (DCERPC), 139 (NETBIOS), 445 (SMB), 3650 (RDP), 5985 (WINRM).





Here we can see the clear reference to the analyzed HTA malware on this C&C IP address:



The IP in question has a lot of vulnerabilities of Apache HTTP:






IOCs:

  • 47af1f0d9932840767920b3cb2befb3839bbc980e610c6a14327edf1b1682b2d
  • 9f5c02e8b30738c4a1d52429023588a07ca79d64
  • c0d94fca477cdc2dae48a0e450a608c3
  • 64.44.156[.]79
  • pavementmg[.]duckdns[.]org
  • 178.237.33[.]50
  • 192.236.217[.]94
YARA rules:

rule RemcosRAT_HTA_20260711 {

meta:

  description = "C&C IP address of a new HTA malware sample related to a RemcosRAT downloader"

  author = "malwareanalysis0"

  target_entity = "url"

condition:

  vt.net.ip.ip_as_int == 1076665423

}

rule RemcosRAT_HTA_pattern_20260711

{

    strings:

        $str = "pyrotoxin"

        $hex = { 70 79 72 6f 74 6f 78 69 6e }

    condition:

        any of them

}

Sources of OSINT screenshots: VirusTotal, AbuseIPDB, Threatbook, Shodan, Censys