By CagedTech in Trojans

Threat Scorecard

Ranking: 2,109
Threat Level: 80 % (High)
Infected Computers: 26,059
First Seen: October 16, 2016
Last Seen: September 20, 2023
OS(es) Affected: Windows

RemcosRAT is a Remote Access Trojan that is designed to work on the Windows OS platform. RemcosRAT is deployed to PC users via spam email, malvertising, and fake updates for Windows 7, 8 and 10. The threat is named after the primary executable used to facilitate its operations—remcos.exe. AV vendors may detect files related to RemcosRAT under the following tags:

  • Backdoor:Win32/Rescoms.A!bit
  • Generic.Malware.SL!B.78084EDB
  • HEUR/QVM07.1.0000.Malware.Gen
  • Trj/GdSda.A
  • Trojan.DownLoader22.28028
  • W32/Bloop.A.gen!Eldorado
  • Win32:RemcosRAT-A [Trj]
  • trojandownloader.win32.qqhelper.ka

RemcosRAT is a standard Remote Access Trojan that supports most features you would expect from a RAT. The threat at hand can track what programs are running on the system, index data stored on local drives, make modifications to installed software and issue commands to the Windows kernel. Initial threat assessment revealed that RemcosRAT connects to a remote host via HTPP channel and waits for commands. Attackers could use RemcosRAT to lower your cyber defenses and install apps remotely. RemcosRAT might store its files in the Temp directory where Windows saves temporary Internet files used while you surf the Web. We have reports that RemcosRAT can connect to the IP address and access data on the site. This portal is flagged by AV vendors and Web filters as unsafe already. Computer users that notice missing programs from their OS and unusual data transmissions might wish to scan their machine with a reliable anti-malware application.

SpyHunter Detects & Remove RemcosRAT

File System Details

RemcosRAT may create the following file(s):
# File Name MD5 Detections
1. 7g1cq51137eqs.exe aeca465c269f3bd7b5f67bc9da8489cb 83
2. 321.exe d435cebd8266fa44111ece457a1bfba1 45
3. windslfj.exe 968650761a5d13c26197dbf26c56552a 5
4. file.exe 83dd9dacb72eaa793e982882809eb9d5 5
5. Legit Program.exe cd2c23deea7f1eb6b19a42fd3affb0ee 3
6. unseen.exe d8cff8ec41992f25ef3127e32e379e3b 2
7. file.exe 601ceb7114eefefd1579fae7b0236e66 1
8. file.exe c9923150d5c18e4932ed449c576f7942 1
9. file.exe 20dc88560b9e77f61c8a88f8bcf6571f 1
10. file.exe c41f7add0295861e60501373d87d586d 1
11. file.exe 8671446732d37b3ad4c120ca2b39cfca 0
12. File.exe 35b954d9a5435f369c59cd9d2515c931 0
13. file.exe 3e25268ff17b48da993b74549de379f4 0
14. file.exe b79dcc45b3d160bce8a462abb44e9490 0
15. file.exe 390ebb54156149b66b77316a8462e57d 0
16. e12cd6fe497b42212fa8c9c19bf51088 e12cd6fe497b42212fa8c9c19bf51088 0
17. file.exe 1d785c1c5d2a06d0e519d40db5b2390a 0
18. file.exe f48496b58f99bb6ec9bc35e5e8dc63b8 0
19. file.exe 5f50bcd2cad547c4e766bdd7992bc12a 0
20. file.exe 1645b2f23ece660689172547bd2fde53 0
21. 50a62912a3a282b1b11f78f23d0e5906 50a62912a3a282b1b11f78f23d0e5906 0

Registry Details

RemcosRAT may create the following registry entry or registry entries:
Regexp file mask
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\filename.exe
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\firewall.vbe
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Holmdel8.vbe
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Legit Program.exe
%TEMP%\Name of the melted file.exe


RemcosRAT may create the following directory or directories:

%ALLUSERSPROFILE%\task manager
%PROGRAMFILES(x86)%\Microsft Word
%WINDIR%\SysWOW64\Adobe Inc


Most Viewed