Peeling Back the Layers of RemcosRat Malware
ID: be1337a3-b0fb-5649-8fdb-cf3681059270
STIX ID: report--be1337a3-b0fb-5649-8fdb-cf3681059270
Feed Name: McAfee Labs Blog
McAfee Labs documents a sophisticated multi-stage Remcos RAT campaign distributed by phishing: an obfuscated VBS inside a ZIP/RAR executes a PowerShell downloader that fetches an obfuscated script, which decodes and injects a .NET loader that decrypts a SykCrypter DLL and ultimately loads a Remcos native payload. The report describes evasion and anti-analysis techniques, persistence via shortcuts and registry Run keys, process injection, harvesting capabilities (browsers, email, wallets), a hardcoded C2 (172.96.14.18:2404), and includes IOCs (SHA256 hashes) to aid detection and response.
