Incident Response Guide: Remcos RAT
Incident Triage Steps
Within the first 30 minutes of a suspected Remcos RAT incident, your priority is to determine the scope, identify compromised systems, and assess potential data exfiltration. Begin by reviewing alerts from your EDR solution or SIEM platform for key Remcos behavioral indicators. Look for process creation events related to svchost.exe spawning unusual child processes, or instances of rundll32.exe executing suspicious DLLs, as Remcos often uses these for execution. Check for network connections to known Remcos command-and-control (C2) IP addresses or domains on ports 80, 443, or a custom high port (e.g., 8080, 8443). A sudden spike in outbound traffic to a single external IP may indicate C2 communication or data exfiltration.
Immediately query your endpoint logs for the creation of specific Remcos persistence mechanisms. Search for new scheduled tasks named with random strings or common system-sounding names, new services installed with random or disguised names, and Run or RunOnce registry keys under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run pointing to suspicious executables. Examine systems where users have reported unusual behavior, such as mouse movement without input, unexpected pop-ups, or disabled security software, as these are common user-level indicators of Remcos activity.
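The following is an added example, not code from the guide: it runs the process-tree and Run-key checks described above over constructed sample telemetry (the event layout, user "bob", and file names are assumptions), treating "suspicious" as a system-binary name living outside C:\Windows, svchost.exe spawning a shell, or rundll32.exe loading a DLL from a user path.

```python
# Added example (not the guide's code): process-tree and Run-key triage over constructed sample telemetry.
import ntpath, shlex

SYSTEM_NAMES = {"svchost.exe", "rundll32.exe", "explorer.exe", "lsass.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

def outside_windows(path):
    return not path.lower().startswith("c:\\windows\\")

def masquerading(path):
    """A Windows system binary name running from outside C:\\Windows."""
    return ntpath.basename(path).lower() in SYSTEM_NAMES and outside_windows(path)

def triage_processes(events):
    """Flags system binary names in user paths, svchost.exe spawning a shell,
    and rundll32.exe loading a DLL from outside C:\\Windows."""
    hits = []
    for e in events:
        parent = ntpath.basename(e["parent"]).lower()
        image = ntpath.basename(e["image"]).lower()
        if masquerading(e["image"]):
            hits.append(("masquerade", e["image"]))
        if parent == "svchost.exe" and image in SHELLS:
            hits.append(("svchost-child", e["cmdline"]))
        if image == "rundll32.exe" and " " in e["cmdline"]:
            dll = e["cmdline"].split(None, 1)[1].split(",")[0].strip('"')
            if outside_windows(dll):
                hits.append(("rundll32-dll", dll))
    return hits

def triage_run_values(values):
    """Run values in a Temp folder or masquerading as a system binary (AppData alone is too noisy: OneDrive lives there)."""
    hits = []
    for name, cmd in values.items():
        exe = shlex.split(cmd, posix=False)[0].strip('"')
        if "\\temp\\" in exe.lower() or masquerading(exe):
            hits.append((name, exe))
    return hits

PROCESS_EVENTS = [  # constructed, Sysmon-style: parent image, image, command line
    {"parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ipconfig /all"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\rundll32.exe", "cmdline": r"rundll32.exe C:\Users\bob\AppData\Roaming\upd.dll,Start"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\rundll32.exe", "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]
RUN_VALUES = {  # constructed HKCU\Software\Microsoft\Windows\CurrentVersion\Run values
    "OneDrive": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "Windows Update": r"C:\Users\bob\AppData\Roaming\svchost.exe",
}
```

Feed it real Sysmon event 1 records and a Run-key export to get a first cut of hosts to pull memory from; the masquerading check is deliberately narrower than "anything under AppData" to keep legitimate per-user software out of the hit list.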
To determine if data exfiltration occurred, analyze proxy logs, firewall egress traffic logs, and any network monitoring tools for large, sustained outbound transfers to the identified C2 IPs, especially outside business hours. Remcos can exfiltrate via HTTP POST requests or custom TCP packets. Check for the presence of archived files (ZIP, RAR) in temporary directories that may have been staged for exfiltration. Identify the initial compromised host by correlating the first alert timeline with user logon events, phishing email receipts, or suspicious download logs.
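An added example, not from the guide, of the egress review just described: it aggregates constructed firewall flow records per external destination and flags the "large, sustained, mostly outside business hours" pattern. The record fields, the RFC 1918 definition of "internal", the 08:00 to 18:00 business window, and the thresholds are all assumptions to tune for your environment.

```python
# Added example (not the guide's code): scores egress flow records for the
# exfiltration pattern above. All flow records below are constructed.
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumption: RFC 1918 space is internal; anything else is a candidate C2/exfil destination.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip):
    return not any(ip_address(ip) in net for net in INTERNAL)

def egress_summary(flows, business_hours=(8, 18)):
    """Per external destination: bytes out, bytes out outside business hours,
    and the set of distinct clock hours with traffic (a proxy for 'sustained')."""
    start, end = business_hours
    per_dst = defaultdict(lambda: {"bytes": 0, "off_hours": 0, "hours": set()})
    for f in flows:
        if not is_external(f["dst"]):
            continue
        ts = datetime.fromisoformat(f["ts"])
        s = per_dst[f["dst"]]
        s["bytes"] += f["bytes_out"]
        s["hours"].add(ts.replace(minute=0, second=0))
        if not (start <= ts.hour < end):
            s["off_hours"] += f["bytes_out"]
    return per_dst

def flag_exfil(flows, min_bytes=100_000_000, min_hours=3):
    """Destinations to triage first: large total volume, sustained over several
    hours, and more than half of it sent outside business hours."""
    hits = [(dst, s["bytes"]) for dst, s in egress_summary(flows).items()
            if s["bytes"] >= min_bytes and len(s["hours"]) >= min_hours
            and s["off_hours"] > s["bytes"] / 2]
    return sorted(hits, key=lambda h: -h[1])

FLOWS = [  # constructed firewall egress records; destinations use documentation address space
    {"dst": "203.0.113.10", "bytes_out": 60_000_000, "ts": "2024-05-04T01:10:00"},
    {"dst": "203.0.113.10", "bytes_out": 55_000_000, "ts": "2024-05-04T02:15:00"},
    {"dst": "203.0.113.10", "bytes_out": 40_000_000, "ts": "2024-05-04T03:05:00"},
    {"dst": "198.51.100.7", "bytes_out": 120_000_000, "ts": "2024-05-03T10:00:00"},  # daytime backup job
    {"dst": "10.0.0.5", "bytes_out": 900_000_000, "ts": "2024-05-04T02:00:00"},  # internal file server
]
```

The daytime backup destination carries more bytes than the flagged one but is excluded by the off-hours and sustained-hours conditions, which is why volume alone is a poor trigger.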
Evidence Collection
Before initiating containment or eradication, preserve forensic evidence. On live, affected systems, capture a full memory dump using a trusted memory acquisition tool. This is critical because Remcos keeps its configuration data, encryption keys, and injected code in memory. Collect a triage file system image, focusing on the directories where Remcos artifacts are commonly found: %AppData%, %LocalAppData%, %Temp%, and the root of C:\. Preserve any suspicious executables, DLLs, or log files.
Extract a detailed process listing with command-line arguments, parent process IDs, and loaded modules. Look for processes with mismatched signatures, processes injecting code into legitimate Windows processes like explorer.exe or svchost.exe, and processes making network connections to the identified C2 servers. Dump the network connection table (e.g., using netstat or a forensic tool) to capture active and listening ports.
Collect specific Remcos RAT artifacts. Export the registry hives in full, paying special attention to the persistence locations mentioned in the triage phase. Check for the Remcos mutex, which often follows a pattern like “RMC-” or “Remcos-”, using a process analysis tool. Preserve Prefetch files (C:\Windows\Prefetch\) and ShimCache/Amcache entries, as they can reveal the execution history of the Remcos payload. Ensure all collected evidence is hashed (MD5, SHA-256) and its chain of custody is documented.
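An added example, not from the guide, of the hashing and chain-of-custody step above: it builds a manifest with MD5 and SHA-256 for every collected artifact, records who collected it from which host and when, and re-verifies the evidence folder later so any alteration is caught. The analyst name, host name, and the two constructed artifacts in demo() are assumptions.

```python
# Added example (not the guide's code): hash manifest plus chain-of-custody record
# for collected evidence, and a re-verification that catches later alteration.
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def file_hashes(path):
    """MD5 and SHA-256 of a file, streamed so memory images need not fit in RAM."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}

def build_manifest(evidence_dir, collector, source_host):
    """Hashes every file under evidence_dir and opens the custody log."""
    files = {}
    for root, _, names in os.walk(evidence_dir):
        for name in names:
            p = os.path.join(root, name)
            files[os.path.relpath(p, evidence_dir)] = {**file_hashes(p), "size": os.path.getsize(p)}
    custody = [{"action": "collected", "by": collector, "host": source_host,
                "at": datetime.now(timezone.utc).isoformat()}]
    return {"custody": custody, "files": files}

def verify_manifest(evidence_dir, manifest):
    """Relative paths that are missing or whose SHA-256 no longer matches."""
    bad = []
    for rel, rec in manifest["files"].items():
        p = os.path.join(evidence_dir, rel)
        if not os.path.isfile(p) or file_hashes(p)["sha256"] != rec["sha256"]:
            bad.append(rel)
    return bad

def demo():
    """Builds a manifest over two constructed artifacts, then alters one of them."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "Prefetch"))
        with open(os.path.join(d, "Prefetch", "SAMPLE.pf"), "wb") as fh:
            fh.write(b"constructed prefetch sample")
        with open(os.path.join(d, "memory.raw"), "wb") as fh:
            fh.write(b"constructed memory image")
        manifest = build_manifest(d, "analyst1", "WS-042")
        before = verify_manifest(d, manifest)
        with open(os.path.join(d, "memory.raw"), "ab") as fh:
            fh.write(b"!")  # simulate post-collection alteration
        after = verify_manifest(d, manifest)
        json.dumps(manifest)  # manifest is plain JSON for the case file
    return sorted(manifest["files"]), before, after
```

Append a new custody entry (action, person, time) each time the evidence changes hands and store the manifest separately from the evidence itself, otherwise a tampered copy can carry its own matching manifest.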
Containment Procedures
The goal is to stop the malware’s spread and C2 communication without alerting the attacker or destroying evidence. Immediately segment the network. Place identified compromised hosts in an isolated VLAN with no internet access and no access to critical internal servers (domain controllers, file servers, databases). If the initial vector was phishing, consider temporarily restricting internal email links and attachments.
Block communication with identified Remcos C2 servers at the network perimeter. Update firewall rules, proxy blocklists, and DNS sinkhole configurations to deny all traffic to and from the malicious IPs and domains. Remcos may use dynamic DNS or multiple fallback IPs, so ensure your threat intelligence feed is updated and blocking is applied broadly. If you cannot immediately block all C2s, consider deploying a network sensor in the isolated segment to monitor for additional callbacks.
Reset credentials that may have been compromised. Scope this by identifying which user accounts were active on the infected systems during the infection window. Prioritize resetting passwords for local administrator accounts on those machines and any domain accounts with elevated privileges that were used there. Do not reset all domain passwords en masse initially, as this may cause operational disruption and could be the attacker’s goal. Enable multi-factor authentication where possible.
Disable the identified Remcos persistence mechanisms on critical systems as a temporary measure. This may involve stopping and disabling malicious scheduled tasks or services. Do not delete the associated files or registry keys yet, as they are needed for evidence. If possible, take disk snapshots of critical servers before making any changes.
Eradication and Recovery
Eradication requires the complete removal of Remcos components from all affected systems. Follow the detailed, step-by-step procedures outlined in the dedicated Removal Guide. This guide provides per-system instructions for killing malicious processes, deleting persistent artifacts from the filesystem and registry, and removing any installed drivers or hooks.
After executing the removal steps, validate the clean state. Use your EDR solution to scan the system memory and filesystem for any remaining Remcos signatures or behaviors. Verify that no processes are calling back to the previously identified C2 infrastructure by monitoring network traffic from the host post-cleanup. Check that all malicious scheduled tasks, services, and registry entries have been removed.
For recovery, restore systems from known-clean backups. The backup date must predate the earliest identified evidence of infection. Do not restore from backups taken during the compromise window. For systems where clean backups are unavailable, a rebuild from trusted installation media is required. After restoring or rebuilding, immediately apply all relevant security patches, as Remcos often exploits unpatched vulnerabilities. Re-image the system if any doubt remains about persistence.
Before returning contained systems to the production network, perform a final validation scan with updated anti-malware tools and ensure all security agents are functioning correctly. Monitor these systems closely for at least one week for any signs of re-infection.
Lessons Learned Checklist
Conduct a post-incident review to improve defenses against future Remcos or similar RAT attacks.
- Initial Infection Vector: How did Remcos RAT gain initial access?
  - Was it a malicious email attachment (e.g., .scr, .docm with macros)?
  - Was it a drive-by download from a compromised website?
  - Was it through exploitation of a public-facing service (e.g., RDP, VPN)?
  - Did it involve a malicious USB device or other physical media?
- Control Failures: Which security controls did not prevent or detect the intrusion?
  - Email filtering: Did it fail to block the malicious attachment/link?
  - Endpoint Protection: Why didn’t it prevent execution or raise an alert sooner?
  - Application Whitelisting: Was it not deployed or improperly configured?
  - Patch Management: Was the system missing a critical update that was exploited?
  - Network Segmentation: Was lateral movement too easy?
- Detection Gaps: Where were the visibility gaps?
  - Were process creation events from rundll32.exe or regsvr32.exe not being monitored?
  - Were outbound connections to non-standard ports not logged or alerted on?
  - Were changes to Run keys or scheduled tasks not centrally correlated?
  - Was there a delay between EDR alerting and analyst review?
- Improvement Actions: Based on the above, what must be improved?
  - Update and test email security rules to catch the observed lure tactics.
  - Enhance endpoint detection rules to flag Remcos-specific behaviors (see Detection Guide).
  - Implement or tighten application control policies to block execution from user-writable directories.
  - Accelerate the patch cycle for critical vulnerabilities.
  - Improve network monitoring to detect lateral movement and C2 traffic anomalies.
  - Conduct user awareness training focused on the phishing method used.
For more information on this threat, refer to the Remcos RAT Overview.