Unknown TTPs of Remcos RAT
released on 2024-03-29 @ 12:44:23 PM
This report analyzes samples of the Remcos remote access trojan, revealing some of its unknown tactics, techniques and procedures. The analysis shows how threat actors use process hollowing to inject the Remcos payload into a new process, employing various techniques to evade detection. Key findings include the use of VBScript, PowerShell scripts, base64 encoding, and downloading payloads disguised as image files. Remcos exfiltrates data, records audio and video, and connects to command and control servers. The report provides indicators of compromise and other technical details of Remcos' operation.
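The summary notes that the Remcos payload is downloaded disguised as an image file. The following script is an added illustration, not code from the report, of the simplest detection a defender can run against that disguise: compare the extension a download claims against its leading bytes and flag files that are really a Windows executable (raw, or base64-encoded as the summary's mention of base64 suggests). The image magic-byte table and every sample file are constructed for the demonstration; nothing here is a real artifact from the report.

```python
"""Flag downloads whose image extension does not match their content.

Added example (not from the report). The samples at the bottom are constructed
stand-ins, not real Remcos artifacts.
"""
import base64
import binascii
from pathlib import PurePath

# Leading bytes of common image formats (assumption: this short table is enough here).
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".bmp": (b"BM",),
}
PE_MAGIC = b"MZ"  # DOS header signature at offset 0 of every Windows executable


def looks_like_pe(data: bytes) -> bool:
    """True if the raw bytes start with the PE/DOS header."""
    return data.startswith(PE_MAGIC)


def base64_prefix_decodes_to_pe(data: bytes, sample_len: int = 64) -> bool:
    """True if the file is base64 text whose decoded start is a PE header."""
    head = b"".join(data[: sample_len * 2].split())  # drop line breaks and spaces
    head = head[: len(head) - len(head) % 4]         # base64 decodes in 4-char groups
    if len(head) < 4:
        return False
    try:
        decoded = base64.b64decode(head, validate=True)
    except (binascii.Error, ValueError):
        return False  # not base64 at all (binary image data, plain text, ...)
    return looks_like_pe(decoded)


def classify_download(filename: str, data: bytes) -> str:
    """Return a verdict string for a downloaded file given its name and content."""
    ext = PurePath(filename).suffix.lower()
    if ext not in IMAGE_MAGIC:
        return "not-an-image-extension"
    if any(data.startswith(magic) for magic in IMAGE_MAGIC[ext]):
        return "ok-image"
    if looks_like_pe(data):
        return "pe-disguised-as-image"
    if base64_prefix_decodes_to_pe(data):
        return "base64-pe-disguised-as-image"
    return "content-mismatch"  # claims to be an image but is neither image nor PE


# Constructed sample downloads (hypothetical names and contents).
_DOS_HEADER_STUB = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00" + b"\x00" * 52
SAMPLE_FILES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "invoice.jpg": _DOS_HEADER_STUB,
    "banner.gif": base64.b64encode(_DOS_HEADER_STUB),
    "readme.bmp": b"This is just text, not a bitmap",
    "setup.exe": _DOS_HEADER_STUB,
}


def scan_samples() -> dict:
    """Classify every constructed sample and return {filename: verdict}."""
    return {name: classify_download(name, data) for name, data in SAMPLE_FILES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:12s} -> {verdict}")
```

The check is deliberately cheap, so it can sit in a download proxy, mail gateway or endpoint script: a file that claims an image extension but carries no image signature is worth quarantining for further analysis, and a PE header (raw or base64-encoded) behind that extension is a strong indicator on its own.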