Monday, March 17, 2025

Quick Malware Analysis: REMCOS RAT pcap from 2025-03-10

Thanks to Brad Duncan for sharing this pcap from 2025-03-10 on his malware traffic analysis site! Due to issues with Google flagging a warning for the site, we're not including the actual hyperlink, but it should be easy to find.


We did a quick analysis of this pcap using Security Onion 2.4.130:

https://blog.securityonion.net/2025/03/security-onion-24130-now-available.html


If you'd like to follow along, you can do the following:



The screenshots at the bottom of this post show some of the interesting alerts, metadata logs, and session transcripts. Want more practice? Check out our other Quick Malware Analysis posts at:

https://blog.securityonion.net/search/label/quick%20malware%20analysis


About Security Onion


Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines. Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs. To learn more about Security Onion, please see:
https://securityonion.net


Screenshots


First, we start with the overview of all alerts and logs:


Next, let's look at just the alerts in their default grouped display:


Now let's ungroup the alerts, sort by timestamp, and review our AI summary for the first alert:


Review our AI summary for the Remcos checkin alert:


Review our AI summary for the Remcos response alert:


All the Remcos alerts are for the same TCP stream, so let's pivot to full packet capture:


Let's view that stream as an ASCII transcript:


Scrolling down we see some interesting artifacts:


Now let's get an overview of our protocol metadata:


Here are the files transferred:


Next let's review the DNS lookups:


Here are all of the network connections seen:


Let's investigate the 3 connections on port 3980:


Pivoting to full packet capture, we see the MZ file header and "This program cannot be run in DOS mode" so this looks like a Windows EXE:


Sending that to CyberChef and looking for strings yields interesting artifacts:


Looking at another one of the connections on port 3980, we see yet another Windows EXE:


Sending that to CyberChef and looking for strings yet again yields interesting artifacts:
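As an added example (not from the original post or from Security Onion), here is a small Python script that automates the two checks above: scanning a reassembled TCP payload for an MZ header whose e_lfanew field points at a PE signature, and pulling printable strings the way the CyberChef Strings operation does. The payload it scans is a constructed stand-in, not the Remcos binary from the pcap, and the hostname string inside it is a placeholder.

```python
import re
import struct

DOS_STUB_TEXT = b"This program cannot be run in DOS mode."


def build_sample_payload() -> bytes:
    """Constructed stand-in for a reassembled TCP stream carrying a PE file.

    Layout: some preamble bytes, then a 64-byte DOS header whose e_lfanew
    (offset 0x3C) points at a 'PE\\0\\0' signature, the DOS stub text, and one
    placeholder string. None of this is the actual binary from the pcap.
    """
    header = bytearray(b"MZ" + b"\x00" * 58)       # e_magic plus padding up to 0x3C
    header += struct.pack("<I", 0x80)            # e_lfanew: PE header lives at 0x80
    header += DOS_STUB_TEXT                      # the text seen in the transcript
    header += b"\x00" * (0x80 - len(header))     # pad out to the PE signature
    header += b"PE\x00\x00" + b"\x00" * 20       # signature plus a stub file header
    header += b"c2.example.invalid\x00"          # placeholder, not a real indicator
    return b"HTTP-ish preamble\r\n\r\n" + bytes(header)


def find_pe_files(payload: bytes) -> list:
    """Locate embedded PE images by MZ header, e_lfanew -> 'PE\\0\\0', and DOS stub text."""
    hits = []
    for m in re.finditer(b"MZ", payload):
        off = m.start()
        if off + 0x40 > len(payload):            # not even a full DOS header left
            continue
        e_lfanew = struct.unpack_from("<I", payload, off + 0x3C)[0]
        pe_off = off + e_lfanew
        # Real headers put the PE signature a short distance past the DOS stub;
        # bounding e_lfanew avoids chasing garbage offsets in random 'MZ' bytes.
        valid_pe = 0x40 <= e_lfanew <= 0x400 and payload[pe_off:pe_off + 4] == b"PE\x00\x00"
        has_stub = DOS_STUB_TEXT in payload[off:off + 0x400]
        if valid_pe or has_stub:
            hits.append({"offset": off, "valid_pe": valid_pe, "dos_stub": has_stub})
    return hits


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable-ASCII runs of at least min_len bytes, like CyberChef's Strings op."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


if __name__ == "__main__":
    sample = build_sample_payload()
    for hit in find_pe_files(sample):
        print("PE candidate:", hit)
    print("strings:", extract_strings(sample))
```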


