Remy

Description

(Cylance) Arriving as an obfuscated PowerShell script built using the MSFvenom psh-reflection payload, the Remy DLL payload is ultimately unpacked, injected into memory, and executed via a Veil shellcode payload.

The Remy DLL shares code with Backdoor.Win32.Denis (Kaspersky), and appears to be related to the “WINDSHIELD” malware (described in the FireEye APT32 report).

Names

  • Remy
  • Remy RAT
  • WINDSHIELD

Category

Malware

Type

  • Backdoor

Information

Malpedia

Other Information

Uuid

5f4763dc-2637-4fd7-8387-29de883b56ba

Last Card Change

2022-12-29