
Remcos is a RAT-type malware that attackers use to perform actions on infected machines remotely. This malware is very actively kept up to date, with updates coming out almost every month.

Type: Trojan
Origin: ex-USSR territory
First seen: 1 June, 2016
Last seen: 2 December, 2023

How to analyze Remcos with ANY.RUN


IOCs

IP addresses
185.222.58.243
172.93.164.62
107.175.229.139
198.27.121.194
91.92.250.65
185.65.105.197
185.65.105.199
95.214.26.199
185.65.105.192
95.214.26.190
185.65.105.193
185.65.105.15
185.65.105.196
185.65.105.191
95.214.26.60
185.65.105.194
101.99.92.103
101.99.92.101
95.214.26.99
185.65.105.190
Hashes

Domains
grantadistciaret.com
autgerman.autgerman.com
cloudhost.myfirewall.org
seanblacin.sytes.net
9.tcp.ngrok.io
whatgodcannotdodoestnotexist.duckdns.org
redentor.con-ip.com
fiujrkefdosdlfosdjfjdf.con-ip.com
sameruo.ddns.net
money001.duckdns.org
5.tcp.eu.ngrok.io
ascoitaliasasummer.duckdns.org
gfishfihfuf9uhiufheuhiuewiewwe.con-ip.com
yadirapenalora09.con-ip.com
f8terat.ddns.net
wrfisdufhisdhidhcisdhcsdnj.con-ip.com
gservicese.com
retghrtgwtrgtg.bounceme.net
datastream.myvnc.com
listpoints.click
URLs
http://p4-preview.runhosting.com/breakingsec02.co.nf/Remcos/login.php
http://p4-preview.runhosting.com/breakingsec02.co.nf/Remcos/logaccess.php
http://p4-preview.runhosting.com/breakingsec02.co.nf/Remcos/upd_free.txt


What is Remcos trojan?

Remcos is a remote access trojan – a malware used to take remote control over infected PCs. It has been operational since 2016 when it first became available for sale in the underground hacker communities on the dark web.

Remcos RAT has been receiving substantial updates throughout its lifetime. In fact, this malware is being maintained extremely actively, with new releases coming out almost every month. In April 2019, the malware was available for purchase for as little as just over 60 dollars up to over 400 dollars depending on the selected package.

General description of Remcos trojan

This trojan is created and sold to clients by a “business” called Breaking Security. Although Breaking Security promises that the program is only available to those who intend to use it for legal purposes, in reality, Remcos RAT gives clients all necessary features to launch potentially destructive attacks. The malware can be purchased with different cryptocurrencies. The program can remotely control PCs with any Windows OS, including XP and newer. It can also capture screenshots, record keystrokes on infected machines, and send the collected information to host servers.

What’s more, it comes equipped with a crypter, a tool that disguises the malware so that antivirus software does not detect it. In fact, Breaking Security has released a video on its YouTube channel demonstrating how multiple antivirus products fail to detect the presence of Remcos. In addition, Breaking Security provides attackers with a keylogger that can be used to remotely record the victim's keystrokes, a mass mailer program that can be used to carry out distribution campaigns, and a DynDNS service for the client-server connection. With all additional services combined, purchasers gain everything they need to build their own functioning botnets.

The company responsible for selling Remcos RAT to criminals is registered in Germany. Germany is the only European Union member state that does not allow company details to be looked up online, so the founders of Breaking Security remain unidentified. The website itself provides no information about the company or the team behind Remcos. The website's domain is hosted on Cloudflare, and all information related to it is protected by the hoster's privacy policy. Clearly, the people behind Breaking Security have gone to a lot of effort to stay anonymous.


Remcos malware analysis

Remcos RAT execution and analysis can be watched in-depth in a video recorded in the ANY.RUN malware hunting service. Moreover, you can also research other malicious families there such as AZORult and Adwind.

Figure 1: The lifecycle of Remcos as presented by the visual process graph generated by ANY.RUN

Figure 2: A customizable text report generated by ANY.RUN, a feature developed specifically to simplify the sharing of research results

Remcos trojan execution process

Remcos trojan can be delivered in different forms. Based on our analysis of the RAT, it is spread either as an executable file whose name is chosen to convince users to open it, or as a file posing as a Microsoft Word document that exploits vulnerabilities to download and execute the main payload, with the server component obfuscated. In our simulation, once Remcos had made its way onto the device and begun executing, it launched a VBS script. The script ran the command line, which in turn dropped an executable file. This file was the main payload, and it carried out the main malicious activities: stealing information, changing the autorun value in the registry, and connecting to the C2 server.

Figure 3: Execution processes of Remcos as displayed by the ANY.RUN malware analysis service

Distribution of Remcos

Although it is distributed through multiple methods and is sold bundled with mass mailer software, analysis shows that Remcos RAT usually reaches victims’ machines through malicious attachments in spam email campaigns. The attackers normally use phishing techniques to trick users into downloading file attachments, commonly contaminated Microsoft Office files. Once downloaded, the files prompt the user to activate the macros required for the execution of Remcos to start.

Attackers who use this trojan are known to target specific organizations and sometimes go a long way to craft custom phishing emails designed to fool their victims. Corporations known to have been targeted by Remcos attacks include news agencies and energy-industry businesses.

If the victim enables the macros, they reconstruct a small executable file, which is dropped to a pre-specified location and launched from there. This file then downloads the main payload, Remcos itself, from a control server and begins the execution process. Although the location varies from sample to sample, it is usually one of the directories typical for malware authors: %APPDATA% or %TEMP%.

How to detect Remcos using ANY.RUN?

Cybersecurity specialists can easily detect Remcos: the trojan writes its own name into the registry. Look at the registry events: click on the process and then on the More Info button. If the Registry changes tab shows a key like "HKEY_CURRENT_USER\Software\Remcos-{digits_letters}", you can be sure it’s Remcos.
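An added detection example, not code from this page or from ANY.RUN: it replays the chain described in the execution and distribution sections (Office document, VBS script, command line, executable dropped under %APPDATA% or %TEMP%, autorun change) together with the Remcos-{digits_letters} registry key from this section, over constructed sandbox-style events, and flags each step. The Event layout, the paths, PIDs and the "exepath" value name are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical sandbox event record. The field layout is an assumption made
# for this example; it is not the format of ANY.RUN reports.
@dataclass
class Event:
    kind: str    # "process" (detail = command line) or "registry" (detail = "key=value")
    pid: int
    ppid: int
    detail: str

# Constructed events reproducing the chain described on the page:
# Office document -> VBS script host -> cmd.exe -> dropped executable in a
# user-writable directory -> Remcos-<id> registry key and an autorun entry.
# Paths, PIDs and the "exepath" value name are all made up for the example.
SAMPLE_EVENTS = [
    Event("process", 100, 1, r"C:\Program Files\Microsoft Office\WINWORD.EXE invoice.docm"),
    Event("process", 200, 100, r"C:\Windows\System32\wscript.exe C:\Users\u\AppData\Local\Temp\upd.vbs"),
    Event("process", 300, 200, r"cmd.exe /c C:\Users\u\AppData\Roaming\svchost32.exe"),
    Event("process", 400, 300, r"C:\Users\u\AppData\Roaming\svchost32.exe"),
    Event("registry", 400, 300, r"HKEY_CURRENT_USER\Software\Remcos-A1B2C3\exepath=C:\Users\u\AppData\Roaming\svchost32.exe"),
    Event("registry", 400, 300, r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svchost32=C:\Users\u\AppData\Roaming\svchost32.exe"),
    Event("process", 500, 1, r"C:\Windows\explorer.exe"),
]

# The key pattern quoted on the page: HKEY_CURRENT_USER\Software\Remcos-{digits_letters}
REMCOS_KEY = re.compile(r"^HKEY_CURRENT_USER\\Software\\Remcos-[0-9A-Za-z]+", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
# %APPDATA% and %TEMP% inside a user profile, the drop locations named on the page.
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")


def image_path(cmdline):
    """Return the executable path at the start of a command line (up to the first .exe)."""
    m = re.match(r'"?(.*?\.exe)', cmdline, re.I)
    return m.group(1) if m else cmdline


def image_name(cmdline):
    return image_path(cmdline).rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (rule, pid, evidence) tuples for every event that matches a rule."""
    procs = {e.pid: e for e in events if e.kind == "process"}

    def lineage(pid):
        # Image names from the process itself up through its ancestors.
        names, seen = [], set()
        while pid in procs and pid not in seen:
            seen.add(pid)
            names.append(image_name(procs[pid].detail))
            pid = procs[pid].ppid
        return names

    findings = []
    for e in events:
        if e.kind == "registry":
            key, _, value = e.detail.partition("=")
            if REMCOS_KEY.match(key):
                findings.append(("remcos_registry_key", e.pid, key))
            elif RUN_KEY.search(key) and USER_WRITABLE.search(value):
                findings.append(("autorun_from_user_dir", e.pid, key))
        else:
            chain = lineage(e.pid)
            # A binary running from %APPDATA%/%TEMP% whose ancestry contains both a
            # script host and an Office application: the macro-to-dropper chain.
            if (USER_WRITABLE.search(image_path(e.detail))
                    and any(n in SCRIPT_HOSTS for n in chain[1:])
                    and any(n in OFFICE_APPS for n in chain[1:])):
                findings.append(("office_script_dropped_exe", e.pid, chain[0]))
    return findings


def verdict(findings):
    """'remcos' on the family-specific key, 'suspicious' on behaviour-only hits, else 'clean'."""
    rules = {f[0] for f in findings}
    if "remcos_registry_key" in rules:
        return "remcos"
    return "suspicious" if rules else "clean"


if __name__ == "__main__":
    for rule, pid, evidence in analyze(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid} {evidence}")
    print("verdict:", verdict(analyze(SAMPLE_EVENTS)))
```

The family-specific registry key is what turns a "suspicious" verdict into a confident "remcos" one; the two behavioural rules are deliberately generic so that the dropper stage is still flagged in a run where the key has not been written yet (for example, a sample whose payload download failed).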

Figure 4: Remcos registry changes

Conclusion

Remcos RAT is a dangerous trojan available to attackers for a relatively low price. Despite its accessibility, it comes equipped with robust enough features to let attackers set up their own effective botnets. What's more, it is modernized with updates released nearly every month by the owner company. Accessibility and a powerful feature set have made Remcos a potent and dangerous trojan.

Thankfully, malware hunting services such as ANY.RUN give professionals an equally robust feature set to research threats like Remcos and respond with effective countermeasures.

