BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
9
Global rank
3 infographic chevron month
Month rank
2 infographic chevron week
Week rank
2419
IOCs

Remcos is a RAT type malware that attackers use to perform actions on infected machines remotely. This malware is extremely actively caped up to date with updates coming out almost every single month.

Trojan
Type
ex-USSR territory
Origin
1 June, 2016
First seen
16 April, 2024
Last seen

How to analyze Remcos with ANY.RUN

Type
ex-USSR territory
Origin
1 June, 2016
First seen
16 April, 2024
Last seen

IOCs

IP addresses
104.250.180.178
192.210.201.57
62.102.148.185
172.245.208.13
185.241.208.113
107.175.229.139
109.111.167.229
192.161.184.21
91.207.102.163
37.120.235.114
81.17.17.70
141.98.102.227
91.92.253.150
66.63.162.155
45.133.174.81
194.147.140.167
194.147.140.222
45.128.96.122
64.188.20.186
102.176.65.44
Hashes
a89897dcc1e52283b5f169d1dfba7a30df9006550a3fadeee5c58df314310e09
54d8f4bcf9e38d05ef12875a7a9400ffcaf3e71175019d655129f2727c58e65b
33201adbd42d8dc9ccc2db573fdd919e89a057db25193f16053ae7750a9fb35d
50ca98ba2d54858b97cbbfff758edf7f81a29a8a4884a4319ae994cb8a434de3
9adc5f79412b073c57ff3c46ecf715ae1f931a471001847ab4a8f9d4a2f97b87
12842d49038c066464ac723b9665ff93f634042646bdd6947b54042fd0e06342
9c530365dda476ecf306d42b00922e73a98d4d213c6dea99953e6412e21a39af
a67d4cdb218d6e7106b4efef10d24fdd69025b556df74549921e3d4156201084
d7409c29c408de43fb4cbcfa880b436aceaf03d4ad5b39890cf518a82d4a3e25
c2c8cceb0ee59b816db4cc7449e311ed3abeb2dd376cab676bd0c4d8c10781f7
f5d707c704a60d1578d0b00f656477eda9b5dbfa440466660bfd92aff363625d
920fae943bbfb6cb7dd1a1a13e6abfb6f951ed79eaa01b9b693ff6a8224ae1e1
925b3f0c28feb07eea91c36354adb0022a621bb20d1f96f3a1ad976c366893a6
f44e495e1301866188a62916859075ed73d13193823c69884312f04785707279
60d448324c236bf17c5b164140f83d180249e4ec56a44ee5a9962e6eda9aed2e
e2c60159ad9908ac2a1ab446c1866dfe5a59b1535ca29f111ae56833996d82b8
e15677ab90ab5cb707c87420cb49c733d5948513cfbfd152470a03942effc9b8
15bae1d6f7888e3ae771e3e4c636e574848a8a391c0650dbb7ffcc3129956d6b
003bcd42df2546a1add584a5c41acaaae1c197660303309a38cfe7bc175e8401
6d711bb5090b69fe383491c2fdd6987f8bfeffbac711a6194e967c06f9134560
Domains
cada1224.con-ip.com
ezege.duckdns.org
marcofreilelora09.con-ip.com
pentester0.accesscam.org
archived.zapto.org
honeypotresearchteam.duckdns.org
paygateme.net
rmcnewlistening.duckdns.org
merega.3utilities.com
0.tcp.eu.ngrok.io
chichonexpress.con-ip.com
26febrero.con-ip.com
limpios.con-ip.com
ferfnekfkjerfjre.con-ip.com
febrero22.con-ip.com
11abril.con-ip.com
page4work.mywire.org
sandshoe.myfirewall.org
asegurar100.4cloud.click
setimetntalatsuirity.ddnsfree.com
URLs
http://p4-preview.runhosting.com/breakingsec02.co.nf/Remcos/logaccess.php
http://p4-preview.runhosting.com/breakingsec02.co.nf/Remcos/OnlineCheck-v4.php
http://p4-preview.runhosting.com/breakingsec02.co.nf/Remcos/upd_free.txt
http://p4-preview.runhosting.com/breakingsec02.co.nf/Remcos/login.php
Last Seen at

Recent blog posts

post image
Malware Trends Report: Q1, 2024
watchers 157
comments 0
post image
Understand Encryption in Malware: From Basics...
watchers 547
comments 0
post image
ANY.RUN for Enterprises: Learn About Our Most...
watchers 298
comments 0

What is Remcos trojan?

Remcos is a remote access trojan – a malware used to take remote control over infected PCs. This malicious software has been operational since 2016 when it first became available for sale in the underground hacker communities on the dark web.

Remcos RAT has been receiving substantial updates throughout its lifetime. In fact, this malware is being maintained extremely actively, with new releases coming out almost every month. In April 2019, the malware was available for purchase for as little as just over 60 dollars up to over 400 dollars depending on the selected package.

General description of Remcos trojan

This trojan is created and sold to clients by a “business” called Breaking Security. Although Breaking Security promises that the program is only available to those who intend to use it for legal purposes, in reality, Remcos RAT gives clients all necessary features to launch potentially destructive attacks. The malware can be purchased with different cryptocurrencies. The program can remotely control PCs with any Windows OS, including XP and newer. It can also capture screenshots, record keystrokes on infected machines, and send the collected information to host servers.

What’s more, it comes equipped with a crypto program that enables the malware to stay hidden from antivirus software. In fact, Breaking Security has released a video on its YouTube channel which demonstrates the analysis of how multiple antiviruses fail to detect the presence of the Remcos RAT. In addition, Breaking Security provides attackers with a keylogger that can be used to remotely record keystrokes of the victim, a mass mailer program that can be used to carry out distribution campaigns, and a DynDNS service with a client-server connection. With all additional services combined, purchasers gain all they need to create their own functioning botnets.

The company responsible for selling Remcos RAT to the criminals is registered in Germany. Germany is the only country out of all European Union members that do not allow looking up company details online. Therefore founders of Breaking Security are still not identified. The website itself does not provide any information about the company or the team behind Remcos. The domain name of the website itself is hosted on Cloudflare, and all information related to it is protected by the privacy policy of the hoster organization. Clearly, the people behind Breaking Security have taken a lot of effort to stay anonymous.

Get started today for free

Easily analyze emerging malware with ANY.RUN interactive online sandbox

Register for free

Remcos malware analysis

Remcos RAT execution and analysis can be watched in-depth in a video recorded in the ANY.RUN malware hunting service. Moreover, you can also research other malicious families there such as AZORult and Adwind.

process graph of the Remcos execution Figure 1: Displays the lifecycle of Remcos as presented by a visual graph generated by ANY.RUN

text report 0f the Remcos trojan analysis Figure 2: A customizable text report generated by ANY.RUN is a feature specifically developed to simplify the sharing of analysis results.

Remcos trojan execution process

Remcos trojan can be delivered in different forms. Based on RAT's analysis, it can be spread as an executable file with the name that should convince users to open it, or it pretends to be a Microsoft Word file that exploits vulnerabilities to download and execute the main payload, obfuscate the server component. In our analysis, after Remcos made its way to infect the device and begin the execution process, it started VBS script execution. Script ran command line and proceeded to drop an executable file from it. This file was the main payload, and it carried out the main malicious activities – stealing information, changing the autorun value in the registry, and connecting to the C2 server.

remcos execution process tree Figure 3: Execution processes of Remcos as displayed by the ANY.RUN malware analysis service

Distribution of Remcos

Although being distributed using multiple methods, being provided in a bundle with mass mailer software, the analysis proves that Remcos RAT usually gets into victims’ machines through malicious attachments in spam email campaigns. The attackers normally use phishing techniques to try and trick users into downloading file attachments, commonly – contaminated Microsoft Office files. Once downloaded, the files would prompt the users to activate the macros required for the execution of Ramcos to start.

Attackers who utilize this trojan are known to target specific organizations and sometimes go a long way to craft custom phishing emails designed to fool their victims. Corporations that are known to become targets of Remcos attacks include news agencies and businesses energy industry-related businesses.

If the victim does enable the macros, they reconstruct a small executable file which is then dropped to a pre-specified location and launched from there. This file then proceeds to download the main payload, which is Remcos itself, from a control server and then begin the execution process. Even though the location can vary from sample to sample, it usually includes one of the following locations, typical for malware creators: %APPDATA% and %TEMP%.

How to detect Remcos using ANY.RUN?

Cybersecurity specialists can easily detect Remcos – the trojan writes its name into a registry. Look at registry events: click on the process and then on the More Info button. If the Registry changes tab has a key like "HKEY_CURRENT_USER\Software\Remcos-{digits_letters}", you can be sure it’s Remcos.

remcos log file Figure 4: Remcos registry changes analysis

Conclusion

Remcos RAT is a dangerous trojan available to attackers for a relatively low price. Despite its accessibility, it comes equipped with enough robust features to allow attackers to set up their own effective botnets. What's more, it is modernized with updates released nearly every month by the owner company. Accessibility and powerful feature set helped to make Ramcos into a powerful and dangerous trojan.

Thankfully, malware hunting services such as ANY.RUN gives professionals an equally robust feature set to research threats like Ramcos and respond with effective countermeasures.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy