BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
9
Global rank
3 infographic chevron month
Month rank
4
Week rank
2377
IOCs

Remcos is a RAT type malware that attackers use to perform actions on infected machines remotely. This malware is extremely actively caped up to date with updates coming out almost every single month.

Trojan
Type
ex-USSR territory
Origin
1 June, 2016
First seen
29 March, 2024
Last seen

How to analyze Remcos with ANY.RUN

Type
ex-USSR territory
Origin
1 June, 2016
First seen
29 March, 2024
Last seen

IOCs

IP addresses
192.210.201.57
172.245.208.13
102.176.65.44
66.63.162.155
107.172.31.178
194.147.140.180
91.92.247.97
107.150.18.202
80.66.75.44
185.156.72.28
37.139.129.251
37.120.235.114
192.161.184.21
74.119.194.217
172.81.60.60
20.121.128.235
193.142.146.21
62.102.148.185
185.161.208.123
193.222.96.75
Hashes
7c93d76a0e9fcc56590bd9ff9aff722afcca47c6645df567f4a38fc79c57e40a
ec901217558e77f2f449031a6a1190b1e99b30fa1bb8d8dabc3a99bc69833784
f3e4dd541766cd7a3af91ef964b91ded632f13ebe69bd4fb5eadd563c0207059
8e7cd60d532ae88ba437fcf2ede014dfde3a1f5261bf0569d22566360b71485d
a662577f902f877793cb9ab2a7a6101344f8026d62a69dedcdbff8b1930089bf
b84d775cf5de9234ec178e4a94c5c459f0c6e8ad3bffc977ba20b116b4d9d88e
01a051c70476ff3fae38ab673bfeb567f80ebc9c5e8cc0fec03091b8c5d00bd9
f468e78e2f4a5f1958f7dc8c47b4919607fbbb02e3fe5eee414160fdb792e0d7
07050af33c4d45af03caa34bbf61a832ec4cfb84535aaae85097176e0defcf11
f125e58bcea173dc1aa5a9498dfa18ddd1a69fbd431610df034af7af78bd602e
b41e4528449d3fa1730eca98df0dc9fd9e3683ccfaedf1d72ee2af2899f18db8
60e520cabd741f718ca4b748b8af4e793c637de473cfb5091281660827b59ce8
34c7377e5b187edf6d660e7df34b68b968940b6de1399c2f4a3e5675099139f4
de8a8e788979f605ae68981ec3bf84711e957bfa4746d5f23c2015a8ec928c32
de680087d48c2789463444d87dc09962e29effc2491d398d713931ac62cf4e1b
b0857cadd4caff3ab536d041591bdff78f83d02b3fda1ec52c518ae87e779b92
b529ff68636353363de3a4e6f53c1abe3dda18ff711d55494578152e0cf15922
2e5243c0f25a508026aa4bc82e7cdddd2df91f556c8509ac6e2b60d3ef17b517
43d2a1081b1fba2cee356ff5e0981d2f09900ef1b0b5f487ca0b3e96c8d11c28
5cdd4524220e922d81157f31322b2750d0cf507f9c6846bac805a05d593f90fe
Domains
leetboy.dynuddns.net
0.tcp.eu.ngrok.io
unilateralcospilino.duckdns.org
setimetntalatsuirity.ddnsfree.com
highestlotto.duckdns.org
pentester0.accesscam.org
archived.zapto.org
honeypotresearchteam.duckdns.org
jgm.kozow.com
salomon77.con-ip.com
windowsexplorerszzo.duckdns.org
uniresearchteam.mywire.org
gregolia.duckdns.org
serverupdatemarch353.duckdns.org
sprdingmefeb.ddnsfree.com
backsprdingmefeb.ddnsfree.com
laitheliar.duckdns.org
clepdhunt.duckdns.org
darkotemplar.sytes.net
marzo5.con-ip.com
URLs
http://p4-preview.runhosting.com/breakingsec02.co.nf/Remcos/logaccess.php
http://p4-preview.runhosting.com/breakingsec02.co.nf/Remcos/OnlineCheck-v4.php
http://p4-preview.runhosting.com/breakingsec02.co.nf/Remcos/login.php
http://p4-preview.runhosting.com/breakingsec02.co.nf/Remcos/upd_free.txt
Last Seen at

Recent blog posts

post image
Basic Malware Packers: What are They and How...
watchers 621
comments 0
post image
New BunnyLoader Version Gains Modular Capabil...
watchers 211
comments 0
post image
What are Threat Intelligence Feeds? 
watchers 187
comments 0

What is Remcos trojan?

Remcos is a remote access trojan – a malware used to take remote control over infected PCs. This malicious software has been operational since 2016 when it first became available for sale in the underground hacker communities on the dark web.

Remcos RAT has been receiving substantial updates throughout its lifetime. In fact, this malware is being maintained extremely actively, with new releases coming out almost every month. In April 2019, the malware was available for purchase for as little as just over 60 dollars up to over 400 dollars depending on the selected package.

General description of Remcos trojan

This trojan is created and sold to clients by a “business” called Breaking Security. Although Breaking Security promises that the program is only available to those who intend to use it for legal purposes, in reality, Remcos RAT gives clients all necessary features to launch potentially destructive attacks. The malware can be purchased with different cryptocurrencies. The program can remotely control PCs with any Windows OS, including XP and newer. It can also capture screenshots, record keystrokes on infected machines, and send the collected information to host servers.

What’s more, it comes equipped with a crypto program that enables the malware to stay hidden from antivirus software. In fact, Breaking Security has released a video on its YouTube channel which demonstrates the analysis of how multiple antiviruses fail to detect the presence of the Remcos RAT. In addition, Breaking Security provides attackers with a keylogger that can be used to remotely record keystrokes of the victim, a mass mailer program that can be used to carry out distribution campaigns, and a DynDNS service with a client-server connection. With all additional services combined, purchasers gain all they need to create their own functioning botnets.

The company responsible for selling Remcos RAT to the criminals is registered in Germany. Germany is the only country out of all European Union members that do not allow looking up company details online. Therefore founders of Breaking Security are still not identified. The website itself does not provide any information about the company or the team behind Remcos. The domain name of the website itself is hosted on Cloudflare, and all information related to it is protected by the privacy policy of the hoster organization. Clearly, the people behind Breaking Security have taken a lot of effort to stay anonymous.

Get started today for free

Easily analyze emerging malware with ANY.RUN interactive online sandbox

Register for free

Remcos malware analysis

Remcos RAT execution and analysis can be watched in-depth in a video recorded in the ANY.RUN malware hunting service. Moreover, you can also research other malicious families there such as AZORult and Adwind.

process graph of the Remcos execution Figure 1: Displays the lifecycle of Remcos as presented by a visual graph generated by ANY.RUN

text report 0f the Remcos trojan analysis Figure 2: A customizable text report generated by ANY.RUN is a feature specifically developed to simplify the sharing of analysis results.

Remcos trojan execution process

Remcos trojan can be delivered in different forms. Based on RAT's analysis, it can be spread as an executable file with the name that should convince users to open it, or it pretends to be a Microsoft Word file that exploits vulnerabilities to download and execute the main payload, obfuscate the server component. In our analysis, after Remcos made its way to infect the device and begin the execution process, it started VBS script execution. Script ran command line and proceeded to drop an executable file from it. This file was the main payload, and it carried out the main malicious activities – stealing information, changing the autorun value in the registry, and connecting to the C2 server.

remcos execution process tree Figure 3: Execution processes of Remcos as displayed by the ANY.RUN malware analysis service

Distribution of Remcos

Although being distributed using multiple methods, being provided in a bundle with mass mailer software, the analysis proves that Remcos RAT usually gets into victims’ machines through malicious attachments in spam email campaigns. The attackers normally use phishing techniques to try and trick users into downloading file attachments, commonly – contaminated Microsoft Office files. Once downloaded, the files would prompt the users to activate the macros required for the execution of Ramcos to start.

Attackers who utilize this trojan are known to target specific organizations and sometimes go a long way to craft custom phishing emails designed to fool their victims. Corporations that are known to become targets of Remcos attacks include news agencies and businesses energy industry-related businesses.

If the victim does enable the macros, they reconstruct a small executable file which is then dropped to a pre-specified location and launched from there. This file then proceeds to download the main payload, which is Remcos itself, from a control server and then begin the execution process. Even though the location can vary from sample to sample, it usually includes one of the following locations, typical for malware creators: %APPDATA% and %TEMP%.

How to detect Remcos using ANY.RUN?

Cybersecurity specialists can easily detect Remcos – the trojan writes its name into a registry. Look at registry events: click on the process and then on the More Info button. If the Registry changes tab has a key like "HKEY_CURRENT_USER\Software\Remcos-{digits_letters}", you can be sure it’s Remcos.

remcos log file Figure 4: Remcos registry changes analysis

Conclusion

Remcos RAT is a dangerous trojan available to attackers for a relatively low price. Despite its accessibility, it comes equipped with enough robust features to allow attackers to set up their own effective botnets. What's more, it is modernized with updates released nearly every month by the owner company. Accessibility and powerful feature set helped to make Ramcos into a powerful and dangerous trojan.

Thankfully, malware hunting services such as ANY.RUN gives professionals an equally robust feature set to research threats like Ramcos and respond with effective countermeasures.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy