Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now
12
Global rank
9 infographic chevron month
Month rank
10 infographic chevron week
Week rank
0
IOCs

Remcos is a RAT type malware that attackers use to perform actions on infected machines remotely. This malware is extremely actively caped up to date with updates coming out almost every single month.

Trojan
Type
ex-USSR territory
Origin
1 June, 2016
First seen
29 October, 2025
Last seen

How to analyze Remcos with ANY.RUN

Type
ex-USSR territory
Origin
1 June, 2016
First seen
29 October, 2025
Last seen

IOCs

IP addresses
193.161.193.99
91.192.100.9
185.9.19.107
79.134.225.9
91.207.102.163
213.152.161.5
79.134.225.97
37.120.217.243
185.189.112.27
206.189.80.59
37.120.210.219
103.73.64.115
185.65.134.165
141.98.255.145
199.195.253.181
185.65.135.178
185.65.134.182
23.105.131.206
141.95.84.40
76.8.53.133
Hashes
d7c8588a79f8cc097fbe35b568d63f26cdc01d67d3feabafcc5376a02fea1eb3
45a66e28d52a509d19451ab3e8f617e7bf8747bcfa402342f329e8c3c2753691
1a7f0956fbfc7c7f2d27d3c1c2d0fca034c4a1189199f271bab6afa86f1c09f1
ea58d993cbcf1eed9a1704d4d1c9214287d443fcc4ceb07fff8b1eb612a7ad25
40416b7202af7f08da4247ba4476c05deb3dff3ce0d4fed0b5a85de08cc70305
542f221b9fa1256adc485b6ec8903ce98d7e603ad2f952136e623b241dbd23b5
4fe66537aaf6e90d6a7ed832a1173a0f492e5368c32fb4a558f8c84419d0a445
bfcb1958250aa9d1fac83c6d07f7e488013b5e2ed56e85520930c55eb3f9add4
cf58d04112b783312525fb71ca8b1a0cf2980d2acc90333ea6c8383fecd95c6b
76a556858762323948f2f327262cad46d28cc587339757ba20215013c28c2377
f7e76688d21158c2dad451208687133fadb92491675c1fb25e03379b19811b43
c395c460b10a425db80c8a011fc8bade417c891014297d39fd8088de1ced23fc
e125b6501a04f121606acff83a6f9d1ed60c6e9609ff288c64ac5f5139576020
a9e39635327d85706bdb626e574f10b0fcdbee3514f339502c9ae39fa17742aa
7cb8c35f08015af2a11768e9320bf4b0daa44cc90e4518a9b7c7ae5d04551a43
2007c8c0133383ca826574b0c2196c5cd94b91fc3d94acecb5d1fb0e05ce954f
f73ac7847eef2a24bc5924c24e1faad909c88bc2f26926db343a2c96275e870a
db2be633864e40fb6373053344179e3011de80431252752355f5dcbcb1bca648
0ba2140f6bfc8b6a3ed5251a91da0a02b49a610d36991f0c1ff69f19be202a41
db8aecd0e1653c6c295e0a340774d170697fdce5b47325dea53572895b99c4ec
Domains
logisctismes.duckdns.org
0.tcp.ngrok.io
0.tcp.eu.ngrok.io
2.tcp.ngrok.io
bestsuccess.ddns.net
severdops.ddns.net
4.tcp.ngrok.io
fresh01.ddns.net
whatgodcannotdodoestnotexist.duckdns.org
niiarmah.kozow.com
4.tcp.eu.ngrok.io
6.tcp.ngrok.io
8.tcp.ngrok.io
0.tcp.sa.ngrok.io
5.tcp.eu.ngrok.io
arxyz-40280.portmap.host
ziggynas10.ddns.net
runam.ddns.net
widda1.ddns.net
windda.ddns.net
URLs
http://77.91.124.20/store/games/Plugins/cred64.dll
http://p4-preview.runhosting.com/breakingsec02.co.nf/Remcos/logaccess.php
http://p4-preview.runhosting.com/breakingsec02.co.nf/Remcos/OnlineCheck-v4.php
http://94.156.69.174:7459/
http://p4-preview.runhosting.com/breakingsec02.co.nf/Remcos/upd_free.txt
http://p4-preview.runhosting.com/breakingsec02.co.nf/Remcos/login.php
http://170.205.31.90:3333/
Last Seen at
Last Seen at

Recent blog posts

post image
5 SOC Challenges and How Threat Intelligence...
watchers 257
comments 0
post image
ANY.RUN Recognized as Threat Intelligence Com...
watchers 557
comments 0
post image
ANY.RUN & ThreatQ: Boost Detection Rate,...
watchers 511
comments 0

What is Remcos trojan?

Remcos is a remote access trojan – a malware used to take remote control over infected PCs. This malicious software has been operational since 2016 when it first became available for sale in the underground hacker communities on the dark web.

Remcos RAT has been receiving substantial updates throughout its lifetime. In fact, this malware is being maintained extremely actively, with new releases coming out almost every month. In April 2019, the malware was available for purchase for as little as just over 60 dollars up to over 400 dollars depending on the selected package.

In Q2 2024, Remcos was named the second most popular malware according to ANY.RUN's report on the current threat landscape.

General description of Remcos trojan

This trojan is created and sold to clients by a “business” called Breaking Security. Although Breaking Security promises that the program is only available to those who intend to use it for legal purposes, in reality, Remcos RAT gives clients all necessary features to launch potentially destructive attacks. The malware can be purchased with different cryptocurrencies. The program can remotely control PCs with any Windows OS, including XP and newer. It can also capture screenshots, record keystrokes on infected machines, and send the collected information to host servers.

What’s more, it comes equipped with a crypto program that enables the malware to stay hidden from antivirus software. In fact, Breaking Security has released a video on its YouTube channel which demonstrates the analysis of how multiple antiviruses fail to detect the presence of the Remcos RAT. In addition, Breaking Security provides attackers with a keylogger that can be used to remotely record keystrokes of the victim, a mass mailer program that can be used to carry out distribution campaigns, and a DynDNS service with a client-server connection. With all additional services combined, purchasers gain all they need to create their own functioning botnets.

The company responsible for selling Remcos RAT to the criminals is registered in Germany. Germany is the only country out of all European Union members that do not allow looking up company details online. Therefore founders of Breaking Security are still not identified. The website itself does not provide any information about the company or the team behind Remcos. The domain name of the website itself is hosted on Cloudflare, and all information related to it is protected by the privacy policy of the hosting organization. Clearly, the people behind Breaking Security have taken a lot of effort to stay anonymous.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Remcos malware analysis

Remcos RAT execution and analysis can be watched in-depth in a video recorded in the ANY.RUN malware hunting service. Moreover, you can also research other malicious families there such as AZORult and Adwind.

process graph of the Remcos execution Figure 1: Displays the lifecycle of Remcos as presented by a visual graph generated by ANY.RUN

text report 0f the Remcos trojan analysis Figure 2: A customizable text report generated by ANY.RUN is a feature specifically developed to simplify the sharing of analysis results.

Remcos trojan execution process

Remcos trojan can be delivered in different forms. Based on RAT's analysis, it can be spread as an executable file with the name that should convince users to open it, or it pretends to be a Microsoft Word file that exploits vulnerabilities to download and execute the main payload, obfuscate the server component.

In our analysis, after Remcos made its way to infect the device and begin the execution process, it started VBS script execution. Script ran command line and proceeded to drop an executable file from it. remcos execution process tree Figure 3: Execution processes of Remcos as displayed by the ANY.RUN malware analysis service

This file was the main payload, and it carried out the main malicious activities – stealing information, changing the autorun value in the registry, and connecting to the C2 server.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

How to detect Remcos using ANY.RUN?

Cybersecurity specialists can easily detect Remcos – the trojan writes its name into a registry. Look at registry events: click on the process and then on the More Info button. If the Registry changes tab has a key like "HKEY_CURRENT_USER\Software\Remcos-{digits_letters}", you can be sure it’s Remcos.

remcos log file Figure 4: Remcos registry changes analysis

Gathering threat intelligence on Remcos malware

To collect up-to-date intelligence on Remcos, use Threat Intelligence Lookup.

This service gives you access to a vast database filled with insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox.

With over 40 customizable search parameters, including IPs, domains, file names, and process artifacts, you can efficiently gather relevant data on threats like Remcos.

Remcos ANY.RUN Search results for Remcos in Threat Intelligence Lookup

For example, you can search directly for the threat name or use related indicators like hash values or network connections. Submitting a query such as threatName:"remcos" AND domainName:"" will generate a list of files, events, domain names, and other data extracted from Remcos samples along with sandbox sessions that you can explore in detail to gain comprehensive insights into this malware’s behavior.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Distribution of Remcos

Although being distributed using multiple methods, being provided in a bundle with mass mailer software, the analysis proves that Remcos RAT usually gets into victims’ machines through malicious attachments in spam email campaigns. The attackers normally use phishing techniques to try and trick users into downloading file attachments, commonly – contaminated Microsoft Office files. Once downloaded, the files would prompt the users to activate the macros required for the execution of Ramcos to start.

Attackers who utilize this trojan are known to target specific organizations and sometimes go a long way to craft custom phishing emails designed to fool their victims. Corporations that are known to become targets of Remcos attacks include news agencies and businesses energy industry-related businesses.

If the victim does enable the macros, they reconstruct a small executable file which is then dropped to a pre-specified location and launched from there. This file then proceeds to download the main payload, which is Remcos itself, from a control server and then begin the execution process. Even though the location can vary from sample to sample, it usually includes one of the following locations, typical for malware creators: %APPDATA% and %TEMP%.

Conclusion

Remcos RAT is a dangerous trojan available to attackers for a relatively low price. Despite its accessibility, it comes equipped with enough robust features to allow attackers to set up their own effective botnets. What's more, it is modernized with updates released nearly every month by the owner company. Accessibility and powerful feature set helped to make Ramcos into a powerful and dangerous trojan.

Thankfully, malware hunting services such as ANY.RUN gives professionals an equally robust feature set to research threats like Ramcos and respond with effective countermeasures.

Create your free ANY.RUN account to analyze malware and phishing without limits!

HAVE A LOOK AT

Botnet screenshot
Botnet
botnet
A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet.
Read More
Jigsaw screenshot
Jigsaw
jigsaw
The Jigsaw ransomware, initially detected in 2016, encrypts files on compromised systems and requires a ransom payment in Bitcoin. If the ransom is not paid, the malware starts deleting files, increasing the pressure on victims to comply. Its source code is publicly accessible, allowing various threat actors to customize and repurpose the malware for different objectives.
Read More
Orcus RAT screenshot
Orcus RAT
orcus rat trojan
Orcus is a modular Remote Access Trojan with some unusual functions. This RAT enables attackers to create plugins using a custom development library and offers a robust core feature set that makes it one of the most dangerous malicious programs in its class.
Read More
Mamba 2FA screenshot
Mamba 2FA
mamba
Mamba 2FA is an advanced phishing-as-a-service (PhaaS) platform designed to bypass multi-factor authentication (MFA) and target Microsoft 365 accounts. It focuses on intercepting authentication flows in real-time and enables threat actors to hijack user sessions and access sensitive systems even when additional security measures are in place.
Read More
SSLoad screenshot
SSLoad
ssload
SSLoad is a malicious loader or downloader that is used to infiltrate target systems through phishing emails, perform reconnaissance and transmit it back to its operators delivering malicious payloads. To avoid detection, SSLoad employs various encryption methods and delivery techniques highlighting its versatile nature and complexity. It is believed to be a part of Malware-as-a-Service (MaaS) operation given its diverse delivery methods and implemented techniques.
Read More
BTMOB RAT screenshot
BTMOB RAT
btmob
BTMOB RAT is a remote access Trojan (RAT) designed to give attackers full control over infected devices. It targets Windows and Android endpoints. Its modular structure allows operators to tailor capabilities, making it suitable for espionage, credential theft, financial fraud, and establishing long-term footholds in corporate networks.
Read More