BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
9
Global rank
3 infographic chevron month
Month rank
2 infographic chevron week
Week rank
2671
IOCs

Remcos is a RAT type malware that attackers use to perform actions on infected machines remotely. This malware is extremely actively caped up to date with updates coming out almost every single month.

Trojan
Type
ex-USSR territory
Origin
1 June, 2016
First seen
14 July, 2024
Last seen

How to analyze Remcos with ANY.RUN

Type
ex-USSR territory
Origin
1 June, 2016
First seen
14 July, 2024
Last seen

IOCs

IP addresses
204.10.160.230
172.93.218.178
45.66.231.218
185.196.9.78
104.250.180.178
192.161.184.21
20.193.136.174
94.156.65.182
103.237.87.156
147.124.212.130
192.3.95.204
103.237.87.40
103.186.116.90
212.162.149.42
62.204.41.246
77.48.28.227
103.237.87.32
62.102.148.166
64.188.26.202
103.237.87.159
Hashes
d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486
9271b609db698f886795f121d1d110acf0a4959eaf5d94a93ade96b6a6cf0a95
6cb42cc70376a4ba12627c2f6755d4235beffe85a6600dc91ffd7c22cb61df96
a5a88cbc89b94a0c071a828120d7247b72135d881b0d06efa2d114b988b41c36
7fd1e285f1e5ce2a63513d7122f54b4c02bec1645aab6ae3b74139a60805bd4c
3da90b636e39cd1f67e3542c60d813c6ff8152f7f740b3ef4ef086ef120836df
a662577f902f877793cb9ab2a7a6101344f8026d62a69dedcdbff8b1930089bf
3b1e9fdaa4498632c2bba540bfd00bb27a5301cd53eb7d298169c6a80beec3d8
0da9e22388ed115d5e70170880ce75efcc2c05be05f720b02e7dbfe351ebe92a
7cd77a765069b1826b7594f693608500096f6f902c25b7994fa4d58bfe91be66
e24cc9fe89d82b303593dd7aa9557fc98d3550d54a6c34dcca79a64b28d5b5a8
1a42950011efa48efad99c53904d84f0d89ee37077edce320f9781a68cfa9c4f
1420740ae60f1f20553571bdf43e379698e2cb81bbf925e4ea5da93238f54f4a
d5a1b80f534871efd0a4f5d8f2dd169e8e35751ef0416dcd4af929daa82e5687
56d0325f0952f20ec5db961bcc263238ba251e8cf8f6bb5105466ee46c2db313
a11f84458eb6e2663905a5f98596fb495ae8b813cd28f3cda787377976168453
d9246f695e49b01a500e99375148b40689fdd119cad9b137e7edee2d8d75ebd3
7a4b3aacae75e9cfe374cbdcf74f6b1b0dc2dea8bd57833f82a1a3ef21e9b6c3
40f0963509067366045fc473e8f6743f84aa4594d819be515f0775aca593b640
897a97b958884456ec4bc6222c29db3057ab0df05c31de0ad02fa1b0ab6a4730
Domains
logisctismes.duckdns.org
areaseguras.con-ip.com
5.tcp.eu.ngrok.io
marli27.duckdns.org
miguel2025.kozow.com
higlkgligliygligly.con-ip.com
mfjnfijndifsiisihddd.con-ip.com
kknuhdbsusuuhdbds.con-ip.com
jantasagasa.duckdns.org
remcoss2024feb.duckdns.org
kezdns.pro
aero9just.online
tydyjtdfjhtf.con-ip.com
vegetachcnc.com
bossnacarpet.com
www.dpm-sael.com
transportation-instructor.gl.at.ply.gg
newskingdomz.live
jesusgabrielahumadalora09.con-ip.com
newssssssssssssss.duckdns.org
URLs
http://p4-preview.runhosting.com/breakingsec02.co.nf/Remcos/logaccess.php
http://p4-preview.runhosting.com/breakingsec02.co.nf/Remcos/OnlineCheck-v4.php
http://p4-preview.runhosting.com/breakingsec02.co.nf/Remcos/upd_free.txt
http://p4-preview.runhosting.com/breakingsec02.co.nf/Remcos/login.php
Last Seen at

Recent blog posts

post image
Malware Trends Report: Q2, 2024 
watchers 1341
comments 0
post image
A Guide to Common Encryption Algorithms in Mo...
watchers 360
comments 0
post image
Search for Network Threats by Suricata in TI...
watchers 684
comments 0

What is Remcos trojan?

Remcos is a remote access trojan – a malware used to take remote control over infected PCs. This malicious software has been operational since 2016 when it first became available for sale in the underground hacker communities on the dark web.

Remcos RAT has been receiving substantial updates throughout its lifetime. In fact, this malware is being maintained extremely actively, with new releases coming out almost every month. In April 2019, the malware was available for purchase for as little as just over 60 dollars up to over 400 dollars depending on the selected package.

General description of Remcos trojan

This trojan is created and sold to clients by a “business” called Breaking Security. Although Breaking Security promises that the program is only available to those who intend to use it for legal purposes, in reality, Remcos RAT gives clients all necessary features to launch potentially destructive attacks. The malware can be purchased with different cryptocurrencies. The program can remotely control PCs with any Windows OS, including XP and newer. It can also capture screenshots, record keystrokes on infected machines, and send the collected information to host servers.

What’s more, it comes equipped with a crypto program that enables the malware to stay hidden from antivirus software. In fact, Breaking Security has released a video on its YouTube channel which demonstrates the analysis of how multiple antiviruses fail to detect the presence of the Remcos RAT. In addition, Breaking Security provides attackers with a keylogger that can be used to remotely record keystrokes of the victim, a mass mailer program that can be used to carry out distribution campaigns, and a DynDNS service with a client-server connection. With all additional services combined, purchasers gain all they need to create their own functioning botnets.

The company responsible for selling Remcos RAT to the criminals is registered in Germany. Germany is the only country out of all European Union members that do not allow looking up company details online. Therefore founders of Breaking Security are still not identified. The website itself does not provide any information about the company or the team behind Remcos. The domain name of the website itself is hosted on Cloudflare, and all information related to it is protected by the privacy policy of the hoster organization. Clearly, the people behind Breaking Security have taken a lot of effort to stay anonymous.

Get started today for free

Easily analyze emerging malware with ANY.RUN interactive online sandbox

Register for free

Remcos malware analysis

Remcos RAT execution and analysis can be watched in-depth in a video recorded in the ANY.RUN malware hunting service. Moreover, you can also research other malicious families there such as AZORult and Adwind.

process graph of the Remcos execution Figure 1: Displays the lifecycle of Remcos as presented by a visual graph generated by ANY.RUN

text report 0f the Remcos trojan analysis Figure 2: A customizable text report generated by ANY.RUN is a feature specifically developed to simplify the sharing of analysis results.

Remcos trojan execution process

Remcos trojan can be delivered in different forms. Based on RAT's analysis, it can be spread as an executable file with the name that should convince users to open it, or it pretends to be a Microsoft Word file that exploits vulnerabilities to download and execute the main payload, obfuscate the server component. In our analysis, after Remcos made its way to infect the device and begin the execution process, it started VBS script execution. Script ran command line and proceeded to drop an executable file from it. This file was the main payload, and it carried out the main malicious activities – stealing information, changing the autorun value in the registry, and connecting to the C2 server.

remcos execution process tree Figure 3: Execution processes of Remcos as displayed by the ANY.RUN malware analysis service

Distribution of Remcos

Although being distributed using multiple methods, being provided in a bundle with mass mailer software, the analysis proves that Remcos RAT usually gets into victims’ machines through malicious attachments in spam email campaigns. The attackers normally use phishing techniques to try and trick users into downloading file attachments, commonly – contaminated Microsoft Office files. Once downloaded, the files would prompt the users to activate the macros required for the execution of Ramcos to start.

Attackers who utilize this trojan are known to target specific organizations and sometimes go a long way to craft custom phishing emails designed to fool their victims. Corporations that are known to become targets of Remcos attacks include news agencies and businesses energy industry-related businesses.

If the victim does enable the macros, they reconstruct a small executable file which is then dropped to a pre-specified location and launched from there. This file then proceeds to download the main payload, which is Remcos itself, from a control server and then begin the execution process. Even though the location can vary from sample to sample, it usually includes one of the following locations, typical for malware creators: %APPDATA% and %TEMP%.

How to detect Remcos using ANY.RUN?

Cybersecurity specialists can easily detect Remcos – the trojan writes its name into a registry. Look at registry events: click on the process and then on the More Info button. If the Registry changes tab has a key like "HKEY_CURRENT_USER\Software\Remcos-{digits_letters}", you can be sure it’s Remcos.

remcos log file Figure 4: Remcos registry changes analysis

Conclusion

Remcos RAT is a dangerous trojan available to attackers for a relatively low price. Despite its accessibility, it comes equipped with enough robust features to allow attackers to set up their own effective botnets. What's more, it is modernized with updates released nearly every month by the owner company. Accessibility and powerful feature set helped to make Ramcos into a powerful and dangerous trojan.

Thankfully, malware hunting services such as ANY.RUN gives professionals an equally robust feature set to research threats like Ramcos and respond with effective countermeasures.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy