216.73.217.22

Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Four

· Published 09/05/2024 15:14 · Modified 09/05/2024 16:24

Export JSON

Essential information

Published
09/05/2024 15:14
Modified
09/05/2024 16:24
Tags
2024-05-04 2024-05-05 2024-05-06 2024-05-07 2024-05-08 2024-05-09 credential-theft evasion persistence rat remcos remote access
Related entities
34 observables, 1 intrusion sets (apt), 8 techniques (mitre), 1 malware

Description

This comprehensive analysis provides a thorough examination of the Trojan (), a prominent malware threat that gained significant prevalence in 2024. The analysis delves into the malware's configuration structure, command and control capabilities, mechanisms, and techniques, while also offering insights into effective detection strategies using Elastic technologies.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Observables (34)

  • 77.105.132.70
  • 185.70.104.90
  • 104.250.180.178
  • 43.230.202.33
  • 122.176.133.66
  • 107.175.229.139
  • http://remchukwugixiemu4.duckdns.org:57846
  • http://remchukwugixiemu4.duckdns.org:57844
  • http://remchukwugix231fgh.duckdns.org:57846
  • http://remchukwugix231fgh.duckdns.org:57844
  • http://money001.duckdns.org:9596
  • http://77.105.132.70:8080
  • http://77.105.132.70:80
  • http://77.105.132.70:465
  • http://77.105.132.70:2404
  • http://43.230.202.33:7056
  • http://185.70.104.90:8080
  • http://185.70.104.90:80
  • http://185.70.104.90:465
  • http://185.70.104.90:2404
  • http://122.176.133.66:2667
  • http://122.176.133.66:2404
  • http://107.175.229.139:8087
  • http://104.250.180.178:7902
  • remchukwugixiemu4.duckdns.org
  • remchukwugix231fgh.duckdns.org
  • money001.duckdns.org
  • ba6ee802d60277f655b3c8d0215a2abd73d901a34e3c97741bc377199e3a8670
  • b1a149e11e9c85dd70056d62b98b369f0776e11b1983aed28c78c7d5189cfdbf
  • 95dfdb588c7018babd55642c48f6bed1c281cecccbd522dd40b8bea663686f30
  • 8c9202885700b55d73f2a76fbf96c1b8590d28b061efbadf9826cdd0e51b9f26
  • 517f65402d3cf185037b858a5cfe274ca30090550caa39e7a3b75be24e18e179
  • 3e32447ea3b5f07c7f6a180269f5443378acb32c5d0e0bf01a5e39264f691587
  • 0af76f2897158bf752b5ee258053215a6de198e8910458c02282c2d4d284add5

Intrusion sets (APT) (1)

  • REMCOS
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 04:37 · Modified 21/12/2025 04:37

Techniques (MITRE) (8)

  • T1055.001
    Dynamic-link Library Injection
  • T1548.002
    Bypass User Account Control
  • T1059.005
    Visual Basic
  • T1555
    Credentials from Password Stores
  • T1573
    Encrypted Channel
  • T1218
    System Binary Proxy Execution
  • T1055
    Process Injection
  • T1059
    Command and Scripting Interpreter

Malware (1)

  • Remcos
    Family
    Published 05/05/2026 18:45 · Modified 05/05/2026 18:45

External references