{
  "name": "Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Four",
  "slug": "dissecting-remcos-rat-an-in-depth-analysis-of-a-widespread-2024-malware-part-four",
  "description": "This report examines the REMCOS Remote Access Trojan (RAT), a malware family that saw widespread use in 2024. It covers the malware's configuration structure, command-and-control (C2) capabilities, persistence mechanisms, and evasion techniques, and describes detection strategies built on Elastic technologies. The attached observables consist of C2 IP addresses and IP:port pairs, DuckDNS dynamic-DNS domains, and 64-character hex hashes (SHA-256 length) for related samples. The http:// scheme prefix on the IP:port entries (including ports such as 465 and 2404) appears to be an aggregation artifact rather than evidence of HTTP transport, so treat them as host:port indicators. Dynamic-DNS domains and the associated IPs are short-lived; pivot on the file hashes and the mapped ATT&CK techniques for more durable detection.",
  "published": "2024-05-09T13:14:19+00:00",
  "created_at": "2024-05-09T13:14:19+00:00",
  "modified_at": "2024-05-09T14:24:12+00:00",
  "created_at_opencti": "2024-05-09T13:14:19+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-05-04",
    "2024-05-05",
    "2024-05-06",
    "2024-05-07",
    "2024-05-08",
    "2024-05-09",
    "credential-theft",
    "evasion",
    "persistence",
    "rat",
    "remcos",
    "remote access"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "77.105.132.70"
      },
      {
        "id": "",
        "name": "185.70.104.90"
      },
      {
        "id": "",
        "name": "104.250.180.178"
      },
      {
        "id": "",
        "name": "43.230.202.33"
      },
      {
        "id": "",
        "name": "122.176.133.66"
      },
      {
        "id": "",
        "name": "107.175.229.139"
      },
      {
        "id": "",
        "name": "http://remchukwugixiemu4.duckdns.org:57846"
      },
      {
        "id": "",
        "name": "http://remchukwugixiemu4.duckdns.org:57844"
      },
      {
        "id": "",
        "name": "http://remchukwugix231fgh.duckdns.org:57846"
      },
      {
        "id": "",
        "name": "http://remchukwugix231fgh.duckdns.org:57844"
      },
      {
        "id": "",
        "name": "http://money001.duckdns.org:9596"
      },
      {
        "id": "",
        "name": "http://77.105.132.70:8080"
      },
      {
        "id": "",
        "name": "http://77.105.132.70:80"
      },
      {
        "id": "",
        "name": "http://77.105.132.70:465"
      },
      {
        "id": "",
        "name": "http://77.105.132.70:2404"
      },
      {
        "id": "",
        "name": "http://43.230.202.33:7056"
      },
      {
        "id": "",
        "name": "http://185.70.104.90:8080"
      },
      {
        "id": "",
        "name": "http://185.70.104.90:80"
      },
      {
        "id": "",
        "name": "http://185.70.104.90:465"
      },
      {
        "id": "",
        "name": "http://185.70.104.90:2404"
      },
      {
        "id": "",
        "name": "http://122.176.133.66:2667"
      },
      {
        "id": "",
        "name": "http://122.176.133.66:2404"
      },
      {
        "id": "",
        "name": "http://107.175.229.139:8087"
      },
      {
        "id": "",
        "name": "http://104.250.180.178:7902"
      },
      {
        "id": "",
        "name": "remchukwugixiemu4.duckdns.org"
      },
      {
        "id": "",
        "name": "remchukwugix231fgh.duckdns.org"
      },
      {
        "id": "",
        "name": "money001.duckdns.org"
      },
      {
        "id": "",
        "name": "ba6ee802d60277f655b3c8d0215a2abd73d901a34e3c97741bc377199e3a8670"
      },
      {
        "id": "",
        "name": "b1a149e11e9c85dd70056d62b98b369f0776e11b1983aed28c78c7d5189cfdbf"
      },
      {
        "id": "",
        "name": "95dfdb588c7018babd55642c48f6bed1c281cecccbd522dd40b8bea663686f30"
      },
      {
        "id": "",
        "name": "8c9202885700b55d73f2a76fbf96c1b8590d28b061efbadf9826cdd0e51b9f26"
      },
      {
        "id": "",
        "name": "517f65402d3cf185037b858a5cfe274ca30090550caa39e7a3b75be24e18e179"
      },
      {
        "id": "",
        "name": "3e32447ea3b5f07c7f6a180269f5443378acb32c5d0e0bf01a5e39264f691587"
      },
      {
        "id": "",
        "name": "0af76f2897158bf752b5ee258053215a6de198e8910458c02282c2d4d284add5"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:196436899fefaba3",
        "name": "REMCOS",
        "slug": "remcos"
      }
    ],
    "intrusion_sets": [
      {
        "id": "e578e7f3-f3e5-4bd1-a77f-94f7455e12f4",
        "name": "REMCOS",
        "slug": "remcos"
      }
    ],
    "attack_patterns": [
      {
        "id": "02abb0a8-0ebf-433b-987f-e25675af60d6",
        "name": "T1055.001"
      },
      {
        "id": "d048ac4b-dd28-4c66-b62b-fe25cefef481",
        "name": "T1548.002"
      },
      {
        "id": "9e784d22-5a6c-4da6-968a-5fab2f019efd",
        "name": "T1059.005"
      },
      {
        "id": "a72b6e11-a5d5-4f5a-8f0d-8861e90c34f7",
        "name": "T1555"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "a7262c61-4567-4a00-8cec-aae6264234a9",
        "name": "T1218"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ]
  },
  "external_refs": [
    "https://www.elastic.co/security-labs/dissecting-remcos-rat-part-four",
    "https://otx.alienvault.com/pulse/663ce84b45726f40153555b3"
  ]
}