{
	"id": "a4f521be-eca4-4610-a79b-bdb92c25df91",
	"created_at": "2026-04-06T01:29:47.1747Z",
	"updated_at": "2026-04-10T03:21:19.557109Z",
	"deleted_at": null,
	"sha1_hash": "d52b75e9a803f7f7da4ecb3dd0bf64c5e6bdfd25",
	"title": "Remcos RAT New TTPS – Detection \u0026 Response - Security Investigation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 161303,
	"plain_text": "Remcos RAT New TTPS – Detection \u0026 Response - Security\r\nInvestigation\r\nBy BalaGanesh\r\nPublished: 2022-08-29 · Archived: 2026-04-06 00:31:06 UTC\r\nRemcos is a remote access trojan (RAT), malware used to take remote control of infected PCs. The trojan is developed\r\nand sold to customers by a “business” called Breaking Security.\r\nAlthough Breaking Security claims the program is sold only to those who intend to use it for legal purposes, in\r\npractice Remcos gives its customers every feature needed to launch potentially destructive attacks. The malware can\r\nbe purchased with several cryptocurrencies.\r\nIt can capture screenshots, record keystrokes on infected machines, and send the collected information to its\r\ncommand-and-control (C2) servers.\r\nRemcos can be delivered in different forms. Based on analysis of the RAT, it is spread either as an executable file\r\nwhose name is chosen to convince users to open it, or as a file posing as a Microsoft Word document that downloads and\r\nexecutes the main payload.\r\nRecent distributions use both executables and disk image files (ISO/IMG) as the delivery vehicle.\r\nhttps://www.socinvestigation.com/remcos-rat-new-ttps-detection-response/\r\nPage 1 of 4\n\nExecutable files as Payload\r\nOn infected machines the attackers leverage Windows built-ins: schtasks.exe, which lets an administrator create, delete,\r\nquery, change, run and end scheduled tasks on a local or remote computer (typically used here for persistence), and\r\nvbc.exe, the Visual Basic compiler shipped with the Microsoft .NET Framework at\r\nC:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\vbc.exe, which is used to compile attacker-supplied code on the\r\nsystem. Building the payload locally instead of dropping a pre-compiled binary helps it bypass signature-based\r\ndefensive countermeasures.\r\nImage files as Payload\r\nThe second method uses a mounted ISO image, as Qbot does. 
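The following Python script is an added example (not code from the socinvestigation.com post) that turns the behaviours described on this page into detection logic run over constructed Sysmon-style events: the schtasks.exe and vbc.exe pattern from the executable-payload variant, the easinvoker.exe launch and execution from a mounted image in the ISO variant, the file-drop rule that the SIEM queries further down express (.iso/.img/.exe written under a user's Downloads or Content.Outlook folder), and matches against the MD5 hashes, domain and IPs in the post's indicator list. Event field names follow Sysmon (EventID 1, 3, 11, 22); the sample events, user name, file names, task name and command lines are constructed for the example and are not real telemetry.

```python
from typing import Dict, List, Optional

# Added example, not code from the socinvestigation.com post. Field names follow
# Sysmon event schemas; every sample event below is constructed for illustration.

BS = chr(92)  # a single backslash character, used to build Windows paths

# MD5 hashes, domain and IPs from the post's indicator list
KNOWN_BAD_MD5 = {
    '6d25e04e66cccb61648f34728af7c2f2',
    'f331c18c3f685d245d40911d3bd20519',
    '8cea687c5c02c9b71303c53dc2641f03',
}
KNOWN_BAD_HOSTS = {'falimore001.hopto.org', '178.237.33.50', '194.147.140.29'}
# geoplugin.net is also listed on the page, but it is a public geolocation API
# that Remcos queries to locate the victim; too noisy to alert on by itself.
CORROBORATING_HOSTS = {'geoplugin.net'}

Event = Dict[str, object]


def norm(path: object) -> str:
    '''Lower-case a Windows path and turn backslashes into forward slashes so the
    rules can use plain substring tests instead of heavily escaped regexes.'''
    return str(path or '').replace(BS, '/').lower()


def file_drop_rule(ev: Event) -> Optional[str]:
    '''Sysmon Event ID 11 (FileCreate): disk image or executable written into a
    user's Downloads folder or Outlook's attachment cache (Content.Outlook).
    This is the rule the SIEM queries on the page encode.'''
    if ev.get('EventID') != 11:
        return None
    path = norm(ev.get('TargetFilename'))
    if not path.endswith(('.iso', '.img', '.exe')):
        return None
    if '/users/' in path and ('/downloads/' in path or '/content.outlook/' in path):
        return 'file drop: ' + str(ev.get('TargetFilename'))
    return None


def process_rule(ev: Event) -> Optional[str]:
    '''Sysmon Event ID 1 (ProcessCreate): the built-in binaries the post names,
    plus execution straight from a mounted image.'''
    if ev.get('EventID') != 1:
        return None
    image = norm(ev.get('Image'))
    cmd = str(ev.get('CommandLine') or '').lower()
    name = image.rsplit('/', 1)[-1]
    if name == 'vbc.exe' and '/microsoft.net/framework' in image:
        return 'vbc.exe compile on host: ' + cmd  # attacker code compiled locally
    if name == 'schtasks.exe' and '/create' in cmd:
        return 'scheduled task created: ' + cmd
    if name == 'easinvoker.exe' or image.startswith('/device/cdrom'):
        # easinvoker.exe is the UAC-bypass helper named in the post; a raw
        # Device/CdRom path (reported by some telemetry) means a mounted ISO/IMG
        return 'ISO delivery pattern: ' + image
    return None


def hash_rule(ev: Event) -> Optional[str]:
    '''Match the MD5 in a Sysmon Hashes field (MD5=...,SHA256=...) to the IoC list.'''
    for part in str(ev.get('Hashes') or '').split(','):
        algo, _, value = part.partition('=')
        if algo.strip().upper() == 'MD5' and value.strip().lower() in KNOWN_BAD_MD5:
            return 'known Remcos hash: ' + value.strip().lower()
    return None


def network_rule(ev: Event) -> Optional[str]:
    '''Sysmon Event ID 3 (NetworkConnect) and 22 (DnsQuery) against the C2 indicators.'''
    if ev.get('EventID') not in (3, 22):
        return None
    for key in ('DestinationIp', 'DestinationHostname', 'QueryName'):
        value = str(ev.get(key) or '').lower().rstrip('.')
        if value in KNOWN_BAD_HOSTS:
            return 'known Remcos C2 indicator: ' + value
        if value in CORROBORATING_HOSTS:
            return 'corroborating only (geolocation API used by Remcos): ' + value
    return None


RULES = (file_drop_rule, process_rule, hash_rule, network_rule)


def run(events: List[Event]) -> List[str]:
    '''Apply every rule to every event; return the alerts in input order.'''
    return [hit for ev in events for rule in RULES for hit in [rule(ev)] if hit]


def win(*parts: str) -> str:
    '''Join path components with backslashes into a Windows path.'''
    return BS.join(parts)


TMP_EXE = win('C:', 'Users', 'alice', 'AppData', 'Local', 'Temp', 'xq1z.exe')  # constructed name
# Constructed sample telemetry (not real events), in the order an endpoint would see it
SAMPLE_EVENTS: List[Event] = [
    {'EventID': 11, 'TargetFilename': win('C:', 'Users', 'alice', 'AppData', 'Local', 'Microsoft',
                                          'Windows', 'INetCache', 'Content.Outlook', '7HX2K9LM', 'Invoice.iso')},
    {'EventID': 1, 'Image': win('D:', 'easinvoker.exe'), 'CommandLine': 'easinvoker.exe'},  # D: is the mounted ISO
    {'EventID': 1, 'Image': win('C:', 'Windows', 'Microsoft.NET', 'Framework64', 'v4.0.30319', 'vbc.exe'),
     'CommandLine': 'vbc.exe /noconfig /out:' + TMP_EXE + ' ' + TMP_EXE[:-3] + 'vb'},
    {'EventID': 1, 'Image': TMP_EXE, 'CommandLine': 'xq1z.exe', 'Hashes': 'MD5=F331C18C3F685D245D40911D3BD20519'},
    {'EventID': 1, 'Image': win('C:', 'Windows', 'System32', 'schtasks.exe'),
     'CommandLine': 'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr ' + TMP_EXE},
    {'EventID': 22, 'Image': TMP_EXE, 'QueryName': 'falimore001.hopto.org'},
    {'EventID': 3, 'Image': TMP_EXE, 'DestinationIp': '178.237.33.50', 'DestinationPort': 2404},
    {'EventID': 22, 'Image': TMP_EXE, 'QueryName': 'geoplugin.net'},
    {'EventID': 1, 'Image': win('C:', 'Windows', 'System32', 'notepad.exe'), 'CommandLine': 'notepad.exe',
     'Hashes': 'MD5=00000000000000000000000000000000'},  # benign control event
]

if __name__ == '__main__':
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Two of these rules need tuning before production use: vbc.exe runs legitimately under MSBuild and Visual Studio, so exclude developer hosts or require a parent process other than a build tool, and the Downloads rule fires on every browser download of an installer, so either restrict it to .iso/.img (far rarer in mail flow) or correlate the file create with a subsequent mount and process launch from the new drive letter, which is the chain the ISO variant actually produces.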
Infected machines use a UAC bypass via\r\neasinvoker.exe; the malicious image file is mounted (it appears under \\Device\\CdRom) and the malware is executed\r\nfrom the mounted volume.\r\nSource: https://twitter.com/SBousseaden\r\nIndicators of Compromise\r\nFile hashes (MD5):\r\n6d25e04e66cccb61648f34728af7c2f2\r\nf331c18c3f685d245d40911d3bd20519\r\n8cea687c5c02c9b71303c53dc2641f03\r\nDomains:\r\nhttp[:]//geoplugin.net/json.gp\r\nfalimore001[.]hopto.org\r\nIP addresses:\r\n178[.]237.33.50\r\n194[.]147.140.29\r\nNote that geoplugin.net is a public geolocation API which Remcos queries to locate the victim; it also carries\r\nlegitimate traffic, so treat it as corroborating evidence rather than a standalone alert and pivot on the hopto.org\r\nhost and the two IP addresses instead.\r\nSplunk:\r\nsource=\"WinEventLog:*\" AND (((TargetFilename=\"*.iso\" OR TargetFilename=\"*.img\" OR TargetFilename=\"*.exe\") AND (\r\nQradar:\r\nSELECT UTF8(payload) from events where (LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' an\r\nElastic Query:\r\n((file.path.text:(*.iso OR *.img OR *.exe) AND file.path.text:(*\\\\Users\\*\\\\Downloads\\* OR *\\\\Users\\*\\\\Content.O\r\nCarbonBlack:\r\n((filemod_name:(*.iso OR *.img OR *.exe) AND filemod_name:(*\\\\Users\\*\\\\Downloads\\* OR *\\\\Users\\*\\\\Content.Outlo\r\nGrayLog:\r\n((TargetFilename.keyword:(*.iso *.img *.exe) AND TargetFilename.keyword:(*\\\\Users\\*\\\\Downloads\\* *\\\\Users\\*\\\\Co\r\nLogpoint:\r\n((TargetFilename IN [\"*.iso\", \"*.img\", \"*.exe\"] TargetFilename IN [\"*\\\\Users\\*\\\\Downloads\\*\", \"*\\\\Users\\*\\\\Cont\r\nMicrosoft Sentinel:\r\nSecurityEvent | where (((TargetFilename endswith '.iso' or TargetFilename endswith '.img' or TargetFilename end\r\nRSA Netwitness:\r\n(((TargetFilename contains '.iso', '.img', '.exe') \u0026\u0026 (TargetFilename regex '.*\\\\Users\\.*\\\\Downloads\\.*', '.*\\\\\r\nSecuronix:\r\nindex = archive AND (rg_functionality = \"Microsoft Windows\" AND (((rawevent CONTAINS \".iso\" OR rawevent 
CONTAIN\r\nSumoLogic:\r\n(_sourceCategory=*windows* AND ((((\".iso\" OR \".img\" OR \".exe\") AND ((\"\\Users\\\" AND \"\\Downloads\\\") OR (\"\\Users\\\"\r\nEach of the queries above (truncated here) encodes the same rule: a file-create event for a .iso, .img or .exe whose\r\npath falls under a user's Downloads folder or under Outlook's Content.Outlook attachment cache, i.e. the drop of the\r\ndelivery file before it is mounted or executed.\r\nRemcos is a dangerous trojan available to attackers for a relatively low price. Despite its accessibility, it comes\r\nwith enough robust features to let attackers set up their own effective botnets, and it is kept current with updates\r\nreleased nearly every month by the vendor.\r\nSource: https://www.socinvestigation.com/remcos-rat-new-ttps-detection-response/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.socinvestigation.com/remcos-rat-new-ttps-detection-response/"
	],
	"report_names": [
		"remcos-rat-new-ttps-detection-response"
	],
	"threat_actors": [],
	"ts_created_at": 1775438987,
	"ts_updated_at": 1775791279,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d52b75e9a803f7f7da4ecb3dd0bf64c5e6bdfd25.pdf",
		"text": "https://archive.orkl.eu/d52b75e9a803f7f7da4ecb3dd0bf64c5e6bdfd25.txt",
		"img": "https://archive.orkl.eu/d52b75e9a803f7f7da4ecb3dd0bf64c5e6bdfd25.jpg"
	}
}