{
	"id": "cb1ca4cd-4f71-4d11-b0b1-ca161aa42533",
	"created_at": "2026-04-06T00:14:48.154207Z",
	"updated_at": "2026-04-10T03:21:42.498202Z",
	"deleted_at": null,
	"sha1_hash": "ed2fefcf7c3a2fbdf94824ad6698560f2c3b14f0",
	"title": "Picking Apart Remcos Botnet-In-A-Box",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1925792,
	"plain_text": "Picking Apart Remcos Botnet-In-A-Box\r\nBy Edmund Brumaghin\r\nPublished: 2018-08-22 · Archived: 2026-04-05 15:51:19 UTC\r\nThis blog post was authored by Edmund Brumaghin and Holger Unterbrink with contributions from Eric Kuhla\r\nand Lilia Gonzalez Medina.\r\nOverview\r\nCisco Talos has recently observed multiple campaigns using the Remcos remote access tool (RAT) that is offered\r\nfor sale by a company called Breaking Security. While the company says it will only sell the software for\r\nlegitimate uses as described in comments in response to the article here and will revoke the licenses for users not\r\nfollowing their EULA, the sale of the RAT gives attackers everything they need to establish and run a potentially\r\nillegal botnet.\r\nRemcos' prices per license range from €58 to €389. Breaking Security also offers customers the ability to pay for\r\nthe RAT using a variety of digital currencies. This RAT can be used to fully control and monitor any Windows\r\noperating system, from Windows XP and all versions thereafter, including server editions.\r\nIn addition to Remcos, Breaking Security is also offering Octopus Protector, a cryptor designed to allow malicious\r\nsoftware to bypass detection by anti-malware products by encrypting the software on the disk. A YouTube video\r\navailable on the Breaking Security channel demonstrates the tool's ability to facilitate the bypass of several\r\nantivirus protections. Additional products offered by this company include a keylogger, which can be used to\r\nrecord and send the keystrokes made on an infected system, a mass mailer that can be used to send large volumes\r\nof spam emails, and a DynDNS service that can be leveraged for post-compromise command and control (C2)\r\ncommunications. 
These tools, when combined with Remcos, provide all the tools and infrastructure needed to\r\nbuild and maintain a botnet.\r\nWithin Cisco's Advanced Malware Protection (AMP) telemetry, we have observed several instances of attempts to\r\ninstall this RAT on various endpoints. As described below, we have also seen multiple malware campaigns\r\ndistributing Remcos, with many of these campaigns using different methods to avoid detection. To help people\r\nwho became victims of a harmful use of Remcos, Talos is providing a decoder script that can extract the C2 server\r\naddresses and other information from the Remcos binary. Please see the Technical Details section below for more\r\ninformation.\r\nTechnical Details\r\nRemcos distribution in the wild\r\nTalos has observed several malware campaigns attempting to spread Remcos to various victims. Since Remcos is\r\nadvertised and sold on numerous hacking-related forums, we believe it is likely that multiple unrelated actors are\r\nhttps://blog.talosintelligence.com/2018/08/picking-apart-remcos.html\r\nPage 1 of 21\n\nleveraging this malware in their attacks using a variety of different methods to infect systems. Earlier this year,\r\nRiskIQ published a report regarding an attacker who was reportedly targeting defense contractors in Turkey. Since\r\nthen, this threat actor has continued to operate and has been observed targeting specific types of organizations.\r\nTalos has confirmed that in addition to defense contractors, this attacker has also targeted other organizations such\r\nas:\r\nInternational news agencies;\r\nDiesel equipment manufacturers and service providers operating within the maritime and energy sector;\r\nand\r\nHVAC service providers operating within the energy sector.\r\nIn all of the observed campaigns, the attack\r\nbegins with specially crafted spear phishing emails written in Turkish. 
The emails appear as if they were\r\nsent from a Turkish government agency and purport to be related to tax reporting for the victim's\r\norganization. Below is an example of one of these email messages:\r\nThe attacker put effort into making the emails look as if they were official communications from Gelir İdaresi\r\nBaşkanlığı (GIB), the Turkish Revenue Administration, which operates under the Ministry of Finance and is\r\nresponsible for handling taxation functions in Turkey. The attacker even went as far as to include official GIB\r\ngraphics and the text at the bottom, which translates to:\r\n\"Thank you for your participation in the e-mail notification system of [the] Department of Revenue\r\nAdministration's e-mail service. This message has been sent to you by GIB Mail Notification System. Please do\r\nnot reply to this message.\"\r\nAs is common with many spear phishing campaigns, malicious Microsoft Office documents are attached to the\r\nemails. While the majority of these documents have been Excel spreadsheets, we have also observed the same\r\nattacker leveraging Word documents. In many cases, the contents of the document have been intentionally blurred\r\nas a way to entice victims to enable macros and view the content. Below is an example of a Word document\r\nassociated with one of these campaigns that has been made to look as if it is a tax bill:\r\nMany of the Excel spreadsheets we analyzed were mostly blank, and only included the following image and\r\nwarning prompting the victim to enable macros in Turkish:\r\nWe have also observed campaigns that appear to be targeting English-speaking victims. 
Below is an example of\r\none of the malicious attachments that was made to appear as if it were an invoice on letterhead associated with\r\nIberia, which is the flagship airline in Spain.\r\nIn addition to the Iberia-themed malicious documents, we uncovered multiple malicious documents that were\r\ncreated to appear as if they were invoices associated with AMC Aviation, a Polish charter airline. Talos has\r\nobserved the same itinerary decoy image, shown below, used across both Excel and Word documents:\r\nAs described in the RiskIQ report, the macros in these files contain a small executable that is embedded into the\r\ndocument in the form of a series of arrays. When executed, the macros reconstruct the executable, save it to a\r\nspecific location on the system and execute it. The file location specified changes across malicious documents, but\r\nincludes directories commonly used by malware authors such as %APPDATA% and %TEMP%. The executable\r\nfilename also changes across documents.\r\nThe extracted executable is simple and functions as the downloader for the Remcos malware. It is a very basic\r\nprogram and is used to retrieve Remcos from an attacker-controlled server and execute it, thus infecting the\r\nsystem. An example of this is below:\r\nRemcos is a robust RAT that can be used to monitor keystrokes, take remote screen captures, manage files,\r\nexecute commands on infected systems and more. In several cases, the distribution servers associated with these\r\ncampaigns have been observed hosting several other malicious binaries in addition to Remcos.\r\nWho is behind Remcos?\r\nAs previously mentioned, a company called Breaking Security has been offering Remcos and other questionable\r\nsoftware for purchase on their website. 
There are no details about the company or the people behind it listed on its\r\nwebsite. The website does, however, list a value-added tax (VAT) number (DE308884780), which shows the\r\ncompany is registered in Germany. Interestingly, you can look up the name and address of companies in almost\r\nany European Union (EU) country except Germany on this website. Germany does not share this information due\r\nto privacy concerns. Because Breaking Security was registered in Germany, we were unable to identify the name\r\nand address of the individual behind this company. Nevertheless, we were able to identify several artifacts that\r\ngive us an idea as to who might be behind the company.\r\nComparison of Public and Private VAT Entries\r\nThe Breaking Security domain is hosted behind Cloudflare currently, and Whois privacy protects the registrant\r\ninformation. Quite a bit of effort has been put into attempting to mask who is behind this company and the\r\nassociated software. During our analysis, we were able to uncover several clues about the individual that we\r\nbelieve is behind this organization, either due to mistakes or very well-organized false evidence on the internet.\r\nThe first thing we identified was the following email address and domain present in the Viotto Keylogger\r\nscreenshot below:\r\nlogs@viotto[.]it\r\nviotto-security[.]net\r\nWhile the viotto-security[.]net domain server and registrant information is protected similarly to what was seen with\r\nthe breaking-security[.]net domain, the domain viotto[.]it listed in the \"Sender's e-mail\" text field is not. The\r\nWhois information associated with this domain can be seen in the screenshot below:\r\nNormally Talos would obfuscate this data; however, since it is public in so many places, we have elected not to. 
We\r\nalso identified additional email, Jabber, and XMPP addresses that appear to be used by the author of Remcos by\r\nleveraging the data we collected from the website, as well as other sources:\r\nviotto@null[.]pm\r\nviotto24@hotmail[.]it\r\nviotto@xmpp[.]ru\r\nIn multiple cases, the domains investigated were leveraging the Cloudflare service. This often obscures the\r\naddress of servers hosting domains, as the DNS configuration typically points the name resolution to Cloudflare\r\nIPs rather than the IP of the web servers themselves. One common mistake is that while the domain itself may be\r\nprotected by Cloudflare, in many cases, a subdomain exists that does not point to Cloudflare servers, allowing the\r\nserver IP address to be unmasked.\r\nThis was the case with the breaking-security[.]net domain. While Cloudflare shields the domain, their mail\r\nsubdomains are not protected. The A record that was configured for the mail subdomains is as follows:\r\nmail[.]breaking-security[.]net. A 146.66.84[.]79\r\nwebmail[.]breaking-security[.]net A 146.66.84[.]79\r\nThe IP address 146.66.84[.]79 is hosted at SiteGround Amsterdam. After various testing, we are confident that this\r\nis also the IP address where the main breaking-security[.]net website is hosted.\r\nOne of the other domains we identified as being associated with Remcos was viotto-security[.]net. This domain is\r\ncurrently configured to redirect traffic to the main breaking-security[.]net domain. However, this was not always\r\nthe case. Searching for pages associated with this domain in the Wayback Machine, a website that allows users to\r\nview past versions of a web page, yields the following result in the form of a personal biography. 
There are\r\nmultiple clear overlaps between the interests of this individual and the developer of the various tools the company\r\nsells:\r\nWe also identified several instances where Viotto was advertising, selling and supporting Remcos on various\r\nhacking forums, including HackForums since at least 2016, which makes their intentions questionable. Below is\r\nan example of one of these threads.\r\nWhile the company states that they revoke user licenses if they were to use Remcos for illegal activity, as\r\nillustrated by the thread below, the purported official reseller of Remcos doesn't seem to mind another user\r\ninforming it that they are using the software to control 200 bots.\r\nViotto also appears to be active on other hacking forums, including OpenSC, where he is a moderator. Below is a\r\nthread where this user is advertising Remcos and Octopus Protector.\r\nRemcos Technical Details:\r\nAs described in other blog posts, Remcos appears to be developed in C++.\r\nAs the release notes show, it is actively maintained. The authors release new versions on almost a monthly basis:\r\nv2.0.5 – July 14, 2018\r\nv2.0.4 – April 6, 2018\r\nv2.0.3 – March 29, 2018\r\nv2.0.1 – Feb. 10, 2018\r\nv2.0.0 – Feb. 2, 2018\r\nv1.9.9 – Dec. 17, 2017\r\nRemcos has the functionalities that are typical of a RAT. It is capable of hiding in the system and using malware\r\ntechniques that make it difficult for the typical user to detect the existence of Remcos.\r\nSeveral routines look like they were simply copied and (at best) slightly modified from publicly available\r\nsources. 
A good example is the anti-analysis section:\r\nIt checks for an outdated artifact, the 'SbieDll.dll'. In our opinion, there are not many analysts using\r\nSandboxie these days anymore. A closer look at the other functions also shows a high code similarity to\r\npublicly available projects. Below you can see the Remcos VMware detection code:\r\nThe following is a code sample from aldeid.com:\r\nThe blog referenced above has already described several Remcos features in detail. We would like to\r\nfocus on Remcos' cryptographic implementation. It uses RC4 pretty much everywhere when there is a need to\r\ndecode or encode any data. Examples are registry entries, C2 server network communication or file paths shown\r\nbelow:\r\nThe exepath registry data is base64-encoded, RC4-encrypted data. Decoded, it is the path of the executable:\r\nC:\\TEMP\\1cc8f8b1487893b2b0ff118faa2333e1826ae1495b626e206ef108460d4f0fe7.exe\r\nThe RC4 implementation is the standard RC4 implementation that can be found in many code examples on the\r\ninternet. 
It first builds the Key Scheduling Algorithm (KSA) S_array at 00402F01.\r\nThis can be converted into the typical RC4 pseudo code:\r\nfor i from 0 to 255\r\n S[i] := i\r\nendfor\r\nj := 0\r\nfor i from 0 to 255\r\n j := (j + S[i] + key[i mod keylength]) mod 256\r\n swap values of S[i] and S[j]\r\nendfor\r\nThis is followed by the RC4 Pseudo-random generation algorithm (PRGA) at 00402F5B.\r\nIn pseudo code, it looks like this:\r\ni := 0\r\nj := 0\r\nwhile GeneratingOutput:\r\n i := (i + 1) mod 256\r\n j := (j + S[i]) mod 256\r\n swap values of S[i] and S[j]\r\n K := S[(S[i] + S[j]) mod 256]\r\n output K\r\nendwhile\r\nAs the screenshots above illustrate, Remcos is using RC4 to encrypt and decrypt its data, and it is using the PE\r\nresource section to store the initial encryption key in the 'SETTINGS' resource. This key can have a variable\r\nlength — we have seen short keys from 40 bytes to keys with more than 250 bytes.\r\nThe data is stored in the following format:\r\n[Length of key]\r\n[Encryption Key]\r\n[Encrypted configuration data]\r\nThis encrypted configuration data section contains the command and control servers, RAT commands to execute\r\nand other data. Decoded, it looks like this:\r\nThe decoded data contains the C2 server, e.g. ejiroprecious[.]ddns[.]net, and the corresponding port number,\r\nfollowed by a password. This password is used to generate a separate S_array for the RC4 encrypted C2\r\ncommunication. 
The picture shows the relevant part of the RC4 Key Scheduling Algorithm (KSA) from above.\r\nEven if a stronger password is used than in the example above, using such a weak encryption algorithm means\r\nthat everyone who gets his or her hands on the binary file can extract the password and decrypt the C2 traffic or\r\ninject their own commands into the C2 channel to control the RAT. The good news is that companies who became\r\na victim of Remcos have a good chance to analyse the threat if they have stored the network traffic and the\r\nRemcos binary file.\r\nTo make the life of forensic investigators easier, we are providing a small decoder Python script that can decode\r\nthe config data from the resource section:\r\nAs mentioned above, Remcos is using the same encryption routine for all kinds of other functions, too. For this\r\nreason, the decoder program also offers an option to hand over encrypted bytes manually. This can be used to\r\ndecode, for example, the exepath registry key.\r\nWe have used this tool to extract all the IOCs below. It is tested with the latest 2.0.4 and 2.0.5 versions of Remcos,\r\nbut likely also works with other versions.\r\nThe user can also copy bytes from a network sniffer to a binary file, and hand it over to decrypt the bytes from the\r\nC2 communication to see which commands the C2 server has sent to the victim. Keep in mind to use the extracted\r\npassword, e.g. \"pass.\"\r\nConclusion\r\nWhile the organization that sells Remcos claims that the application is only for legal use, our research indicates it\r\nis still being used extensively by malicious attackers, as well. In some cases, attackers are strategically targeting\r\nvictims to attempt to gain access to organizations that operate as part of the supply chain for various critical\r\ninfrastructure sectors. 
Organizations should ensure that they are implementing security controls to combat\r\nRemcos, as well as other threats that are being used in the wild. Remcos is a robust tool that is being actively\r\ndeveloped to include new functionality increasing what the attackers can gain access to. To combat this,\r\norganizations should continue to be aware of this threat, as well as others like this that may be circulated on the\r\ninternet.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIndicators of Compromise (IOC)\r\nThe following IOCs are associated with various malware distribution campaigns that were observed during\r\nanalysis of Remcos activity.\r\nMalicious Office 
Documents:\r\n0409e5a5a78bfe510576b516069d4119b45a717728edb1cd346f65cfb53b2de2\r\n0ebfbcbf8c35ff8cbf36e38799b5129c7b70c6895d5f11d1ab562a511a2ec76e\r\n18f461b274aa21fc27491173968ebe87517795f24732ce977ccea5f627b116f9\r\n2f81f5483bbdd78d3f6c23ea164830ae263993f349842dd1d1e6e6d055822720\r\n3772fcfbb09ec55b4e701a5e5b4c5c9182656949e6bd96bbd758947dfdfeba62\r\n43282cb81e28bd2b7d4086f9ba4a3c538c3d875871bdcf881e58c6b0da017824\r\n48dec6683bd806a79493c7d9fc3a1b720d24ad8c6db4141bbec77e2aebad1396\r\n4938f6b52e34768e2834dfacbc6f1d577f7ab0136b01c6160dd120364a1f9e1a\r\n4e0bcef2b9251e2aaecbf6501c8df706bf449b0e12434873833c6091deb94f0e\r\n72578440a76e491e7f6c53e39b02bd041383ecf293c90538dda82e5d1417cad1\r\n77cf87134a04f759be3543708f0664b80a05bb8315acb19d39aaa519d1da8e92\r\n8abcb3084bb72c1cb49aebaf0a0c221a40538a062a1b8830c1b48d913211a403\r\n94ff6d708820dda59738401ea10eb1b0d7d98d104a998ba6cee70e728eb5f29f\r\n9cccdb290dbbedfe54beb36d6359e711aee1b20f6b2b1563b32fb459a92d4b95\r\naa7a3655dc5d9e0d69137cb8ba7cc18137eff290fde8c060ac678aa938f16ec7\r\nad78b68616b803243d56593e0fdd6adeb07bfc43d0715710a2c14417bba90033\r\nbb3e5959a76a82db52840c4c03ae2d1e766b834553cfb53ff6123331f0be5d12\r\nc5b9c3a3bbfa89c83e1fb3955492044fd8bf61f7061ce1a0722a393e974cec7c\r\nd3612813abf81d0911d0d9147a5fe09629af515bdb361bd42bc5a79d845f928f\r\ne302fb178314aa574b89da065204bc6007d16c29f1dfcddcb3b1c90026cdd130\r\ne7c3c8195ff950b0d3f7e9c23c25bb757668b9c131b141528183541fc125d613\r\nef5e1af8b3e0f7f6658a513a6008cbfb83710f54d8327423db4bb65fa03d3813\r\nf2c4e058a29c213c7283be382a2e0ad97d649d02275f3c53b67a99b262e48dd2\r\nStage 1 
Executables:\r\n07380d9df664ef6f998ff887129ad2ac7b11d0aba15f0d72b6e150a776c6a1ef\r\n1e5d5226acaeac5cbcadba1faab4567b4e46b2e6724b61f8c705d99af80ca410\r\n224009a766eef638333fa49bb85e2bb9f5428d2e61e83425204547440bb6f58d\r\n27dd5a3466e4bade2238aa7f6d5cb7015110ceb10ba00c1769e4bc44fe80bcb8\r\n502c4c424c8f435254953c1d32a1f7ae1e67fb88ebd7a31594afc7278dcafde3\r\n5a9fa1448bc90a7d8f5e6ae49284cd99120c2cad714e47c65192d339dad2fc59\r\n91032c5ddbb0447e1c772ccbe22c7966174ee014df8ada5f01085136426a0d20\r\n9114a31330bb389fa242512ae4fd1ba0c9956f9bf9f33606d9d3561cc1b54722\r\n9fe46627164c0858ab72a7553cba32d2240f323d54961f77b5f4f59fe18be8fa\r\nc2307a9f18335967b3771028100021bbcf26cc66a0e47cd46b21aba4218b6f90\r\nc51677bed0c3cfd27df7ee801da88241b659b2fa59e1c246be6db277ce8844d6\r\nda352ba8731afee3fdbca199ce8c8916a31283c07b2f4ebaec504bda2966892b\r\nPE32 Executables:\r\nA text file containing a list of Remcos PE32 executable hashes can be found here.\r\nIP Addresses:\r\n109.232.227[.]138\r\n54.36.251[.]117\r\n86.127.159[.]17\r\n195.154.242[.]51\r\n51.15.229[.]127\r\n212.47.250[.]222\r\n191.101.22[.]136\r\n185.209.20[.]221\r\n92.38.86[.]175\r\n139.60.162[.]153\r\n192.0.2[.]2\r\n185.209.85[.]185\r\n82.221.105[.]125\r\n185.125.205[.]74\r\n77.48.28[.]223\r\n79.172.242[.]28\r\n192.185.119[.]103\r\n181.52.113[.]172\r\n213.152.161[.]165\r\nDomains:\r\ndboynyz[.]pdns[.]cz\r\nstreetz[.]club\r\nmdformo[.]ddns[.]net\r\nmdformo1[.]ddns[.]net\r\nvitlop[.]ddns[.]net\r\nns1[.]madeinserverwick[.]club\r\nuploadtops[.]is\r\nprince[.]jumpingcrab[.]com\r\ntimmason2[.]com\r\nlenovoscanner[.]duckdns[.]org\r\nlenovoscannertwo[.]duckdns[.]org\r\nlenovoscannerone[.]duckdns[.]org\r\ngoogle[.]airdns[.]org\r\ncivita2[.]no-ip[.]biz\r\nwww[.]pimmas[.]com[.]tr\r\nwww[.]mervinsaat[.]com[.]tr\r\nsamurmakina[.]com[.]tr\r\nwww[.]paulocamarao[.]com\r\nmidatacreditoexperian[.]com[.]co\r\nwww[.]lebontour[.]com\r\nbusinesslisting[.]igg[.]biz\r\nunifscon[.]com\r\nSource: https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html"
	],
	"report_names": [
		"picking-apart-remcos.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434488,
	"ts_updated_at": 1775791302,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ed2fefcf7c3a2fbdf94824ad6698560f2c3b14f0.pdf",
		"text": "https://archive.orkl.eu/ed2fefcf7c3a2fbdf94824ad6698560f2c3b14f0.txt",
		"img": "https://archive.orkl.eu/ed2fefcf7c3a2fbdf94824ad6698560f2c3b14f0.jpg"
	}
}