The Persistent Danger of Remcos RAT - CYFIRMA
Common Information
Type Value
UUID 1e7ea35f-ea5a-483f-9685-fd62b432e87d
Fingerprint b50419adae3f9f63
Analysis status DONE
Considered CTI value 2
Text language
Published Aug. 23, 2023, midnight
Added to db Oct. 24, 2023, 1:14 p.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline The Persistent Danger of Remcos RAT
Title The Persistent Danger of Remcos RAT - CYFIRMA
Detected Hints/Tags/Attributes 125/3/45
Attributes
Type                     #Events  CTI Value  Value
Domain                   12                  geoplugin.net
Domain                   7                   json.gp
File                     1                   recover.bat
File                     3                   riotgames.exe
File                     1                   newpy.exe
File                     1                   echo-4662-2df5.exe
File                     1                   echo.exe
File                     10                  123.exe
File                     2125                cmd.exe
File                     1                   abc.png
File                     1                   pp258.ico
File                     1208                powershell.exe
File                     1                   %userprofile%\appdata\local\temp\riotgames.exe
File                     1                   %userprofile%\appdata\local\temp directory and all files with the .exe
File                     1                   terminal.exe
File                     13                  logs.dat
md5                      1                   5379d703170770355efdbce86dcdb1d3
md5                      1                   b28167faf2bcf0150d5e816346abb42d
md5                      1                   25fca21c810a8ffabf4fdf3b1755c73c
md5                      1                   791545E6E3C5EB61DD12CCFBAE1B9982
md5                      1                   4388789C81AFD593C5FC2F0249502153
sha256                   1                   4fa02ec602055dfbdb1d639b3d265d8f7b20d6cd328fdb62dd77b7a1aad5829a
sha256                   1                   9d8282d54901d4e795f0469a5191242b2e7b3b0c51f810f71c739bfff52de8d5
IPv4                     3                   141.95.16.111
IPv4                     1                   145.95.16.111
MITRE ATT&CK Techniques  409                 T1566
MITRE ATT&CK Techniques  365                 T1204.002
MITRE ATT&CK Techniques  460                 T1059.001
MITRE ATT&CK Techniques  380                 T1547.001
MITRE ATT&CK Techniques  550                 T1112
MITRE ATT&CK Techniques  86                  T1548.002
MITRE ATT&CK Techniques  440                 T1055
MITRE ATT&CK Techniques  585                 T1083
MITRE ATT&CK Techniques  1006                T1082
MITRE ATT&CK Techniques  219                 T1113
MITRE ATT&CK Techniques  23                  T1123
MITRE ATT&CK Techniques  82                  T1115
MITRE ATT&CK Techniques  118                 T1056.001
MITRE ATT&CK Techniques  422                 T1041
MITRE ATT&CK Techniques  442                 T1071.001
Url                      3                   http://141.95.16.111:8080/riotgames.exe
Url                      4                   http://geoplugin.net/json.gp
Windows Registry Key     98                  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Windows Registry Key     5                   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Windows Registry Key     112                 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run