win.remcos

Remcos

aka: RemcosRAT

Actor(s): APT33, The Gorgon Group


There is no description at this point.

References
2020-03-20 | Bitdefender | Liviu Arsene
@online{arsene:20200320:5:46813c6, author = {Liviu Arsene}, title = {{5 Times More Coronavirus-themed Malware Reports during March}}, date = {2020-03-20}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter}, language = {English}, urldate = {2020-03-26} } 5 Times More Coronavirus-themed Malware Reports during March
ostap GuLoader HawkEye Keylogger Koadic Loki Password Stealer (PWS) Nanocore RAT Remcos
2020-03-18 | Proofpoint | Axel F, Sam Scholten
@online{f:20200318:coronavirus:8fe12a3, author = {Axel F and Sam Scholten}, title = {{Coronavirus Threat Landscape Update}}, date = {2020-03-18}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update}, language = {English}, urldate = {2020-03-26} } Coronavirus Threat Landscape Update
Agent Tesla Get2 GuLoader ISFB Remcos
2019-10-21 | Fortinet | Xiaopeng Zhang, Chris Navarrete
@online{zhang:20191021:new:b72bcde, author = {Xiaopeng Zhang and Chris Navarrete}, title = {{New Variant of Remcos RAT Observed In the Wild}}, date = {2019-10-21}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/new-variant-of-remcos-rat-observed-in-the-wild.html}, language = {English}, urldate = {2019-11-21} } New Variant of Remcos RAT Observed In the Wild
Remcos
2019-09-26 | Proofpoint | Bryan Campbell, Jeremy Hedges, Proofpoint Threat Insight Team
@online{campbell:20190926:new:d228362, author = {Bryan Campbell and Jeremy Hedges and Proofpoint Threat Insight Team}, title = {{New WhiteShadow downloader uses Microsoft SQL to retrieve malware}}, date = {2019-09-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware}, language = {English}, urldate = {2020-02-26} } New WhiteShadow downloader uses Microsoft SQL to retrieve malware
WhiteShadow Agent Tesla Azorult Crimson RAT Formbook Nanocore RAT NetWire RC NjRAT Remcos
2019-09-07 | Dissecting Malware | Marius Genheimer
@online{genheimer:20190907:malicious:37195ec, author = {Marius Genheimer}, title = {{Malicious RATatouille}}, date = {2019-09-07}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/malicious-ratatouille.html}, language = {English}, urldate = {2020-03-27} } Malicious RATatouille
Remcos
2019-08-22 | Youtube (OALabs) | Sergei Frankoff
@online{frankoff:20190822:remcos:b86c5bd, author = {Sergei Frankoff}, title = {{Remcos RAT Unpacked From VB6 With x64dbg Debugger}}, date = {2019-08-22}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=DIH4SvKuktM}, language = {English}, urldate = {2020-01-10} } Remcos RAT Unpacked From VB6 With x64dbg Debugger
Remcos
2019-06-19 | Check Point | Kobi Eisenkraft, Moshe Hayun
@online{eisenkraft:20190619:check:0a79b2b, author = {Kobi Eisenkraft and Moshe Hayun}, title = {{Check Point’s Threat Emulation Stops Large-Scale Phishing Campaign in Germany}}, date = {2019-06-19}, organization = {Check Point}, url = {https://blog.checkpoint.com/2019/06/19/sandblast-agent-phishing-germany-campaign-security-hack-ransomware/}, language = {English}, urldate = {2020-01-08} } Check Point’s Threat Emulation Stops Large-Scale Phishing Campaign in Germany
Remcos
2019-05-08 | VMRay | Francis Montesino
@online{montesino:20190508:get:ed8ceb4, author = {Francis Montesino}, title = {{Get Smart with Enhanced Memory Dumping in VMRay Analyzer 3.0}}, date = {2019-05-08}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/smart-memory-dumping/}, language = {English}, urldate = {2020-01-13} } Get Smart with Enhanced Memory Dumping in VMRay Analyzer 3.0
Remcos
2019-03-27 | Symantec | Security Response Attack Investigation Team
@online{team:20190327:elfin:836cc39, author = {Security Response Attack Investigation Team}, title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}}, date = {2019-03-27}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage}, language = {English}, urldate = {2020-01-06} } Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet Nanocore RAT pupy Quasar RAT Remcos TURNEDUP APT33
2018-08-22 | Cisco Talos | Edmund Brumaghin, Holger Unterbrink, Eric Kuhla, Lilia Gonzalez Medina
@online{brumaghin:20180822:picking:925912d, author = {Edmund Brumaghin and Holger Unterbrink and Eric Kuhla and Lilia Gonzalez Medina}, title = {{Picking Apart Remcos Botnet-In-A-Box}}, date = {2018-08-22}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html}, language = {English}, urldate = {2019-10-23} } Picking Apart Remcos Botnet-In-A-Box
Remcos
2018-08-02 | Palo Alto Networks Unit 42 | Robert Falcone, David Fuertes, Josh Grunzweig, Kyle Wilhoit
@online{falcone:20180802:gorgon:06112b1, author = {Robert Falcone and David Fuertes and Josh Grunzweig and Kyle Wilhoit}, title = {{The Gorgon Group: Slithering Between Nation State and Cybercrime}}, date = {2018-08-02}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/}, language = {English}, urldate = {2019-12-20} } The Gorgon Group: Slithering Between Nation State and Cybercrime
Loki Password Stealer (PWS) Nanocore RAT NjRAT Quasar RAT Remcos Revenge RAT
2018-03-02 | KrabsOnSecurity | Mr. Krabs
@online{krabs:20180302:analysing:7b1f12f, author = {Mr. Krabs}, title = {{Analysing Remcos RAT’s executable}}, date = {2018-03-02}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/}, language = {English}, urldate = {2019-07-31} } Analysing Remcos RAT’s executable
Remcos
2018-03-01 | My Online Security | My Online Security
@online{security:20180301:fake:7f835ef, author = {My Online Security}, title = {{Fake order spoofed from Finchers ltd Sankyo-Rubber delivers Remcos RAT via ACE attachments}}, date = {2018-03-01}, organization = {My Online Security}, url = {https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/}, language = {English}, urldate = {2020-01-13} } Fake order spoofed from Finchers ltd Sankyo-Rubber delivers Remcos RAT via ACE attachments
Remcos
2018-01-23 | RiskIQ | Yonathan Klijnsma
@online{klijnsma:20180123:espionage:f3d28b0, author = {Yonathan Klijnsma}, title = {{Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors}}, date = {2018-01-23}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/}, language = {English}, urldate = {2019-12-24} } Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors
Remcos
2017-12-22 | Malware Traffic Analysis | Brad Duncan
@online{duncan:20171222:malspam:4a3fd87, author = {Brad Duncan}, title = {{MALSPAM USES CVE-2017-0199 TO DISTRIBUTE REMCOS RAT}}, date = {2017-12-22}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/12/22/index.html}, language = {English}, urldate = {2019-07-11} } MALSPAM USES CVE-2017-0199 TO DISTRIBUTE REMCOS RAT
Remcos
2017-07-01 | Secrary Blog | lasha
@online{lasha:20170701:remcos:984d85c, author = {lasha}, title = {{Remcos RAT}}, date = {2017-07-01}, organization = {Secrary Blog}, url = {https://secrary.com/ReversingMalware/RemcosRAT/}, language = {English}, urldate = {2020-01-09} } Remcos RAT
Remcos
2017-02-14 | Fortinet | Floser Bacurio, Joie Salvio
@online{bacurio:20170214:remcos:e924c55, author = {Floser Bacurio and Joie Salvio}, title = {{REMCOS: A New RAT In The Wild}}, date = {2017-02-14}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2}, language = {English}, urldate = {2020-01-09} } REMCOS: A New RAT In The Wild
Remcos
Yara Rules
[TLP:WHITE] win_remcos_auto (20190204 | autogenerated rule brought to you by yara-signator)
rule win_remcos_auto {

    // Autogenerated code-sequence rule for the Remcos RAT family. It matches
    // only short runs of raw x86 instruction bytes (no PE metadata, imports or
    // readable strings) that were mined from memory dumps and unpacked files
    // (see DISCLAIMER below), so coverage of packed on-disk samples is likely
    // poor; apply it to unpacked binaries or process memory.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-11-26"            // generation date of this rule
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos"
        malpedia_version = "20190204"  // presumably the Malpedia dataset snapshot the sequences were taken from; differs from `date` above
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Each $sequence_N is a hex string of consecutive opcode bytes; the
        // disassembly listed under it is informational only and is not matched.
        // "??" is a YARA wildcard byte: the 4-byte operands of ff15
        // (call dword ptr [imm32]) and e8 (call rel32) are left unspecified,
        // presumably so a match does not depend on import-table or relocation
        // addresses that differ between builds. "n" is the number of
        // instructions in the sequence; "score" is assigned by yara-signator.
        $sequence_0 = { ff7510 2b4508 6a0c 99 59 f7f9 }
            // n = 6, score = 1000
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   2b4508               | sub                 eax, dword ptr [ebp + 8]
            //   6a0c                 | push                0xc
            //   99                   | cdq                 
            //   59                   | pop                 ecx
            //   f7f9                 | idiv                ecx

        $sequence_1 = { 8d45c8 6a0f 50 ff15???????? 50 8d4de8 }
            // n = 6, score = 1000
            //   8d45c8               | lea                 eax, [ebp - 0x38]
            //   6a0f                 | push                0xf
            //   50                   | push                eax
            //   ff15????????         |                     
            //   50                   | push                eax
            //   8d4de8               | lea                 ecx, [ebp - 0x18]

        $sequence_2 = { 8bf8 ff15???????? 3bf8 729b eb2f }
            // n = 5, score = 1000
            //   8bf8                 | mov                 edi, eax
            //   ff15????????         |                     
            //   3bf8                 | cmp                 edi, eax
            //   729b                 | jb                  0xffffff9d
            //   eb2f                 | jmp                 0x31

        $sequence_3 = { 8d4ddc 50 e8???????? 8d4d0c }
            // n = 4, score = 1000
            //   8d4ddc               | lea                 ecx, [ebp - 0x24]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d4d0c               | lea                 ecx, [ebp + 0xc]

        $sequence_4 = { 03c1 f6401720 7505 6a01 58 }
            // n = 5, score = 1000
            //   03c1                 | add                 eax, ecx
            //   f6401720             | test                byte ptr [eax + 0x17], 0x20
            //   7505                 | jne                 7
            //   6a01                 | push                1
            //   58                   | pop                 eax

        $sequence_5 = { 56 8bf1 8d45ff 57 50 8d4de8 ff15???????? }
            // n = 7, score = 1000
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   8d45ff               | lea                 eax, [ebp - 1]
            //   57                   | push                edi
            //   50                   | push                eax
            //   8d4de8               | lea                 ecx, [ebp - 0x18]
            //   ff15????????         |                     

        $sequence_6 = { 8bcc 50 ff15???????? 83ec10 8d45c4 8bcc 50 }
            // n = 7, score = 1000
            //   8bcc                 | mov                 ecx, esp
            //   50                   | push                eax
            //   ff15????????         |                     
            //   83ec10               | sub                 esp, 0x10
            //   8d45c4               | lea                 eax, [ebp - 0x3c]
            //   8bcc                 | mov                 ecx, esp
            //   50                   | push                eax

        $sequence_7 = { e8???????? 83c418 015e08 5f }
            // n = 4, score = 1000
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   015e08               | add                 dword ptr [esi + 8], ebx
            //   5f                   | pop                 edi

        $sequence_8 = { 803e00 0f8485000000 8d45fc 6a0a 50 56 ff15???????? }
            // n = 7, score = 1000
            //   803e00               | cmp                 byte ptr [esi], 0
            //   0f8485000000         | je                  0x8b
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   6a0a                 | push                0xa
            //   50                   | push                eax
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_9 = { 7410 ff7510 8bce ff15???????? 83c610 }
            // n = 5, score = 1000
            //   7410                 | je                  0x12
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   8bce                 | mov                 ecx, esi
            //   ff15????????         |                     
            //   83c610               | add                 esi, 0x10

    condition:
        // At least 7 of the 10 $sequence_* strings must occur anywhere in the
        // scanned object. No file-size, magic-byte or PE-header constraint is
        // applied, so consider wrapping the rule with such checks (and tuning
        // the threshold) when deploying it at scale.
        7 of them
}