Remcos RAT Activity

    Date: 03/12/2025

    Severity: High

    Summary

    Email continues to be a common method for malware distribution, with most malicious messages intercepted by spam traps and security filters. Threat actors constantly adapt their techniques to bypass these defenses, including altering the file extensions of attached zip archives. In this case, the email contained a zip archive disguised with a 7-Zip file extension. On a Windows 11 system, File Manager extracted the malware even though the archive carried a .7z extension and 7-Zip was not installed: the extractor keyed on the file's actual ZIP structure, not on the extension the attacker chose.
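The evasion above is a mismatch between an attachment's name and its real container format. The following is an added example, not code from this advisory or from Gurucul: it classifies a file by its leading magic bytes (ZIP, 7z, RAR, gzip) and flags any name whose extension disagrees, which catches a ZIP body delivered as `.7z`. The sample archive is constructed in memory; there is no real lure here.

```python
"""Flag attachments whose extension does not match their archive format."""
import io
import zipfile
from pathlib import Path
from typing import Optional

# Leading bytes of common archive containers (well-known signatures).
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
    b"\x1f\x8b": "gzip",
}

# Extensions each container is expected to carry.
EXPECTED_EXT = {
    "zip": {".zip"},
    "7z": {".7z"},
    "rar": {".rar"},
    "gzip": {".gz", ".tgz"},
}


def detect_container(data: bytes) -> Optional[str]:
    """Return the archive type implied by the first bytes, or None."""
    for magic, kind in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def extension_mismatch(filename: str, data: bytes) -> Optional[str]:
    """Return a finding when content type and extension disagree.

    A ZIP body named *.7z is exactly the trick in this advisory. Files
    that are not a recognised archive at all are not reported here.
    """
    kind = detect_container(data)
    if kind is None:
        return None
    ext = Path(filename).suffix.lower()
    if ext in EXPECTED_EXT[kind]:
        return None
    shown = ext or "(none)"
    return f"{filename}: content is {kind} but extension is '{shown}'"


def build_sample_zip() -> bytes:
    """Constructed sample: a benign in-memory ZIP standing in for the lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt", "placeholder content")
    return buf.getvalue()
```

On a mail gateway or EDR this check runs before any extraction step, so the attachment is quarantined on the signature mismatch regardless of which extractor the endpoint would have used.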

    Indicators of Compromise (IOC) List

    Domains/URLs:

    hftook7lmaroutsg1.duckdns.org

    http://geoplugin.net/json.gp

    IP Addresses:

    54.38.59.202

    206.123.152.51 

    Hashes (SHA-256):

    f21e796e0ea71e76542d7196593ad8337012760d9183eb5abdb78c74e4702531
    
    f6946b226d21d0f716980980d61ef1a6ca429bed0c42c4ad51c9d813ee626469
    
    1b0eb55bb50d0286b192accbe408826c4c2e6c59a78d52743ce4f84ac0b1d6d0

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs:

    userdomainname like "http://geoplugin.net/json.gp" or url like "http://geoplugin.net/json.gp" or userdomainname like "hftook7lmaroutsg1.duckdns.org" or url like "hftook7lmaroutsg1.duckdns.org"

    IP Addresses:

    dstipaddress IN ("54.38.59.202","206.123.152.51") or ipaddress IN ("54.38.59.202","206.123.152.51") or publicipaddress IN ("54.38.59.202","206.123.152.51") or srcipaddress IN ("54.38.59.202","206.123.152.51")

    Hashes (SHA-256):

    sha256hash IN ("f21e796e0ea71e76542d7196593ad8337012760d9183eb5abdb78c74e4702531","f6946b226d21d0f716980980d61ef1a6ca429bed0c42c4ad51c9d813ee626469","1b0eb55bb50d0286b192accbe408826c4c2e6c59a78d52743ce4f84ac0b1d6d0")

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-03-10-IOCs-for-Remcos-RAT-activity.txt


    Tags

    Malware, RAT, REMCOS
