popup

Cyber Threat Trends

  1. Day Week

conference CrowdStrike 북한

Summary: 2025/04/19 12:36

First reported date: 2021/05/07
Inquiry period : 2025/03/20 12:36 ~ 2025/04/19 12:36 (1 months), 1 search results

전 기간대비 신규 트렌드를 보이고 있습니다.
악성코드 유형 RemcosRAT NetWireRC Remcos 도 새롭게 확인됩니다.
기타 Low abusech httpstcouvC httpstcoP 신규 키워드도 확인됩니다.

Remcos is a RAT type malware that attackers use to perform actions on infected machines remotely. This malware is extremely actively caped up to date with updates coming out almost every single month.

참고로 동일한 그룹의 악성코드 타입은 Remcos njRAT QuasarRAT 등 110개 종이 확인됩니다.

Trend graph by period


Related keyword cloud
Top 100
# Trend Count Comparison
1RemcosRAT 1 ▲ new
2Low 1 ▲ new
3abusech 1 ▲ new
4httpstcouvC 1 ▲ new
5httpstcoP 1 ▲ new
6NetWireRC 1 ▲ new
7Remcos 1 ▲ new
Special keyword group
Top 5
Malware Type
Malware Type

This is the type of malware that is becoming an issue.

Keyword Average Label
RemcosRAT
1 (33.3%)
NetWireRC
1 (33.3%)
Remcos
1 (33.3%)
Attacker & Actors
Attacker & Actors

The status of the attacker or attack group being issued.

No data.

Attack technique
Technique

This is an attack technique that is becoming an issue.

No data.

Country & Company
Country & Company

This is a country or company that is an issue.

No data.

Malware Family
Top 5

A malware family is a group of applications with similar attack techniques.
In this trend, it is classified into Ransomware, Stealer, RAT or Backdoor, Loader, Botnet, Cryptocurrency Miner.

Threat info
Last 5

SNS

(Total : 1)
  Total keyword

RemcosRAT NetWireRC Remcos

No Title Date
1Szabolcs Schmidt @smica83
Low detected #RemcosRAT @abuse_ch https://t.co/uvC4VTJ7mm https://t.co/P6021ENBgA		2025.04.15

News

(Total : 0)

No data.

Additional information

No Request Hash(md5) Report No Date
1 remcos_a.exe
Client SW User Data Stealer Backdoor RemcosRAT Browser Login Data Stealer browser info stealer Generic Malware Google Chrome User Data Downloader Malicious Library Malicious Packer UPX Create Service Socket Escalate priviledges PWS Sniff Audio DNS Interne 		e3aecc3188eac24edb8e34f5044b3a6a589982025.04.14
2 pdf.ps1
Client SW User Data Stealer Backdoor RemcosRAT browser info stealer Hide_EXE Generic Malware Google Chrome User Data Downloader Malicious Library .NET framework(MSIL) Antivirus Create Service Socket ScreenShot Escalate priviledges PWS Sniff Audio DNS Inte 		642647cf863119977d7bd52e848e0cfe583952025.03.31
3 kent.ps1
Client SW User Data Stealer Backdoor RemcosRAT Formbook browser info stealer Hide_EXE Generic Malware Google Chrome User Data Downloader Malicious Library Confuser .NET Antivirus Create Service Socket ScreenShot Escalate priviledges PWS Sniff Audio DNS Co 		432719ce1459add67ebe4c01b47310f2580592025.03.13
4 nyoilsafkjawd.exe
Client SW User Data Stealer Backdoor RemcosRAT Browser Login Data Stealer browser info stealer Generic Malware Google Chrome User Data Downloader Malicious Library Malicious Packer UPX Create Service Socket ScreenShot Escalate priviledges PWS Sniff Audio 		0bea38a3f664f5c8d72ab74db022aacd580452025.03.12
5 crossings.exe
Client SW User Data Stealer Backdoor RemcosRAT Browser Login Data Stealer browser info stealer Generic Malware Google Chrome User Data Downloader Malicious Library Malicious Packer UPX Create Service Socket ScreenShot Escalate priviledges PWS Sniff Audio 		db59bfef32bc15d53bdf499dd1ae62c4580442025.03.12
View only the last 5
Level Description
danger File has been identified by 66 AntiVirus engines on VirusTotal as malicious
danger The process wscript.exe wrote an executable file to disk which it then attempted to execute
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
danger Executed a process and injected code into it
warning Disables Windows Security features
watch Communicates with host for which no DNS query was performed
watch Installs itself for autorun at Windows startup
watch One or more non-whitelisted processes were created
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice A process attempted to delay the analysis task.
notice A process created a hidden window
notice Checks whether any human activity is being performed by constantly checking whether the foreground window changed
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice One or more potentially interesting buffers were extracted
notice Terminates another process
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
No data
No URL CC ASN Co Reporter Date
1https://cml.lk/doc/r.txt
DBatLoader ModiLoader opendir rat RemcosRAT 		SG SGDIGITALOCEAN-ASNabuse_ch2025.04.17
2https://drive.google.com/uc?export=download&id=1drYJjwMm-iXdwPf_dl6qZkSgLKRNxZhC
encrypted GuLoader rat RemcosRAT 		US USGOOGLEabuse_ch2025.04.17
3http://84.252.123.137/music/output.txt
ascii Encoded rat RemcosRAT 		DE DEAixit GmbHabuse_ch2025.04.17
4http://www.nawatbsc.com/output/output.txt
ascii Encoded rat RemcosRAT 		CH CHSimple Carrier LLCabuse_ch2025.04.17
5https://downloadthecorrectversion.space/vickk/r.txt
ascii rat RemcosRAT 		US USMULTIBAND-NEWHOPEabuse_ch2025.04.16
View only the last 5
Beta Service, If you select keyword, you can check detailed information.