Page 94 - Cyber Defense eMagazine October 2023

•  C2 IP: 141.95.16.111:2404
•  Botnet Name: NewRem
•  Copied file name: Terminal.exe
•  Copy folder: Terminal
•  Identifier/Mutex: Rmc-5HBYBR
•  Key log file: logs.dat

The operational sequence of Remcos is to execute auto-start functions based on its configuration block.
These tasks encompass:

•  Adding Remcos to the system registry's auto-run group.
•  Keylogging.
•  Recording audio from a microphone connected to the victim's machine.
•  Capturing screenshots from the victim's device.
•  Disabling User Account Control (UAC) on the victim's system.
•  Various additional actions.

Establishing Persistence:

The Remcos RAT uses the Windows Registry "Run" keys, specifically
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" and
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", to gain persistence. The entries point to
the executable file "terminal.exe" located in the directory "C:\programdata\terminal\".
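As an added illustration for responders (not part of the original article), the following PowerShell snippet enumerates the Run keys named above on a host under examination and flags any entry whose command points into C:\ProgramData, the drop location cited for terminal.exe. The function name and the ProgramData heuristic are assumptions made for triage; they are not indicators taken from the article, and a flagged entry still needs to be confirmed by inspecting the file.

```powershell
# Added example, not code from the article: list the Run-key entries described
# above and mark any whose command resolves under C:\ProgramData, where the
# article reports the terminal.exe copy being placed. Run in an elevated
# PowerShell session on the host being examined. The function name and the
# ProgramData heuristic are assumptions for triage, not article indicators.
function Get-SuspiciousRunEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    # Properties PowerShell attaches to every registry item; they are not Run values.
    $metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    # A command whose image lives under ProgramData (drive letter and quoting vary).
    $suspiciousPath = '(?i)^"?[A-Z]:\\ProgramData\\'

    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($metaProps -contains $prop.Name) { continue }
            $cmd = [string]$prop.Value
            $verdict = 'ok'
            if ($cmd -match $suspiciousPath) { $verdict = 'SUSPECT' }
            [PSCustomObject]@{
                Key     = $key
                Name    = $prop.Name
                Command = $cmd
                Verdict = $verdict
            }
        }
    }
}

# Usage: show only flagged entries and attach the SHA-256 of the image so it can
# be compared against known samples. Quotes are stripped before hashing; an
# unquoted command that carries arguments is shown without a hash.
Get-SuspiciousRunEntries | Where-Object { $_.Verdict -eq 'SUSPECT' } | ForEach-Object {
    $image = $_.Command -replace '^"([^"]+)".*$', '$1'
    if (Test-Path -Path $image -PathType Leaf) {
        $hash = (Get-FileHash -Path $image -Algorithm SHA256).Hash
        $_ | Add-Member -NotePropertyName SHA256 -NotePropertyValue $hash -PassThru
    } else {
        $_
    }
} | Format-Table -AutoSize
```

HKCU only covers the hive of the user running the script; when triaging a multi-user machine, repeat the check against each loaded profile under HKU:\ (or load the NTUSER.DAT hives of logged-off users) so a per-user entry of the kind described above is not missed.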

            Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.