ThreatFox IOC Database

You are viewing the ThreatFox database entry for ip:port 161.248.146.16:2245.

Database Entry


IOC ID: 1808262
IOC: 161.248.146.16:2245
IOC type: ip:port
Threat type: botnet_cc
Malware: Remcos
Malware alias: RemcosRAT, Remvio, Socmer
Confidence level: high (100%)
Is compromised?: False
ASN: AS135918 DVS-AS-VN
Country: VN
First seen: 2026-05-07 19:03:25 UTC
Last seen: never
UUID: 6caa54c6-4a47-11f1-8759-42010aa4000a
Reporter: TomU
Reward: 5 credits from ThreatFox
Tags: remcos

TomU
filename: RFQ.xls
md5: 4c7f69abfc6c17ab9840d8a16d3072c5
sha1: 78b14c00f2544079567de0c022c1847c59bc8171
sha256: 927a405869e09366dfb053b2d80f3b7ddd97dee75bbe39fc1ed47edf93fbc243

{'Remcos': {
    'Version': ['6.0.0 Pro'],
    'Control': ['tcp://161.248.146.16:2245'],
    'Password': ['1'],
    'Botnet': ['Nostartup'],
    'Connect interval': ['1'],
    'Install flag': ['Disable'],
    'Setup HKCU\\Run': ['Enable'],
    'Setup HKLM\\Run': ['Enable'],
    'Setup HKLM\\Explorer\\Run': ['Disable'],
    'Keylog file max size': ['100000'],
    'Install parent directory': ['%ProgramData%'],
    'Install filename': ['remcos.exe'],
    'Startup value': ['Disable'],
    'Hide file': ['Disable'],
    'Process injection flag': ['0'],
    'Mutex': ['Rmc-70FYX5'],
    'Keylogger mode': ['0'],
    'Keylogger parent directory': ['%ProgramData%'],
    'Keylogger filename': ['logs.dat'],
    'Keylog crypt': ['Disable'],
    'Hide keylog file': ['Disable'],
    'Screenshot flag': ['Disable'],
    'Screenshot time': ['10'],
    'Take Screenshot option': ['Disable'],
    'Take screenshot title': [''],
    'Take screenshot time': ['5'],
    'Screenshot parent directory': ['%AppData%'],
    'Screenshot folder': ['Screenshots'],
    'Screenshot crypt flag': ['Disable'],
    'Mouse option': ['Disable'],
    'Unknown29': ['Disable'],
    'Delete file': ['Disable'],
    'Unknown31': ['Disable'],
    'Unknown32': ['Disable'],
    'Unknown33': ['Disable'],
    'Unknown34': ['Disable'],
    'Audio recording flag': ['Disable'],
    'Audio record time': ['5'],
    'Audio parent directory': ['<CurrentMalwareDirectory>'],
    'Audio folder': ['MicRecords'],
    'Disable UAC flage': ['Disable'],
    'Logging mode': ['0'],
    'Connect delay': ['0'],
    'Keylogger specific window names': [''],
    'Browser cleaning on startup flag': ['Disable'],
    'Browser cleaning only for the first run flag': ['Enable'],
    'Browser cleaning sleep time in minutes': ['0'],
    'UAC bypass flag': ['Disable'],
    'Unkown47': ['1'],
    'Install directory': ['Remcos'],
    'Keylogger root directory': ['remcos'],
    'Watchdog flag': ['Disable'],
    'Unknown51': ['Disable'],
    'License': ['D5B929833D74756B1A7B97D0EA034EBF'],
    'Screenshot mouse drawing flag': ['Disable'],
    'TLS raw certificate (base64)': ['MIH/MIGmoAMCAQICEE+VUYnFAyjt2ne+2ECDhxowCgYIKoZIzj0EAwIwADAiGA8xOTcwMDEwMTAwMDAwMFoYDzIwOTAxMjMxMDAwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoz9InW5w49JUAWq/lMxPrqe5uUBYDkPKqXQxlANW1GThQMxfimAvgQ3bDBstabcQw1knHOxPD196q1SYO7EZ5zAKBggqhkjOPQQDAgNIADBFAiEAkLhJWX5oX9R0a/Jw9WOVpb8Veo5m+OGzYk6iBftJNWECIFvh91kailRM54vbS3T0JW6rqZGfWg/GIHlo1PBPWkaa'],
    'TLS key (base64)': ['MHcCAQEEIC4yIYqJtiFClF15uIEfDaSKL/Y4UUpah/VfzKSVVos/oAoGCCqGSM49AwEHoUQDQgAEoz9InW5w49JUAWq/lMxPrqe5uUBYDkPKqXQxlANW1GThQMxfimAvgQ3bDBstabcQw1knHOxPD196q1SYO7EZ5w=='],
    'TLS raw peer certificate (base64)': ['MIH+MIGmoAMCAQICEGAk8NDRWw+/QdZsEjX9mikwCgYIKoZIzj0EAwIwADAiGA8xOTcwMDEwMTAwMDAwMFoYDzIwOTAxMjMxMDAwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZz2JzdheagsrFu2bueiZo6p4sC03padHfc0bB2tLLx8lNHbxeEcJwa9YwLatxvkR86TO0rd4AFIJCtWvgINgxTAKBggqhkjOPQQDAgNHADBEAiBLhczYQgZsuRoqD/qxI/btknYwhPIxVIFnI96KwlJi4wIgDiozivcAB2K/z5owYf8tZZPDZWm75sVvFTKWXQD3Vj8='],
    'TLS client private key (base64)': ['']}}