Tracing Remcos RAT
ID: ec841221-71e3-52b5-9b0d-02bcd1817d9d
STIX ID: report--ec841221-71e3-52b5-9b0d-02bcd1817d9d
Feed Name: IntelInsights (Substack)
The report investigates a suspected Remcos RAT infection delivered by phishing that used filetransfer.io, analyzes the sample's network communications (for example, 185.29.10.213:63650), and pivots on ASN 60567 and on SSH host-key fingerprint/port combinations to identify related infrastructure. It presents IP IOCs at two confidence levels: high for the small set of IPs the malware was observed communicating with, and moderate for the broader infrastructure leads derived from the pivots. It cautions that attribution of that broader infrastructure to Remcos is not definitive, because the same hosting and SSH-key overlaps are also used by varied, unrelated threat activity.
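The pivot described in the summary (seed IOC, then hosts sharing an SSH host-key fingerprint and port, then the surrounding ASN) can be reproduced on scan data. The following is an added example and is not code from the report or the feed. Only the IP 185.29.10.213, port 63650 and ASN 60567 come from the summary; every fingerprint, every other IP and the three-tier confidence scheme are constructed for illustration, and the tiers are this example's own simplification of the report's high/moderate labelling.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    """One scan observation of a host (e.g. from a Shodan/Censys-style dataset)."""
    ip: str
    port: int
    asn: int
    ssh_fingerprint: str  # hypothetical SHA-256 host-key fingerprint, constructed


# Constructed scan records. Only 185.29.10.213:63650 and ASN 60567 appear in the
# report summary; all fingerprints and the other IPs are made up for this example.
SCAN_RECORDS = [
    Host("185.29.10.213", 63650, 60567, "SHA256:aaaa"),  # seed: seen in sample C2 traffic
    Host("185.29.10.214", 63650, 60567, "SHA256:aaaa"),  # same key + port + ASN
    Host("203.0.113.7",   63650, 64512, "SHA256:aaaa"),  # same key + port, different ASN
    Host("185.29.10.250", 22,    60567, "SHA256:bbbb"),  # same ASN only: weak signal
    Host("198.51.100.9",  2222,  64513, "SHA256:cccc"),  # unrelated
]

# High-confidence seeds: IPs the malware sample was actually observed talking to.
SEED_IOCS = {"185.29.10.213"}


def pivot(records, seeds):
    """Return {ip: confidence} for hosts related to the seeds.

    Confidence tiers (this example's own scheme, not the report's wording):
      high     - the seed itself, observed in malware communications
      moderate - shares both SSH host-key fingerprint and listening port with a seed
      low      - shares only the ASN with a seed
    Hosts matching none of these are omitted.

    Caveat: SSH host keys are reused across unrelated tenants (cloned VPS images,
    shared panels), and an ASN hosts many customers, so moderate/low hits are
    leads for further analysis, not attribution to Remcos.
    """
    seed_hosts = [h for h in records if h.ip in seeds]
    seed_keys = {(h.ssh_fingerprint, h.port) for h in seed_hosts}
    seed_asns = {h.asn for h in seed_hosts}

    result = {}
    for h in records:
        if h.ip in seeds:
            result[h.ip] = "high"
        elif (h.ssh_fingerprint, h.port) in seed_keys:
            result[h.ip] = "moderate"
        elif h.asn in seed_asns:
            result[h.ip] = "low"
    return result


def group_by_key(records):
    """Index hosts by (fingerprint, port) so a new fingerprint hit can be looked up directly."""
    by_key = defaultdict(list)
    for h in records:
        by_key[(h.ssh_fingerprint, h.port)].append(h.ip)
    return dict(by_key)


if __name__ == "__main__":
    for ip, conf in sorted(pivot(SCAN_RECORDS, SEED_IOCS).items(), key=lambda kv: kv[1]):
        print(f"{ip:16} {conf}")
```

Running it prints the seed as high, the two hosts sharing its host key and port as moderate, and the ASN-only neighbour as low; the unrelated host is dropped. In practice the low tier is usually filtered out before anything reaches a blocklist, and even the moderate tier is best treated as a hunting lead until the host is seen serving the same payload or C2 protocol.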
