Threat Intelligence Report: Remcos RAT C2 Infrastructure Investigation
TLP:CLEAR — This report may be freely shared without restriction.
Report Metadata
| Field | Details |
|---|---|
| Report ID | SDI-2025-001 |
| Date | March 5, 2025 |
| Analyst | Sam Dalgleish (CyberFrenchie) |
| Threat Category | Remote Access Trojan (RAT) |
| Primary IOC | 45.74.46.39 |
| Confidence Level | Medium |
| Classification | TLP:CLEAR |
1. Executive Summary
This report documents an investigation into a suspected Remcos RAT command-and-control (C2) infrastructure node. The investigation was triggered by the IP address 45.74.46.39 being flagged on ThreatFox as potentially linked to Remcos RAT activity.
Infrastructure analysis revealed the IP is associated with Secure Internet LLC and the VPN service PureVPN, with notable geolocation inconsistencies across multiple data sources suggesting use as a VPN exit node. A related malware sample was identified and analysed in a sandbox environment, exhibiting behaviour consistent with Remcos RAT.
2. Threat Background
Remcos RAT (Remote Control and Surveillance) is a commercially available remote access tool that has been widely weaponised by threat actors for malicious purposes since approximately 2016. It is frequently delivered via phishing campaigns and malicious document attachments.
Key capabilities:
- Full remote access and system control
- Keylogging and screen capture
- Credential harvesting
- Persistence via registry modifications
- Encrypted C2 communications
Remcos is commonly used in targeted attacks against businesses and individuals, and is frequently distributed by initial access brokers.
3. Indicators of Compromise (IOCs)
| Indicator | Type | Description |
|---|---|---|
| 45.74.46.39 | IP Address | Possible VPN exit node linked to Remcos RAT C2 |
| d9015194f6a3d0f5b47447924127b970690bb1ea0d957ce412e0c83ba604c9aa | SHA-256 | Remcos RAT sample linked to this infrastructure |
| B965E1923D49B795629EC84D738A6A0C4ECC9F3D0820779E0A54A7825951FDD6 | SHA-256 | Outer ZIP archive (AES encrypted) |
| 66D40E6537F67347E9450E064A8CED33 | MD5 | Outer ZIP archive |
| 602E60900DC364E9A2F3FF3620FAB500F5CE6110 | SHA-1 | Outer ZIP archive |
| purevpn.com | Domain | VPN service potentially used for obfuscation; context only, a commercial VPN domain is not a blocking indicator on its own |
| 5985/tcp | Open Port | WinRM (Windows Remote Management) listener observed on 45.74.46.39; context only |
4. Infrastructure Analysis
4.1 WHOIS
| Field | Value |
|---|---|
| IP | 45.74.46.39 |
| Owner | Secure Internet LLC (SIL-69) |
| Country | United States |
| Abuse Contact | admin@pointtoserver.com |
The organisation claims to be a hosting provider. The association with PureVPN suggests this IP may be used for anonymisation of attacker traffic.
4.2 Shodan
| Field | Value |
|---|---|
| Location | Frankfurt am Main, Germany |
| OS | Windows Server 2012 R2 (Build 6.3.9600) |
| Organisation | COREBACKBONE-SE |
| Open Ports | 5985/tcp (WinRM) |
An exposed WinRM listener on 5985/tcp (WinRM over HTTP, with no transport-layer encryption) shows the host is remotely manageable from the internet. It is not itself a Remcos C2 channel, since the RAT communicates over its own configured listener rather than WinRM, but it is consistent with either an operator administering the box remotely or a compromised Windows server, and it is an exposure worth recording in its own right.
4.3 Geolocation Analysis
| Source | Location |
|---|---|
| Shodan | Frankfurt am Main, Germany |
| IPInfoDB | Stockholm, Sweden |
| WHOIS | United States (organisation) |
Shodan and IPInfoDB disagree on the host's location (Frankfurt versus Stockholm), and the organisation Shodan reports (COREBACKBONE-SE) differs from the WHOIS registrant (Secure Internet LLC). WHOIS records who holds the allocation, not where the host sits, so it should not be counted as a third geolocation data point. The remaining discrepancy is consistent with a VPN exit node, but geolocation databases frequently disagree on hosting and VPN address ranges regardless of how the IP is used, so this supports rather than proves the VPN hypothesis.
5. Malware Analysis
5.1 Sample Details
| Field | Value |
|---|---|
| File Type | ZIP archive (AES Encrypted) |
| SHA-256 | B965E1923D49B795629EC84D738A6A0C4ECC9F3D0820779E0A54A7825951FDD6 |
| MD5 | 66D40E6537F67347E9450E064A8CED33 |
| SHA-1 | 602E60900DC364E9A2F3FF3620FAB500F5CE6110 |
| Analysis Date | March 5, 2025 |
| Environment | Windows 10 Professional (Build 19045, 64-bit) |
A full Any.Run sandbox report was generated for this sample (linked from the original publication).
5.2 Behavioural Indicators
- Process Execution — Multiple child processes spawned to establish system control
- Network Activity — Outbound connection attempts consistent with C2 communication
- Persistence — Registry modifications and file drops to survive reboots
- Encryption — Delivery inside an AES-encrypted (password-protected) ZIP archive, so mail gateways and static scanners cannot inspect the payload until the recipient extracts it
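As an added example (not part of the original report or the Any.Run analysis), the following Python script shows how to triage an AES-encrypted ZIP such as the outer archive in 5.1 without knowing its password: it hashes the bytes, walks the central directory, and reads the WinZip AES extra field (header ID 0x9901, compression method 99) to report which entries are encrypted and at what key length. The archive it parses is constructed in memory with a hypothetical entry name and filler bytes in place of ciphertext; it is not the sample from this report.

```python
import hashlib
import struct

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
AES_METHOD = 99          # compression method reserved for WinZip AES
AES_EXTRA_ID = 0x9901    # extra-field header ID of the AES record
AES_BITS = {1: 128, 2: 192, 3: 256}


def build_constructed_aes_zip():
    """Constructed archive for the demo: one AES-256 entry with a hypothetical
    name, AE-2 vendor version, and filler bytes where salt/ciphertext/auth code
    would be. Not the sample analysed in the report."""
    name = b"invoice.exe"                       # hypothetical entry name
    # AES extra record: id, data size, vendor version (2 = AE-2), vendor "AE",
    # strength (3 = 256-bit), actual compression method (8 = deflate)
    aes_extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
    payload = bytes(48)                         # stand-in for the encrypted body
    usize = 4096                                # claimed uncompressed size
    flags, crc = 0x0001, 0                      # bit 0 = encrypted; AE-2 stores CRC 0
    local = (LOCAL_SIG
             + struct.pack("<HHHHHIIIHH", 51, flags, AES_METHOD, 0, 0, crc,
                           len(payload), usize, len(name), len(aes_extra))
             + name + aes_extra + payload)
    central = (CENTRAL_SIG
               + struct.pack("<HHHHHHIIIHHHHHII", 51, 51, flags, AES_METHOD, 0, 0, crc,
                             len(payload), usize, len(name), len(aes_extra), 0, 0, 0, 0, 0)
               + name + aes_extra)
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def hash_sample(data):
    """MD5, SHA-1 and SHA-256 of the whole archive, as listed in an IOC table."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def _parse_aes_extra(extra):
    """Return (key_bits, real_method) from the 0x9901 record, or (None, None)."""
    off = 0
    while off + 4 <= len(extra):
        hid, hlen = struct.unpack_from("<HH", extra, off)
        if hid == AES_EXTRA_ID and hlen == 7:
            _vendor_ver, _vendor, strength, real_method = struct.unpack_from("<H2sBH", extra, off + 4)
            return AES_BITS.get(strength), real_method
        off += 4 + hlen
    return None, None


def enumerate_entries(data):
    """Walk the central directory (what archivers trust) rather than local headers."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _d, _dcd, _n, total, _cd_size, cd_off, _clen = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    entries, pos = [], cd_off
    for _ in range(total):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("bad central directory header at offset %d" % pos)
        (_vmb, _vn, flags, method, _t, _dt, _crc, csize, usize,
         nlen, xlen, clen, *_rest) = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        pos += 46
        name = data[pos:pos + nlen].decode("utf-8", "replace")
        extra = data[pos + nlen:pos + nlen + xlen]
        pos += nlen + xlen + clen
        bits, real_method = _parse_aes_extra(extra) if method == AES_METHOD else (None, None)
        entries.append({"name": name, "encrypted": bool(flags & 1), "method": method,
                        "aes_bits": bits, "real_method": real_method,
                        "compressed": csize, "uncompressed": usize})
    return entries


def triage(data):
    """Summary a practitioner would paste into a report before any detonation."""
    entries = enumerate_entries(data)
    return {"hashes": hash_sample(data), "entries": entries,
            "aes_encrypted": any(e["aes_bits"] for e in entries)}


if __name__ == "__main__":
    print(triage(build_constructed_aes_zip()))
```

Pass real sample bytes to `triage()` to get the same summary for a file on disk. Entry names, sizes and the AES record sit in cleartext even when the content is encrypted, so this yields a filename and key length for the IOC table without the password; the CRC is zero for AE-2 entries, so it cannot be used to check the contents.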
6. Attribution Assessment
| Assessment | Confidence |
|---|---|
| IP is a VPN exit node used to mask C2 traffic | Medium |
| IP is part of active Remcos RAT C2 infrastructure | Medium |
| Windows Server 2012 R2 host may be compromised | Low–Medium |
The use of PureVPN infrastructure and geolocation inconsistency makes definitive attribution difficult. The IP is assessed as likely being used as an anonymisation layer rather than a directly controlled server.
7. Recommended Actions
- Block 45.74.46.39 at the perimeter firewall if not already done
- Scan endpoints for the identified file hashes using EDR/XDR tooling
- Monitor outbound traffic for connections to this IP and associated domains
- Alert on WinRM (5985/tcp) outbound connections to external IPs
- Report abuse to admin@pointtoserver.com and PureVPN
- Restrict WinRM exposure: limit listeners to management networks, prefer WinRM over HTTPS (5986/tcp) with Kerberos or certificate authentication, and do not expose 5985/tcp to the internet
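The detection side of these actions, as an added example that is not part of the original report: a Python script that applies the report's IOCs to a constructed Zeek-style conn.log excerpt (the log lines, the internal address ranges and the file bytes are made up for the demo) and flags both contact with the IOC address and WinRM egress to non-internal destinations, plus a hash matcher that lowercases the mixed-case SHA-256 values from the IOC table before comparing.

```python
import hashlib
import ipaddress

# IOCs taken from this report. The table lists hashes in mixed case; compare lowercase.
IOC_IPS = {"45.74.46.39"}
IOC_SHA256 = {h.lower() for h in (
    "d9015194f6a3d0f5b47447924127b970690bb1ea0d957ce412e0c83ba604c9aa",
    "B965E1923D49B795629EC84D738A6A0C4ECC9F3D0820779E0A54A7825951FDD6",
)}
WINRM_PORTS = {5985, 5986}   # WinRM over HTTP and HTTPS

# Assumed internal ranges for the demo; replace with the organisation's own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed Zeek-style conn.log excerpt (tab separated: ts, orig_h, resp_h, resp_p, proto).
# Not real traffic; 203.0.113.7 and 93.184.216.34 stand in for arbitrary external hosts.
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tproto
1741176000.1\t10.0.0.15\t45.74.46.39\t443\ttcp
1741176001.2\t10.0.0.15\t10.0.0.2\t5985\ttcp
1741176002.3\t10.0.0.22\t203.0.113.7\t5985\ttcp
1741176003.4\t10.0.0.22\t93.184.216.34\t443\ttcp
"""


def is_internal(ip):
    """True if the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_conn_log(text):
    """Yield one dict per data line, skipping Zeek '#' header/comment lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, resp_h, resp_p, proto = line.split("\t")
        yield {"ts": float(ts), "orig_h": orig_h, "resp_h": resp_h,
               "resp_p": int(resp_p), "proto": proto}


def detect(records):
    """Return (alert_kind, record) pairs for the two network rules in section 7."""
    alerts = []
    for r in records:
        if r["resp_h"] in IOC_IPS:
            alerts.append(("ioc_ip_contact", r))
        if r["resp_p"] in WINRM_PORTS and not is_internal(r["resp_h"]):
            alerts.append(("winrm_egress", r))
    return alerts


def match_hashes(blobs, ioc_sha256=IOC_SHA256):
    """blobs: mapping of file name -> bytes. Returns (name, sha256) pairs matching an IOC."""
    wanted = {h.lower() for h in ioc_sha256}
    hits = []
    for name, data in blobs.items():
        digest = hashlib.sha256(data).hexdigest()
        if digest in wanted:
            hits.append((name, digest))
    return hits


if __name__ == "__main__":
    for kind, rec in detect(parse_conn_log(SAMPLE_CONN_LOG)):
        print(kind, rec["orig_h"], "->", rec["resp_h"], rec["resp_p"])
    print(match_hashes({"constructed.bin": b"not the sample"}))
```

Tune `INTERNAL_NETS` to the real address plan before relying on the WinRM rule. The report's evidence is an inbound listener on the suspect host, so outbound 5985/5986 from workstations to the internet is a hygiene alert rather than a Remcos signature; the IOC-address rule is the one that ties directly to this investigation.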
8. Confidence Assessment
Overall Confidence: Medium
Corroborated across ThreatFox, Shodan, VirusTotal, IPInfoDB, and sandbox analysis (Any.Run). Confidence is limited to Medium due to the VPN exit node hypothesis — the true attacker infrastructure origin cannot be confirmed from available open-source data.