Backdoor.Remcos
Short bio
Backdoor.Remcos is Malwarebytes’ detection name for a family of Backdoor Trojans that allow remote access and control over the affected system.
Type and source of the infection
Backdoor.Remcos is a Remote Administration Tool (RAT). It typically arrives as a malicious email attachment or is downloaded by other malware already present on the system.
Aftermath
Backdoor.Remcos gives the threat actor full remote control over the infected system, including a keylogger and surveillance modes (audio recording and screenshots). This means:
- Data and information about the system may have been stolen
- User credentials may have been stolen
- Cryptocurrency may have been stolen
- The affected system may be susceptible to further attacks and/or infections through the backdoor that was opened
Protection
![block Backdoor.Remcos](https://www.malwarebytes.com/wp-content/uploads/sites/2/2019/06/backdoorremcosblock.png)
Malwarebytes blocks Backdoor.Remcos
Home remediation
Malwarebytes can detect and remove Backdoor.Remcos without further user interaction.
- Please download Malwarebytes to your desktop.
- Double-click MBSetup.exe and follow the prompts to install the program.
- When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
- Click on the Get started button.
- Click Scan to start a Threat Scan.
- Click Quarantine to remove the found threats.
- Reboot the system if prompted to complete the removal process.
Business remediation
How to remove Backdoor.Remcos with the Malwarebytes Nebula console
You can use the Malwarebytes Nebula console to scan endpoints.
![endpoint menu](https://www.malwarebytes.com/wp-content/uploads/sites/2/2018/04/endpointmenu.png)
Nebula endpoint tasks menu
Choose the Scan + Quarantine option. Afterwards you can check the Detections page to see which threats were found.
![Nebula detections](https://www.malwarebytes.com/wp-content/uploads/sites/2/2017/08/Nebula_new.png)
On the Quarantine page you can see which threats were quarantined and restore them if necessary.
![Nebula Quarantine](https://www.malwarebytes.com/wp-content/uploads/sites/2/2017/08/quarantine1.png)
Traces/IOCs
File:
%AppData%\remcos\logs.dat
C&C:
remcos2.legacyrealestateadvisors.net
remcos.legacyrealestateadvisors.net
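As an added example (not Malwarebytes code, and not the page's own), the script below turns the two indicators above into a quick triage check: it looks for the keylogger log at %AppData%\remcos\logs.dat and sweeps DNS query log lines for lookups of the listed C&C hosts, matching exact names and subdomains case-insensitively. The log lines are constructed for the demonstration, and the log format (`query=<name>`) is an assumption; adapt the regex to your resolver's format.

```python
"""Triage check for the Backdoor.Remcos IOCs listed on this page.

Added example, not Malwarebytes code. Sample DNS log lines are constructed.
"""
import os
import re
import tempfile
from pathlib import Path

# IOCs from the page: the keylogger log under %AppData% and the two C&C hosts.
REMCOS_LOG_RELATIVE = Path("remcos") / "logs.dat"
REMCOS_C2_DOMAINS = {
    "remcos2.legacyrealestateadvisors.net",
    "remcos.legacyrealestateadvisors.net",
}


def remcos_log_path(appdata=None):
    """Expected path of logs.dat; appdata defaults to the %AppData% environment variable."""
    base = appdata if appdata is not None else os.environ.get("APPDATA")
    if base is None:          # not on Windows and no override given
        return None
    return Path(base) / REMCOS_LOG_RELATIVE


def host_has_remcos_log(appdata=None):
    """True if the Remcos keylogger log exists under the given (or current) %AppData%."""
    p = remcos_log_path(appdata)
    return p is not None and p.is_file()


def matches_c2(domain):
    """True for a listed C&C host or any subdomain of one, ignoring case and a trailing dot."""
    d = domain.lower().rstrip(".")
    return any(d == c2 or d.endswith("." + c2) for c2 in REMCOS_C2_DOMAINS)


# Loose hostname pattern: labels of letters, digits, dots and hyphens ending in an alphabetic TLD.
# Dotted-quad IPs and timestamps do not match because they do not end in letters.
DOMAIN_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def find_c2_hits(log_lines):
    """Return (line_no, domain) for each log line containing a lookup of a listed C&C host."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for dom in DOMAIN_RE.findall(line):
            if matches_c2(dom):
                hits.append((n, dom.lower().rstrip(".")))
                break                     # one hit per line is enough for triage
    return hits


def demo_fake_appdata():
    """Build a throwaway %AppData% layout containing logs.dat and run the host check on it."""
    with tempfile.TemporaryDirectory() as tmp:
        p = Path(tmp) / REMCOS_LOG_RELATIVE
        p.parent.mkdir(parents=True)
        p.write_bytes(b"")                # an empty placeholder stands in for the real log
        return host_has_remcos_log(tmp)


# Constructed sample of a resolver query log (format assumed: "query=<name>").
SAMPLE_DNS_LOG = [
    "2019-06-12 09:14:03 client=10.0.0.21 query=www.microsoft.com type=A",
    "2019-06-12 09:14:07 client=10.0.0.21 query=remcos2.legacyrealestateadvisors.net type=A",
    "2019-06-12 09:14:09 client=10.0.0.35 query=updates.example.org type=AAAA",
    "2019-06-12 09:15:41 client=10.0.0.21 query=REMCOS.legacyrealestateadvisors.net. type=A",
]


if __name__ == "__main__":
    print("logs.dat present under %AppData%:", host_has_remcos_log())
    for n, dom in find_c2_hits(SAMPLE_DNS_LOG):
        print(f"C&C lookup on sample line {n}: {dom}")
```

Run it on the endpoint as the logged-in user so %AppData% resolves to that user's roaming profile; a hit on either check is a reason to isolate the host before running the Scan + Quarantine task, since the operator may still have a live session.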