analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

71ed434a1de69486a0dbda5927ec39a7

Full analysis: https://app.any.run/tasks/a6d696ea-54f8-4f86-9442-24a6928d2f3d
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: November 08, 2019, 15:59:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
remcos
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

71ED434A1DE69486A0DBDA5927EC39A7

SHA1:

371EBC875A0819A2AE35A168CABBED02BF1A4B34

SHA256:

01B32123C893E59856A526031EC3153726F1509E3B49502CE025DDA4258A8A64

SSDEEP:

12288:ecmvLLmRFgbTrfR+oHA//bAsUp9vnsZyFE1WbRDXQUYlAMYgeILISdjq:ecmvvhTD1HYTA8Ie1YDXJY/YgLLIZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • Viceformnds2.exe (PID: 1012)

    • REMCOS was detected

      • Viceformnds2.exe (PID: 2120)

  • SUSPICIOUS

    • Starts itself from another location

      • 71ed434a1de69486a0dbda5927ec39a7.exe (PID: 2256)

    • Executable content was dropped or overwritten

      • 71ed434a1de69486a0dbda5927ec39a7.exe (PID: 2256)

    • Connects to unusual port

      • Viceformnds2.exe (PID: 2120)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

OriginalFileName: deallokere.exe
InternalName: deallokere
ProductVersion: 1
FileVersion: 1
ProductName: koeksistenserne
CharacterSet: Unicode
LanguageCode: Chinese (Traditional)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 1
OSVersion: 4
EntryPoint: 0x10e0
UninitializedDataSize: -
InitializedDataSize: 28672
CodeSize: 1351680
LinkerVersion: 6
PEType: PE32
TimeStamp: 2004:12:15 04:22:31+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 15-Dec-2004 03:22:31
Detected languages:
  • Chinese - Taiwan
ProductName: koeksistenserne
FileVersion: 1.00
ProductVersion: 1.00
InternalName: deallokere
OriginalFilename: deallokere.exe

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000B0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 15-Dec-2004 03:22:31
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00149E54
0x0014A000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.90134
.data
0x0014B000
0x00002218
0x00000000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x0014E000
0x00003D30
0x00004000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.07912

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.07192
504
Unicode (UTF 16LE)
Chinese - Taiwan
RT_VERSION
30001
5.07026
3752
Unicode (UTF 16LE)
UNKNOWN
RT_ICON
30002
5.63879
1384
Unicode (UTF 16LE)
UNKNOWN
RT_ICON
30003
4.49735
9640
Unicode (UTF 16LE)
UNKNOWN
RT_ICON

Imports

MSVBVM60.DLL
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
4
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start 71ed434a1de69486a0dbda5927ec39a7.exe no specs 71ed434a1de69486a0dbda5927ec39a7.exe viceformnds2.exe #REMCOS viceformnds2.exe

Process information

PID
CMD
Path
Indicators
Parent process
960"C:\Users\admin\AppData\Local\Temp\71ed434a1de69486a0dbda5927ec39a7.exe" C:\Users\admin\AppData\Local\Temp\71ed434a1de69486a0dbda5927ec39a7.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
2256"C:\Users\admin\AppData\Local\Temp\71ed434a1de69486a0dbda5927ec39a7.exe" C:\Users\admin\AppData\Local\Temp\71ed434a1de69486a0dbda5927ec39a7.exe
71ed434a1de69486a0dbda5927ec39a7.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
1012"C:\Users\admin\Dveskolerne7\Viceformnds2.exe" C:\Users\admin\Dveskolerne7\Viceformnds2.exe
71ed434a1de69486a0dbda5927ec39a7.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
2120"C:\Users\admin\Dveskolerne7\Viceformnds2.exe" C:\Users\admin\Dveskolerne7\Viceformnds2.exe
Viceformnds2.exe
User:
admin
Integrity Level:
MEDIUM
Version:
1.00
Total events
119
Read events
112
Write events
7
Delete events
0

Modification events

(PID) Process:(2256) 71ed434a1de69486a0dbda5927ec39a7.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2256) 71ed434a1de69486a0dbda5927ec39a7.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(1012) Viceformnds2.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Hysterorrhexis
Value:
wscript "C:\Users\admin\Dveskolerne7\Viceformnds2.vbs"
(PID) Process:(2120) Viceformnds2.exeKey:HKEY_CURRENT_USER\Software\Remcos-P9UP5M
Operation:writeName:exepath
Value:
7F29C1781FB41D389C5C3AF9FA9AB89EC18C4265579CAC69EC88E8F60AE27B36EAACED8773CA787EB81B8B1439C08D2F97D7644E3D38E43D44D09D300368D61BBA1DC8AC3000DE0B1751EF670B4A3E42689E75282CA9BB8D8AB3
(PID) Process:(2120) Viceformnds2.exeKey:HKEY_CURRENT_USER\Software\Remcos-P9UP5M
Operation:writeName:licence
Value:
E5B16ACB4E99E3B6F214881887156D61
Executable files
1
Suspicious files
3
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
225671ed434a1de69486a0dbda5927ec39a7.exeC:\Users\admin\Dveskolerne7\Viceformnds2.exeexecutable
MD5:71ED434A1DE69486A0DBDA5927EC39A7
SHA256:01B32123C893E59856A526031EC3153726F1509E3B49502CE025DDA4258A8A64
1012Viceformnds2.exeC:\Users\admin\AppData\Local\Temp\~DF14752174B3F8DFEA.TMPbinary
MD5:26A9FE8AF8B95059C77523456333CF99
SHA256:8BBE5C082F093DA3E16081A993E742D3D945725A7A5EB787C27C518FC64C6410
96071ed434a1de69486a0dbda5927ec39a7.exeC:\Users\admin\AppData\Local\Temp\~DF0E070CF83A541A16.TMPbinary
MD5:26A9FE8AF8B95059C77523456333CF99
SHA256:8BBE5C082F093DA3E16081A993E742D3D945725A7A5EB787C27C518FC64C6410
225671ed434a1de69486a0dbda5927ec39a7.exeC:\Users\admin\AppData\Local\Temp\~DF9AE79AD63CA9D1D1.TMPbinary
MD5:26A9FE8AF8B95059C77523456333CF99
SHA256:8BBE5C082F093DA3E16081A993E742D3D945725A7A5EB787C27C518FC64C6410
225671ed434a1de69486a0dbda5927ec39a7.exeC:\Users\admin\Dveskolerne7\Viceformnds2.vbstext
MD5:9E61C536DCC66FD8EA0E5AB572A6AE05
SHA256:6D2D434DE0C1A2702137E0A16DFCBCC057709C8BEB059D2888A5A3088FAB4D6A
1012Viceformnds2.exeC:\Users\admin\AppData\Local\VirtualStore\Windows\win.initext
MD5:D2A2412BDDBA16D60EC63BD9550D933F
SHA256:79FF2254E38192BE1626D05BEC6C82E10C85E1CF91DF7440C4C443380A1E877A
96071ed434a1de69486a0dbda5927ec39a7.exeC:\Users\admin\AppData\Local\VirtualStore\Windows\win.initext
MD5:D2A2412BDDBA16D60EC63BD9550D933F
SHA256:79FF2254E38192BE1626D05BEC6C82E10C85E1CF91DF7440C4C443380A1E877A
2120Viceformnds2.exeC:\Users\admin\AppData\Local\VirtualStore\Windows\win.initext
MD5:D2A2412BDDBA16D60EC63BD9550D933F
SHA256:79FF2254E38192BE1626D05BEC6C82E10C85E1CF91DF7440C4C443380A1E877A
225671ed434a1de69486a0dbda5927ec39a7.exeC:\Users\admin\AppData\Local\VirtualStore\Windows\win.initext
MD5:D2A2412BDDBA16D60EC63BD9550D933F
SHA256:79FF2254E38192BE1626D05BEC6C82E10C85E1CF91DF7440C4C443380A1E877A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2120
Viceformnds2.exe
79.134.225.69:2724
rc2724.duckdns.org
Andreas Fink trading as Fink Telecom Services
CH
malicious
79.134.225.69:2724
rc2724.duckdns.org
Andreas Fink trading as Fink Telecom Services
CH
malicious

DNS requests

Domain
IP
Reputation
rc2724.duckdns.org
  • 79.134.225.69
malicious

Threats

PID
Process
Class
Message
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
71ed434a1de69486a0dbda5927ec39a7