File name: 037c825de0105c556885ea655349e8470b6fbeab00612b3952f9c4c37ad37588

Full analysis: https://app.any.run/tasks/3065350c-d13e-4b14-a0e1-0f1db98be197
Verdict: Malicious activity
Threats:

First identified in March 2021, PureCrypter is a .NET-based loader that employs obfuscation techniques, such as SmartAssembly, to evade detection. It has been used to distribute malware families including AgentTesla, RedLine Stealer, and SnakeKeylogger. The malware is typically delivered through phishing campaigns and malicious downloads, often masquerading as legitimate files with extensions like .mp4 or .pdf. PureCrypter utilizes encryption and compression to conceal its payloads and can inject malicious code into legitimate processes to maintain persistence on the infected system.

Analysis date: November 17, 2024, 08:46:59
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
remcos
rat
purecrypter
netreactor
remote
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 12045633292C69D63C710B4A00A6BE72
SHA1: 15E15462C382468C7CAA231A3D6F3F64CCE2777B
SHA256: 037C825DE0105C556885EA655349E8470B6FBEAB00612B3952F9C4C37AD37588
SSDEEP: 1536:n7evce2rJ3psU5fcCpT0IvplJ+odxYrzsQ4iagz6KoRRRKwKsWeSu+/dD464hlCz:7evcvgRRgJRRRKD464hlC1XG06E002+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • PURECRYPTER has been detected (YARA)

      • 037c825de0105c556885ea655349e8470b6fbeab00612b3952f9c4c37ad37588.exe (PID: 1732)
    • Create files in the Startup directory

      • 037c825de0105c556885ea655349e8470b6fbeab00612b3952f9c4c37ad37588.exe (PID: 1732)
    • REMCOS mutex has been found

      • InstallUtil.exe (PID: 5564)
    • REMCOS has been detected (YARA)

      • InstallUtil.exe (PID: 5564)
    • REMCOS has been detected (SURICATA)

      • InstallUtil.exe (PID: 5564)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 037c825de0105c556885ea655349e8470b6fbeab00612b3952f9c4c37ad37588.exe (PID: 1732)
    • Connects to unusual port

      • InstallUtil.exe (PID: 5564)
    • Contacting a server suspected of hosting a CnC

      • InstallUtil.exe (PID: 5564)
  • INFO

    • Reads the machine GUID from the registry

      • 037c825de0105c556885ea655349e8470b6fbeab00612b3952f9c4c37ad37588.exe (PID: 1732)
    • Reads the computer name

      • 037c825de0105c556885ea655349e8470b6fbeab00612b3952f9c4c37ad37588.exe (PID: 1732)
    • Disables trace logs

      • 037c825de0105c556885ea655349e8470b6fbeab00612b3952f9c4c37ad37588.exe (PID: 1732)
    • Checks supported languages

      • 037c825de0105c556885ea655349e8470b6fbeab00612b3952f9c4c37ad37588.exe (PID: 1732)
    • Checks proxy server information

      • 037c825de0105c556885ea655349e8470b6fbeab00612b3952f9c4c37ad37588.exe (PID: 1732)
    • .NET Reactor protector has been detected

      • 037c825de0105c556885ea655349e8470b6fbeab00612b3952f9c4c37ad37588.exe (PID: 1732)
    • Creates files or folders in the user directory

      • 037c825de0105c556885ea655349e8470b6fbeab00612b3952f9c4c37ad37588.exe (PID: 1732)
    • Manual execution by a user

      • InstallUtil.exe (PID: 5564)
    • Reads the software policy settings

      • 037c825de0105c556885ea655349e8470b6fbeab00612b3952f9c4c37ad37588.exe (PID: 1732)

Remcos

(PID) Process: (5564) InstallUtil.exe
C2 (1): 212.162.149.42:7118
Botnet: RemoteHost
Options:
Connect_interval: 1
Install_flag: False
Install_HKCU\Run: True
Install_HKLM\Run: True
Install_HKLM\Explorer\Run: 1
Setup_path: %LOCALAPPDATA%
Copy_file: remcos.exe
Startup_value: Remcos
Hide_file: False
Mutex_name: Rmc-YP127Q
Keylog_flag: 0
Keylog_path: %LOCALAPPDATA%
Keylog_file: logs.dat
Keylog_crypt: False
Hide_keylog: False
Screenshot_flag: False
Screenshot_time: 5
Take_Screenshot: False
Screenshot_path: %APPDATA%
Screenshot_file: Screenshots
Screenshot_crypt: False
Mouse_option: False
Delete_file: False
Audio_record_time: 5
Audio_path: %ProgramFiles%
Audio_dir: MicRecords
Connect_delay: 0
Copy_dir: Remcos
Keylog_dir: remcos
Max_keylog_file: 100000
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:11:07 08:23:02+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 73216
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x13bfe
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: pagamento.UniCredit.Bank.pdf
FileVersion: 1.0.0.0
InternalName: pagamento.UniCredit.Bank.pdf.exe
LegalCopyright: Copyright © 2018
LegalTrademarks: -
OriginalFileName: pagamento.UniCredit.Bank.pdf.exe
ProductName: pagamento.UniCredit.Bank.pdf
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
All screenshots are available in the full report
Total processes: 125
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start #PURECRYPTER 037c825de0105c556885ea655349e8470b6fbeab00612b3952f9c4c37ad37588.exe #REMCOS installutil.exe

Process information

PID: 1732
CMD: "C:\Users\admin\Desktop\037c825de0105c556885ea655349e8470b6fbeab00612b3952f9c4c37ad37588.exe"
Path: C:\Users\admin\Desktop\037c825de0105c556885ea655349e8470b6fbeab00612b3952f9c4c37ad37588.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
pagamento.UniCredit.Bank.pdf
Exit code:
4294967295
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\037c825de0105c556885ea655349e8470b6fbeab00612b3952f9c4c37ad37588.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 5564
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
.NET Framework installation utility
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\installutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 3 997
Read events: 3 981
Write events: 16
Delete events: 0

Modification events

(PID) Process: (1732) 037c825de0105c556885ea655349e8470b6fbeab00612b3952f9c4c37ad37588.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (1732) 037c825de0105c556885ea655349e8470b6fbeab00612b3952f9c4c37ad37588.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (1732) 037c825de0105c556885ea655349e8470b6fbeab00612b3952f9c4c37ad37588.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (1732) 037c825de0105c556885ea655349e8470b6fbeab00612b3952f9c4c37ad37588.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: FileTracingMask
Value:

(PID) Process: (1732) 037c825de0105c556885ea655349e8470b6fbeab00612b3952f9c4c37ad37588.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

(PID) Process: (1732) 037c825de0105c556885ea655349e8470b6fbeab00612b3952f9c4c37ad37588.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

(PID) Process: (1732) 037c825de0105c556885ea655349e8470b6fbeab00612b3952f9c4c37ad37588.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

(PID) Process: (1732) 037c825de0105c556885ea655349e8470b6fbeab00612b3952f9c4c37ad37588.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (1732) 037c825de0105c556885ea655349e8470b6fbeab00612b3952f9c4c37ad37588.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (1732) 037c825de0105c556885ea655349e8470b6fbeab00612b3952f9c4c37ad37588.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS
Operation: write
Name: EnableConsoleTracing
Value: 0
Executable files: 1
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1732 | 037c825de0105c556885ea655349e8470b6fbeab00612b3952f9c4c37ad37588.exe | C:\Users\admin\AppData\Roaming\TypeId.exe | executable
MD5: 12045633292C69D63C710B4A00A6BE72
SHA256: 037C825DE0105C556885EA655349E8470B6FBEAB00612B3952F9C4C37AD37588
1732 | 037c825de0105c556885ea655349e8470b6fbeab00612b3952f9c4c37ad37588.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TypeId.vbs | text
MD5: 9D608CD1F64AE38186AE154430E32471
SHA256: 6908DE6483DBD6A873DA9F4B4F4044FBFA3545A81CCDFA0B55EECE80BE8EE160
HTTP(S) requests: 7
TCP/UDP connections: 25
DNS requests: 8
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6944 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1584 | RUXIMICS.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6944 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1584 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 64.31.43.234:443 | https://inspirecollege.co.uk/trashss/Uanforw.pdf | unknown | binary | 1.12 Mb | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1584 | RUXIMICS.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
6944 | svchost.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1732 | 037c825de0105c556885ea655349e8470b6fbeab00612b3952f9c4c37ad37588.exe | 64.31.43.234:443 | inspirecollege.co.uk | LIMESTONENETWORKS | US | malicious
6944 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1584 | RUXIMICS.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6944 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.186.46 | whitelisted
inspirecollege.co.uk | 64.31.43.234 | unknown
crl.microsoft.com | 23.48.23.156, 23.48.23.143 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
self.events.data.microsoft.com | 20.189.173.2 | whitelisted

Threats

PID | Process | Class | Message
5564 | InstallUtil.exe | A Network Trojan was detected | REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
5564 | InstallUtil.exe | Malware Command and Control Activity Detected | ET JA3 Hash - Remcos 3.x/4.x TLS Connection
5564 | InstallUtil.exe | A Network Trojan was detected | REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
5564 | InstallUtil.exe | Malware Command and Control Activity Detected | ET JA3 Hash - Remcos 3.x/4.x TLS Connection
5564 | InstallUtil.exe | A Network Trojan was detected | REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
5564 | InstallUtil.exe | Malware Command and Control Activity Detected | ET JA3 Hash - Remcos 3.x/4.x TLS Connection
No debug info