File name:	Payment_details_HSBC7412529828654.exe
Full analysis:	https://app.any.run/tasks/e60245e2-bf56-440b-b8e9-a33a39cc3026
Verdict:	Malicious activity
Threats:	Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Remcos is a commercially distributed remote administration and surveillance tool that has been widely observed in unauthorized deployments, where threat actors use it to perform remote actions on compromised machines. It is actively maintained by its vendor, with new versions and feature updates released on a frequent, near-monthly basis. Remcos ist eine Malware vom Typ RAT, mit der Angreifer aus der Ferne Aktionen auf infizierten Computern durchführen können. Diese Malware ist extrem aktiv und wird fast jeden Monat mit Updates auf den neuesten Stand gebracht. Malware Trends Tracker >>>
Analysis date:	April 10, 2025, 11:39:57
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	remcos rat netreactor remote
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	6CEBC7622DC1C098FF31B53F024E3AD8
SHA1:	6FB358A0D33F51A5FDE463649A2D334C96225E56
SHA256:	1630E8B9995D554A7B791DFA929F77C659C48E0358008FB7EB66FE54D63D86B3
SSDEEP:	49152:YsZ17+BWpLkqTDZ2U6RqQ8aZ9ktXwvDSLrmxq+LknBeocHnhQ3l7:Yy+BuZGZeXYDSKbL8AoMhQ3

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe	\|	Win64 Executable (generic) (23.8)
.dll	\|	Win32 Dynamic Link Library (generic) (5.6)
.exe	\|	Win32 Executable (generic) (3.8)
.exe	\|	Generic Win/DOS Executable (1.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:04:09 01:42:00+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	48
CodeSize:	1022976
InitializedDataSize:	101888
UninitializedDataSize:	-
EntryPoint:	0xfbb8e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	-
CompanyName:	Microsoft
FileDescription:	BindingSourceAddingNew
FileVersion:	1.0.0.0
InternalName:	BdVf.exe
LegalCopyright:	Copyright © Microsoft 2015
LegalTrademarks:	-
OriginalFileName:	BdVf.exe
ProductName:	BindingSourceAddingNew
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0


(PID) Process:	(6040) Payment_details_HSBC7412529828654.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	javaruntime
Value: "C:\ProgramData\java-runtime\java.exe"
(PID) Process:	(6040) Payment_details_HSBC7412529828654.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	javaruntime
Value: "C:\ProgramData\java-runtime\java.exe"
(PID) Process:	(6040) Payment_details_HSBC7412529828654.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation:	write	Name:	VBSFile
Value:
(PID) Process:	(4944) java.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	javaruntime
Value: "C:\ProgramData\java-runtime\java.exe"
(PID) Process:	(4944) java.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	javaruntime
Value: "C:\ProgramData\java-runtime\java.exe"
(PID) Process:	(4944) java.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Rmc-YUSJR4
Operation:	write	Name:	exepath
Value: C221E53C2C0070807867D3FA09554F88E58C5C1FAF9976566165537083E9E39548FFBD4913881BE3AD215C15462B28C4AD5BA7FBFA401EB193A1E677A6808506AE8AD3C337F4BF47BE4E
(PID) Process:	(4944) java.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Rmc-YUSJR4
Operation:	write	Name:	licence
Value: 7ADA0BDFC9DD341D1787EB19B588E107

PID	Process	Filename		Type
4608	Payment_details_HSBC7412529828654.exe	C:\Users\admin\AppData\Roaming\gYhPNwCWigZEK.exe		executable
		MD5:6CEBC7622DC1C098FF31B53F024E3AD8	SHA256:1630E8B9995D554A7B791DFA929F77C659C48E0358008FB7EB66FE54D63D86B3
4944	java.exe	C:\ProgramData\remcos\logs.dat		binary
		MD5:07C58E8C617B4A7AABE7170DF7815B48	SHA256:1BABE2DE559C9424147ADDDEFA44B3BDD7980AD9A53A7FF19D98A8FB6AB9ED95
5260	java.exe	C:\Users\admin\AppData\Local\Temp\tmp6176.tmp		xml
		MD5:581BDD135F03D960E4FE778A0DFC6BE4	SHA256:89185FA488071F5B4822652936D1D8CC4AD94D97D02A0679F2536B357A663495
6040	Payment_details_HSBC7412529828654.exe	C:\Users\admin\AppData\Local\Temp\install.vbs		binary
		MD5:76B8485D86144C83E1DA3BCFE4CAA2C4	SHA256:9E9BB949D81D96433A366DC063961A1122C78DD6A0E66F0D9E8E892071626674
4608	Payment_details_HSBC7412529828654.exe	C:\Users\admin\AppData\Local\Temp\tmp1BB3.tmp		xml
		MD5:581BDD135F03D960E4FE778A0DFC6BE4	SHA256:89185FA488071F5B4822652936D1D8CC4AD94D97D02A0679F2536B357A663495
6040	Payment_details_HSBC7412529828654.exe	C:\ProgramData\java-runtime\java.exe		executable
		MD5:6CEBC7622DC1C098FF31B53F024E3AD8	SHA256:1630E8B9995D554A7B791DFA929F77C659C48E0358008FB7EB66FE54D63D86B3

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6708	RUXIMICS.exe	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	304	52.149.20.212:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
—	—	GET	200	52.149.20.212:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
4464	SIHClient.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
4464	SIHClient.exe	GET	200	23.216.77.22:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
4464	SIHClient.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
4464	SIHClient.exe	GET	200	23.216.77.22:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
—	—	GET	200	20.3.187.198:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	—
4464	SIHClient.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
4464	SIHClient.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
6708	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
—	—	20.190.160.64:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6544	svchost.exe	20.190.160.64:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6708	RUXIMICS.exe	23.216.77.6:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3216	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
2112	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 4.231.128.59	whitelisted
login.live.com	20.190.160.64 20.190.160.67 20.190.160.128 20.190.160.2 20.190.160.22 40.126.32.140 40.126.32.136 40.126.32.133	whitelisted
client.wns.windows.com	172.211.123.249 172.211.123.248	whitelisted
google.com	172.217.16.206	whitelisted
crl.microsoft.com	23.216.77.6 23.216.77.20 23.216.77.42 23.216.77.22 23.216.77.30 23.216.77.36	whitelisted
slscr.update.microsoft.com	52.149.20.212	whitelisted
www.microsoft.com	2.23.181.156	whitelisted
fe3cr.delivery.mp.microsoft.com	20.3.187.198	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted
nexusrules.officeapps.live.com	52.111.236.23	whitelisted

PID	Process	Class	Message
4944	java.exe	A Network Trojan was detected	REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
4944	java.exe	Malware Command and Control Activity Detected	ET JA3 Hash - Remcos 3.x/4.x TLS Connection
4944	java.exe	A Network Trojan was detected	REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
4944	java.exe	Malware Command and Control Activity Detected	ET JA3 Hash - Remcos 3.x/4.x TLS Connection
4944	java.exe	A Network Trojan was detected	REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
4944	java.exe	Malware Command and Control Activity Detected	ET JA3 Hash - Remcos 3.x/4.x TLS Connection
4944	java.exe	A Network Trojan was detected	REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
4944	java.exe	Malware Command and Control Activity Detected	ET JA3 Hash - Remcos 3.x/4.x TLS Connection
4944	java.exe	Malware Command and Control Activity Detected	ET JA3 Hash - Remcos 3.x/4.x TLS Connection
4944	java.exe	A Network Trojan was detected	REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash

General Info

Payment_details_HSBC7412529828654.exe

6CEBC7622DC1C098FF31B53F024E3AD8

6FB358A0D33F51A5FDE463649A2D334C96225E56

1630E8B9995D554A7B791DFA929F77C659C48E0358008FB7EB66FE54D63D86B3

49152:YsZ17+BWpLkqTDZ2U6RqQ8aZ9ktXwvDSLrmxq+LknBeocHnhQ3l7:Yy+BuZGZeXYDSKbL8AoMhQ3

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Uses Task Scheduler to run other applications

REMCOS mutex has been found

Changes the autorun value in the registry

Deletes a file (SCRIPT)

Uses sleep, probably for evasion detection (SCRIPT)

REMCOS has been detected

REMCOS has been detected (YARA)

REMCOS has been detected (SURICATA)

SUSPICIOUS

Application launched itself

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

The process executes VB scripts

Runs shell command (SCRIPT)

Creates FileSystem object to access computer's file system (SCRIPT)

Gets full path of the running script (SCRIPT)

Starts CMD.EXE for commands execution

Contacting a server suspected of hosting an CnC

Connects to unusual port

There is functionality for taking screenshot (YARA)

INFO

Reads the computer name

Creates files or folders in the user directory

Checks supported languages

Create files in a temporary directory

.NET Reactor protector has been detected

Reads the machine GUID from the registry

Process checks computer location settings

Creates files in the program directory

Checks proxy server information

Reads the software policy settings

Malware configuration

Remcos

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

Remcos

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files