File name:	198b63cb0b21f5dcbde993a904d483d2544c314a9b9fe4b627a8301c13fbae31
Full analysis:	https://app.any.run/tasks/d1460d11-d7f6-48de-80d9-ede340ff7296
Verdict:	Malicious activity
Threats:	Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Remcos is a commercially distributed remote administration and surveillance tool that has been widely observed in unauthorized deployments, where threat actors use it to perform remote actions on compromised machines. It is actively maintained by its vendor, with new versions and feature updates released on a frequent, near-monthly basis. Remcos ist eine Malware vom Typ RAT, mit der Angreifer aus der Ferne Aktionen auf infizierten Computern durchführen können. Diese Malware ist extrem aktiv und wird fast jeden Monat mit Updates auf den neuesten Stand gebracht. Malware Trends Tracker >>>
Analysis date:	March 24, 2025, 20:56:42
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	remcos rat
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	FB0B57E2384FC19739BB45994CE5463A
SHA1:	79906A1307E8ED7543541F68F10A944BC7D9629C
SHA256:	198B63CB0B21F5DCBDE993A904D483D2544C314A9B9FE4B627A8301C13FBAE31
SSDEEP:	49152:e7f0tu7IfpNZvOXyfrkNfVImhQSWwudyq4sWKxEtfiv:Sf0t+IcX4rkNfeSQVy6Lv

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2017:03:26 23:56:46+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	8
CodeSize:	705024
InitializedDataSize:	71680
UninitializedDataSize:	-
EntryPoint:	0xae0fe
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	14.59.101.2
ProductVersionNumber:	14.59.101.2
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	Amd K8
CompanyName:	Company & Sons
FileDescription:	AMD Processor
FileVersion:	14.59.101.2
InternalName:	AMD Processor.exe
LegalCopyright:	Copyright © 2002-2017 by Company & Sons
OriginalFileName:	AMD Processor.exe
ProductName:	AMD Processor
ProductVersion:	14.59.101.2
AssemblyVersion:	14.59.101.2


(PID) Process:	(7728) 198b63cb0b21f5dcbde993a904d483d2544c314a9b9fe4b627a8301c13fbae31.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Application
Value: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
(PID) Process:	(8116) sbietrcl.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\remcos_sccafsoidz
Operation:	write	Name:	origmsc
Value: ßf$®´ú\Jïà¥Áí(ÈÇ›–¿/™$Bè¥Üºkíïã÷
(PID) Process:	(5352) mmc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{b05566ad-fe9c-4363-be05-7a4cbb7cb510}
Operation:	write	Name:	HelpTopic
Value: C:\WINDOWS\Help\eventviewer.chm
(PID) Process:	(5352) mmc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{b05566ad-fe9c-4363-be05-7a4cbb7cb510}
Operation:	write	Name:	LinkedHelpTopics
Value: C:\WINDOWS\Help\eventviewer.chm
(PID) Process:	(5352) mmc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{b05566ae-fe9c-4363-be05-7a4cbb7cb510}
Operation:	write	Name:	HelpTopic
Value: C:\WINDOWS\Help\eventviewer.chm
(PID) Process:	(5352) mmc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{b05566ae-fe9c-4363-be05-7a4cbb7cb510}
Operation:	write	Name:	LinkedHelpTopics
Value: C:\WINDOWS\Help\eventviewer.chm

PID	Process	Filename		Type
8044	sbietrcl.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE		binary
		MD5:3B5E0BD6640456A749D9155E6C135727	SHA256:C362A3D2B661C6066A02FC169FAAA1976C2F6160DA5837C7E68B7E0F67B794ED
7728	198b63cb0b21f5dcbde993a904d483d2544c314a9b9fe4b627a8301c13fbae31.exe	C:\Users\admin\AppData\Local\Temp\mscorsvw1.exe		executable
		MD5:BA428E7084F97B488865397D11059748	SHA256:3E824F0D325FD32F8100DDF6B506AD6250BE48286AC20726DCB23A9CEDF3E4C1
8044	sbietrcl.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956		binary
		MD5:1EA27366E034EB9447A33CE639C01489	SHA256:788D210EF206A4D11B6B506BF52124EE03FCA4E8A9389FAD43772202A7E29452
7728	198b63cb0b21f5dcbde993a904d483d2544c314a9b9fe4b627a8301c13fbae31.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl_signed.exe		executable
		MD5:D1E41AF4548DFF8A9D03AC0B28EA79D0	SHA256:00E6D8B884C81F20423F247322BCE6997FCA4F36961FD78EF0CC363F7371C66B
8044	sbietrcl.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE		binary
		MD5:BF9ED0A16246F31125D2B996E0FF43D9	SHA256:E0E700ADA3B8336ACB2BF46AF5185EDC0FFA791B2DC91FE7A8D506C7D14CC04D
8044	sbietrcl.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956		binary
		MD5:6F18923D84273BE0CC3B757BFACE08AA	SHA256:0BD72CF69E21EFBAAF207C7E05A3930C00DBBF78BB7BEC356F6919FB2479F1C9
7728	198b63cb0b21f5dcbde993a904d483d2544c314a9b9fe4b627a8301c13fbae31.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe		executable
		MD5:FB0B57E2384FC19739BB45994CE5463A	SHA256:198B63CB0B21F5DCBDE993A904D483D2544C314A9B9FE4B627A8301C13FBAE31

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
8044	sbietrcl.exe	GET	200	23.48.23.189:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
8044	sbietrcl.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl	unknown	—	—	whitelisted
2104	svchost.exe	GET	200	23.48.23.189:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
2104	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2104	svchost.exe	23.48.23.189:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
8044	sbietrcl.exe	23.48.23.189:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
8044	sbietrcl.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
7536	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5588	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208	whitelisted
google.com	142.250.186.142	whitelisted
crl.microsoft.com	23.48.23.189 23.48.23.179 23.48.23.194 23.48.23.141 23.48.23.166 23.48.23.175 23.48.23.174 23.48.23.146 23.48.23.138	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted

General Info

198b63cb0b21f5dcbde993a904d483d2544c314a9b9fe4b627a8301c13fbae31

FB0B57E2384FC19739BB45994CE5463A

79906A1307E8ED7543541F68F10A944BC7D9629C

198B63CB0B21F5DCBDE993A904D483D2544C314A9B9FE4B627A8301C13FBAE31

49152:e7f0tu7IfpNZvOXyfrkNfVImhQSWwudyq4sWKxEtfiv:Sf0t+IcX4rkNfeSQVy6Lv

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Changes the autorun value in the registry

REMCOS mutex has been found

REMCOS has been detected

SUSPICIOUS

Executable content was dropped or overwritten

Process drops legitimate windows executable

Reads security settings of Internet Explorer

Application launched itself

INFO

Reads the computer name

Reads the machine GUID from the registry

Create files in a temporary directory

Creates files or folders in the user directory

Reads the software policy settings

The sample compiled with english language support

Process checks computer location settings

Checks supported languages

Checks proxy server information

Creates files in the program directory

Reads security settings of Internet Explorer

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings