File name: RFQ.exe
Full analysis: https://app.any.run/tasks/09ae6f67-af9c-487d-a8d9-b8acfd6938a1
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a class of malware that gives an attacker partial to complete control over an infected computer. They are often modular, exposing a wide range of functions for operating on the compromised system; the most common include access to the user's files, webcam and keystrokes. RATs are typically delivered through phishing emails and links.

Analysis date: May 09, 2024, 13:16:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
remcos
remote
evasion
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 40F0B9DC3AA0C66A2EACD624E48B9B7E
SHA1: 74CC4F4D435B783421EE7ACAD65072FCDF607CD5
SHA256: 1BA77700F52814F80220F283D24E00284875FF6D25B374CC641876408F047462
SSDEEP: 49152:M6WNkebmEFhOHGo4uh68QqyxBXSCXPGms1lw3F0YmKDSd0ujsE58Vq84wE8hnHkK:f4kEm2O0uh68QqoBXSCXPGms1lw3F0YL

ANY.RUN is an interactive service that provides full access to the guest system. Because the analyst can act inside the guest, information in this report may be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • RFQ.exe (PID: 3968)
    • REMCOS has been detected

      • svchost.exe (PID: 4092)
    • Creates files in the Startup directory

      • RFQ.exe (PID: 4072)
    • REMCOS has been detected (YARA)

      • svchost.exe (PID: 4092)
  • SUSPICIOUS

    • Connects to unusual port

      • svchost.exe (PID: 4092)
    • Device Retrieving External IP Address Detected

      • svchost.exe (PID: 4092)
    • Checks for external IP

      • svchost.exe (PID: 4092)
  • INFO

    • Checks supported languages

      • RFQ.exe (PID: 3968)
      • RFQ.exe (PID: 4072)
      • wmpnscfg.exe (PID: 1772)
    • Reads mouse settings

      • RFQ.exe (PID: 3968)
      • RFQ.exe (PID: 4072)
    • Creates files in a temporary directory

      • RFQ.exe (PID: 3968)
      • RFQ.exe (PID: 4072)
    • Creates files or folders in the user directory

      • RFQ.exe (PID: 3968)
      • RFQ.exe (PID: 4072)
    • Reads the machine GUID from the registry

      • RFQ.exe (PID: 3968)
    • Manual execution by a user

      • RFQ.exe (PID: 4072)
      • wmpnscfg.exe (PID: 1772)
    • Checks proxy server information

      • svchost.exe (PID: 4092)
    • Reads the computer name

      • wmpnscfg.exe (PID: 1772)
    • Reads security settings of Internet Explorer

      • svchost.exe (PID: 4092)

Remcos

Process: svchost.exe (PID 4092)
C2 (1): bossnacarpet.com:30902
Botnet: RFQ
Options:
Connect_interval: 1
Install_flag: False
Install_HKCU\Run: True
Install_HKLM\Run: True
Install_HKLM\Explorer\Run: 1
Install_HKLM\Winlogon\Shell: 100000
Setup_path: %LOCALAPPDATA%
Copy_file: remcos.exe
Startup_value: False
Hide_file: False
Mutex_name: chrome-XH1EHP
Keylog_flag: 0
Keylog_path: %LOCALAPPDATA%
Keylog_file: logs.dat
Keylog_crypt: False
Hide_keylog: False
Screenshot_flag: False
Screenshot_time: 5
Take_Screenshot: False
Screenshot_path: %APPDATA%
Screenshot_file: Screenshots
Screenshot_crypt: False
Mouse_option: False
Delete_file: False
Audio_record_time: 5
Audio_path: %ProgramFiles%
Audio_dir: MicRecords
Connect_delay: 0
Copy_dir: Remcos
Keylog_dir: remcos

Note: Install_flag, Startup_value, Keylog_flag and Screenshot_flag are all off, so the RAT's own installer, keylogger and screenshot capture are disabled in this build; the only C2 is bossnacarpet.com on TCP 30902. The persistence observed in this run (chrome.vbs in the user's Startup folder, see Dropped files) is written by the RFQ.exe loader, not by the Remcos payload, so remediation keyed only on the Remcos install paths (%LOCALAPPDATA%\Remcos\remcos.exe) would miss it.
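How a configuration like the one above is recovered from a sample, as an added example that is not ANY.RUN's extractor and not code from this report. Public Remcos 3.x/4.x analyses describe the config as a resource whose first byte is the RC4 key length, followed by the key and then the RC4-encrypted settings, with fields separated by the byte sequence |\x1e\x1e\x1f|; that layout, the "host:port:password" form of the C2 field and the assumption that the first three fields are the C2, botnet name and connect interval (the order this report prints them in) are taken from those analyses and should be verified against the actual binary. The blob below is constructed inside the script with a made-up key; the field values mirror the report's extracted config only so the output can be compared to it.

```python
"""Decrypt and split a Remcos-style SETTINGS blob (added example, constructed input)."""
from typing import Dict, List

FIELD_SEP = b"|\x1e\x1e\x1f|"          # field separator reported for Remcos 3.x/4.x (assumption)
KNOWN_FIELDS = {0: "c2", 1: "botnet", 2: "connect_interval"}   # index mapping: assumption


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_settings_blob(key: bytes, fields: List[bytes]) -> bytes:
    """Construct a SETTINGS-shaped blob: [key_len][key][rc4(fields joined by FIELD_SEP)]."""
    if not 1 <= len(key) <= 255:
        raise ValueError("key length must fit in one byte")
    return bytes([len(key)]) + key + rc4(key, FIELD_SEP.join(fields))


def parse_settings_blob(blob: bytes) -> Dict[str, object]:
    """Decrypt a blob and return the C2 tuple, botnet name, interval and raw field table."""
    if len(blob) < 2:
        raise ValueError("blob too short")
    key_len = blob[0]
    key, ciphertext = blob[1:1 + key_len], blob[1 + key_len:]
    if len(key) != key_len or not ciphertext:
        raise ValueError("truncated blob: key length byte exceeds data")
    fields = rc4(key, ciphertext).split(FIELD_SEP)
    result: Dict[str, object] = {"key": key, "fields": fields}
    # C2 field is "host:port:password"; split at most twice so a password may contain ':'.
    # Multi-host configs are not handled here (their separator is not shown in the report).
    host, port, password = fields[0].decode("latin-1").split(":", 2)
    result["c2"] = {"host": host, "port": int(port), "password": password}
    if len(fields) > 1:
        result["botnet"] = fields[1].decode("latin-1")
    if len(fields) > 2:
        result["connect_interval"] = int(fields[2])
    return result


# Constructed sample: key and password are invented; host, port, botnet and interval
# copy the report's extracted values so the parsed output can be compared with it.
SAMPLE_KEY = b"constructed-rc4-key-not-from-the-sample"
SAMPLE_FIELDS = [b"bossnacarpet.com:30902:constructed-pw", b"RFQ", b"1", b"0"]
SAMPLE_BLOB = build_settings_blob(SAMPLE_KEY, SAMPLE_FIELDS)


def demo() -> Dict[str, object]:
    """Parse the constructed blob; used by the __main__ block and by tests."""
    return parse_settings_blob(SAMPLE_BLOB)


if __name__ == "__main__":
    cfg = demo()
    print("C2:", cfg["c2"], "botnet:", cfg["botnet"], "interval:", cfg["connect_interval"])
    for idx, value in enumerate(cfg["fields"]):
        print(idx, KNOWN_FIELDS.get(idx, "?"), value)
```

On a real sample the blob would come from the PE resource section rather than build_settings_blob; the decrypt-and-split part is unchanged, and the first check worth making on an extracted blob is that the key-length byte is consistent with the resource size, which is what the truncation error above guards.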

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:05:09 09:17:32+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 581632
InitializedDataSize: 718336
UninitializedDataSize: -
EntryPoint: 0x2800a
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 2.2.9.3
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
FileVersion: 2.2.9.3
Total processes: 37
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Chain as drawn in the report: start > rfq.exe (no specs) > rfq.exe > svchost.exe #REMCOS, with wmpnscfg.exe (no specs) running alongside from explorer.exe. wmpnscfg.exe (PID 1772) is a Windows Media Player component launched from explorer.exe with only INFO-level indicators; it is not part of the infection chain as recorded.

Process information

PID 1772
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID 3968
CMD: "C:\Users\admin\Desktop\RFQ.exe"
Path: C:\Users\admin\Desktop\RFQ.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Version: 2.2.9.3
Modules (images):
c:\users\admin\desktop\rfq.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll

PID 4072
CMD: "C:\Users\admin\Desktop\RFQ.exe"
Path: C:\Users\admin\Desktop\RFQ.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 2.2.9.3
Modules (images):
c:\users\admin\desktop\rfq.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll

PID 4092
CMD: "C:\Users\admin\Desktop\RFQ.exe"
Path: C:\Windows\System32\svchost.exe
Parent process: RFQ.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

Note: for PID 4092 the image is the genuine Microsoft svchost.exe, but the command line is RFQ.exe's and the parent is RFQ.exe rather than services.exe. Together with the Remcos configuration and the C2 connections being attributed to this PID, this is consistent with the loader starting svchost.exe and running the RAT inside it. A legitimate svchost.exe is started by services.exe with a "-k <group>" command line, so the image/command-line mismatch and the unexpected parent are the cheapest host-side checks for this sample.
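The two checks described above, run over process records constructed from this report's process table, as an added example that is not ANY.RUN's detection logic. The record fields and the rule that a svchost.exe image must be a child of services.exe are this script's own assumptions; in production the records would come from Sysmon Event ID 1 or an EDR process feed.

```python
"""Flag image/command-line mismatches and unexpected svchost.exe parents (added example)."""
import ntpath
from dataclasses import dataclass
from typing import List, Set


@dataclass
class ProcessRecord:
    pid: int
    image: str          # path of the executable actually mapped as the process image
    cmdline: str        # command line as recorded
    parent_image: str   # parent process image name


# Assumption: a normal svchost.exe is started by services.exe. Extend per environment.
EXPECTED_PARENT = {"svchost.exe": {"services.exe"}}


def first_token(cmdline: str) -> str:
    """Return the executable token of a Windows command line, quotes stripped."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def findings(records: List[ProcessRecord]) -> List[str]:
    """One message per rule hit; a process can hit both rules."""
    out = []
    for r in records:
        image_name = ntpath.basename(r.image).lower()
        cmd_name = ntpath.basename(first_token(r.cmdline)).lower()
        if cmd_name and cmd_name != image_name:
            out.append(f"pid {r.pid}: image {image_name} but command line names {cmd_name}")
        expected = EXPECTED_PARENT.get(image_name)
        if expected and r.parent_image.lower() not in expected:
            out.append(f"pid {r.pid}: {image_name} started by {r.parent_image}, "
                       f"expected one of {sorted(expected)}")
    return out


def flagged_pids(records: List[ProcessRecord]) -> Set[int]:
    """PIDs that triggered at least one rule."""
    return {int(msg.split()[1].rstrip(":")) for msg in findings(records)}


# Constructed from the report's process table (PID, image path, command line, parent).
REPORT_PROCESSES = [
    ProcessRecord(1772, r"C:\Program Files\Windows Media Player\wmpnscfg.exe",
                  r'"C:\Program Files\Windows Media Player\wmpnscfg.exe"', "explorer.exe"),
    ProcessRecord(3968, r"C:\Users\admin\Desktop\RFQ.exe",
                  r'"C:\Users\admin\Desktop\RFQ.exe" ', "explorer.exe"),
    ProcessRecord(4072, r"C:\Users\admin\Desktop\RFQ.exe",
                  r'"C:\Users\admin\Desktop\RFQ.exe" ', "explorer.exe"),
    ProcessRecord(4092, r"C:\Windows\System32\svchost.exe",
                  r'"C:\Users\admin\Desktop\RFQ.exe" ', "RFQ.exe"),
]

if __name__ == "__main__":
    for line in findings(REPORT_PROCESSES):
        print(line)
```

Only PID 4092 trips either rule; the two RFQ.exe instances and wmpnscfg.exe have matching image and command-line names and parents that the rules do not constrain.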
Total events: 1 009
Read events: 980
Write events: 23
Delete events: 6

Modification events

(PID 4092) svchost.exe | HKEY_CURRENT_USER\Software\chrome-XH1EHP | write | exepath = 9DD3FB9F9DA9A296454EDBB7B1FFFE04B77EE4A8A1D4D31033819C6A84593F553E04C6211915D2AFF43BD5E2C5490D5E3F4E803CFF4DAD53C8D3E00C2C149847
(PID 4092) svchost.exe | HKEY_CURRENT_USER\Software\chrome-XH1EHP | write | licence = C90245FEC67A6F41723337BDF4A60126
(PID 4092) svchost.exe | HKEY_CURRENT_USER\Software\chrome-XH1EHP | write | time = (empty)
(PID 4092) svchost.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | write | ProxyEnable = 0
(PID 4092) svchost.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | delete value | ProxyServer
(PID 4092) svchost.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | delete value | ProxyOverride
(PID 4092) svchost.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | delete value | AutoConfigURL
(PID 4092) svchost.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | delete value | AutoDetect
(PID 4092) svchost.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | write | SavedLegacySettings = 460000005D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID 4092) svchost.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass = 1

Note: the key name chrome-XH1EHP is the Mutex_name from the extracted config. Remcos keeps its per-host bookkeeping (exepath, licence, time) under HKCU\Software\<mutex name>, so a SetValue of exepath and licence under a single-component key directly below HKCU\Software by a process that is not an installer is a compact host indicator for this family. The Internet Settings changes (ProxyEnable 0, ProxyServer/ProxyOverride/AutoConfigURL/AutoDetect removed, ProxyBypass 1) leave the process with a direct connection; on their own they are weak evidence, since ordinary WinINet clients also write these keys, and they are best used as corroboration for the marker above.
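The two registry rules stated in the note above, run over Sysmon-shaped records, as an added example that is not ANY.RUN's signature logic. The records are constructed here from the report's modification events for PID 4092 plus one constructed benign event; the field names (eid, type, pid, image, target, details) are this script's shorthand for Sysmon Event ID 12 (object create/delete) and 13 (value set), and the hive aliases and regexes are assumptions about how such logs are normalised.

```python
"""Detect Remcos-style registry bookkeeping in Sysmon-shaped registry events (added example)."""
import re
from collections import defaultdict
from typing import Dict, List

SVCHOST = r"C:\Windows\System32\svchost.exe"
KEY = r"HKEY_CURRENT_USER\Software\chrome-XH1EHP"
INET = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# Constructed from the report's modification events (exepath value truncated here).
EVENTS = [
    {"eid": 13, "pid": 4092, "image": SVCHOST, "target": KEY + r"\exepath",
     "details": "9DD3FB9F9DA9A296454EDBB7B1FFFE04..."},
    {"eid": 13, "pid": 4092, "image": SVCHOST, "target": KEY + r"\licence",
     "details": "C90245FEC67A6F41723337BDF4A60126"},
    {"eid": 13, "pid": 4092, "image": SVCHOST, "target": KEY + r"\time", "details": ""},
    {"eid": 13, "pid": 4092, "image": SVCHOST, "target": INET + r"\ProxyEnable",
     "details": "DWORD (0x00000000)"},
    {"eid": 12, "type": "DeleteValue", "pid": 4092, "image": SVCHOST, "target": INET + r"\ProxyServer"},
    {"eid": 12, "type": "DeleteValue", "pid": 4092, "image": SVCHOST, "target": INET + r"\ProxyOverride"},
    {"eid": 12, "type": "DeleteValue", "pid": 4092, "image": SVCHOST, "target": INET + r"\AutoConfigURL"},
    {"eid": 12, "type": "DeleteValue", "pid": 4092, "image": SVCHOST, "target": INET + r"\AutoDetect"},
    {"eid": 13, "pid": 4092, "image": SVCHOST, "target": INET + r"\Connections\SavedLegacySettings",
     "details": "Binary Data"},
    {"eid": 13, "pid": 4092, "image": SVCHOST, "target": INET + r"\ZoneMap\ProxyBypass",
     "details": "DWORD (0x00000001)"},
    # Constructed benign event: an exepath value two levels deep must not match.
    {"eid": 13, "pid": 1772, "image": r"C:\Program Files\Windows Media Player\wmpnscfg.exe",
     "target": r"HKEY_CURRENT_USER\Software\ConstructedVendor\ConstructedApp\exepath", "details": "x"},
]

HIVE_ALIASES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM", "HKEY_USERS": "HKU"}
# Remcos marker: HKCU\Software\<one key>\{exepath,licence,time}
MARKER_RE = re.compile(r"^HKCU\\Software\\([^\\]+)\\(exepath|licence|time)$", re.I)
PROXY_SET_RE = re.compile(r"\\Internet Settings\\ProxyEnable$", re.I)
PROXY_DEL_RE = re.compile(r"\\Internet Settings\\(ProxyServer|AutoConfigURL|AutoDetect)$", re.I)


def normalize(target: str) -> str:
    """Map long hive names to their short aliases so one regex covers both spellings."""
    hive, sep, rest = target.partition("\\")
    return HIVE_ALIASES.get(hive.upper(), hive.upper()) + sep + rest


def detect(events: List[Dict]) -> List[Dict]:
    """Return findings for (1) exepath+licence under HKCU\\Software\\<key> by one PID,
    (2) ProxyEnable=0 plus deletion of proxy values by the same PID."""
    markers = defaultdict(set)      # (pid, key name) -> value names written
    proxy_off = set()               # pids that set ProxyEnable to 0
    proxy_del = defaultdict(set)    # pid -> proxy value names deleted
    image_of = {}
    for e in events:
        image_of[e["pid"]] = e["image"]
        target = normalize(e["target"])
        if e["eid"] == 13:
            m = MARKER_RE.match(target)
            if m:
                markers[(e["pid"], m.group(1))].add(m.group(2).lower())
            elif PROXY_SET_RE.search(target) and e.get("details", "").endswith("(0x00000000)"):
                proxy_off.add(e["pid"])
        elif e["eid"] == 12 and e.get("type") == "DeleteValue":
            m = PROXY_DEL_RE.search(target)
            if m:
                proxy_del[e["pid"]].add(m.group(1))
    findings = []
    for (pid, key), names in sorted(markers.items()):
        if {"exepath", "licence"} <= names:
            findings.append({"rule": "remcos_install_marker", "pid": pid, "key": key,
                             "image": image_of[pid]})
    for pid in sorted(proxy_off):
        if proxy_del.get(pid):
            findings.append({"rule": "proxy_settings_cleared", "pid": pid,
                             "deleted": sorted(proxy_del[pid]), "image": image_of[pid]})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

The marker rule deliberately requires both exepath and licence from the same PID under the same key, which keeps single stray values from firing it; the proxy rule is the weaker of the two and is reported separately so it can be weighted down or restricted to non-browser images.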
Executable files: 0
Suspicious files: 8
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
4092 | svchost.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\json[1].json | binary | 3A1A00A92CB0E36312E7F4E53CBD6A03 | 16D4E0892CF01AE70D8DEC428A5784FDCBEB6FBD67291D6DECCA38F25D6DBAFB
3968 | RFQ.exe | C:\Users\admin\AppData\Local\Temp\aut3C02.tmp | binary | 445508DB0A1A66E98A01414C1AD28FC5 | 9E4743214C6F46C5B3700485E979EADAF35AA8E2F8A98084CFE378D67042F775
4072 | RFQ.exe | C:\Users\admin\AppData\Local\Temp\aut20BF.tmp | binary | 5E49CD9AB4861E8619AF7CC17193C6CE | D1377768AE0CC1E4B8B5ED76BB63BA29F73995D8142181F480104A38D50CA7CC
3968 | RFQ.exe | C:\Users\admin\AppData\Local\Temp\vitraillist | text | B8177C67A331D5697463460482EBE6A7 | E01BA9D21CEFF74B3F310CE81A84BA78EC0DB1319B9A04B024FF2ADA1D58EC63
4072 | RFQ.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.vbs | binary | DB54146D4CAD8BB4AB67D9F5A637C6B6 | 28A65FE04CF3055AE790FBF61C7083CC48A12394C8F6A323BF03D1B7142EACC9
4072 | RFQ.exe | C:\Users\admin\AppData\Local\Temp\aut20FE.tmp | binary | 445508DB0A1A66E98A01414C1AD28FC5 | 9E4743214C6F46C5B3700485E979EADAF35AA8E2F8A98084CFE378D67042F775
4092 | svchost.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\json[1].json | binary | 3A1A00A92CB0E36312E7F4E53CBD6A03 | 16D4E0892CF01AE70D8DEC428A5784FDCBEB6FBD67291D6DECCA38F25D6DBAFB
3968 | RFQ.exe | C:\Users\admin\AppData\Local\Temp\outvaunts | binary | EFECA381B759E39927159ADEAC746703 | 7D0BCAED09800F3C9CA3BBD5FD354B4F6F69990EEE7577C473EAF3DCFFA7B665
3968 | RFQ.exe | C:\Users\admin\AppData\Local\Temp\aut3BA3.tmp | binary | 5E49CD9AB4861E8619AF7CC17193C6CE | D1377768AE0CC1E4B8B5ED76BB63BA29F73995D8142181F480104A38D50CA7CC

Notes: chrome.vbs in the user's Startup folder is the persistence artefact of this run and is written by RFQ.exe (PID 4072), the loader, while the extracted Remcos config has Install_flag and Startup_value both False. Both RFQ.exe instances stage the same two aut####.tmp files in %TEMP% (identical MD5/SHA256 pairs 445508... and 5E49CD...); that file-name pattern is characteristic of AutoIt-compiled loaders, an inference from the names only, as the report does not identify the packer. The two json[1].json entries are the cached geoplugin.net response (same hash, two cache folders) and are not a payload.
HTTP(S) requests: 3
TCP/UDP connections: 9
DNS requests: 3
Threats: 9

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4092 | svchost.exe | GET | (no response code recorded) | 178.237.33.50:80 | http://geoplugin.net/json.gp | unknown | unknown
4092 | svchost.exe | GET | 200 | 178.237.33.50:80 | http://geoplugin.net/json.gp | unknown | unknown
4092 | svchost.exe | GET | 200 | 178.237.33.50:80 | http://geoplugin.net/json.gp | unknown | unknown
(Only two of the four trailing columns carry a value in the source, both "unknown".)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1088 | svchost.exe | 224.0.0.252:5355 | | | | unknown
4092 | svchost.exe | 107.173.4.18:30902 | bossnacarpet.com | AS-COLOCROSSING | US | unknown
4092 | svchost.exe | 178.237.33.50:80 | geoplugin.net | Schuberg Philis B.V. | NL | unknown

Note: the NetBIOS broadcasts from System (137/138) and the LLMNR multicast from PID 1088 (224.0.0.252:5355) are normal Windows background traffic; PID 1088 is a system service host and is distinct from the Remcos-hosting PID 4092. The two connections that matter are from PID 4092: the C2 session to bossnacarpet.com on TCP 30902 and the plaintext geolocation lookup on geoplugin.net.

DNS requests

Domain | IP | Reputation
bossnacarpet.com | 107.173.4.18 | malicious
geoplugin.net | 178.237.33.50 | malicious

Note: geoplugin.net is a public geolocation API that Remcos (and other malware families) query to learn the victim's external IP address and country; the "malicious" reputation here reflects that abuse, not a compromise of the service. Use the lookup as a behavioural indicator in combination with the C2 connection rather than treating 178.237.33.50 as a C2 address. The C2 in this run is bossnacarpet.com:30902.
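The combination suggested above, an external-IP lookup from a host that also opens an outbound TCP session to a non-standard port, written as a small correlation over Zeek-style DNS and connection records, as an added example that is not ANY.RUN's network detection. The records are constructed from this report's DNS and Connections tables with an invented source address (192.168.100.51), invented timestamps and one constructed benign host; the list of IP-check domains and the common-port allowlist are assumptions to be tuned per environment.

```python
"""Correlate external-IP lookups with odd-port outbound TCP (added example, constructed logs)."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Services commonly used by malware to learn the victim's public IP (assumption; extend as needed).
IP_CHECK_DOMAINS = {"geoplugin.net", "api.ipify.org", "ipinfo.io", "checkip.amazonaws.com", "icanhazip.com"}
# Destination ports that are not interesting on their own (assumption).
COMMON_PORTS = {21, 22, 25, 53, 80, 110, 123, 143, 443, 465, 587, 993, 995}
WINDOW_S = 300.0   # lookup and odd-port connection must fall within this many seconds

DnsRecord = Tuple[float, str, str, List[str]]        # ts, src, query, answers
ConnRecord = Tuple[float, str, str, int, str]        # ts, src, dst, dport, proto

# Constructed from the report: bossnacarpet.com -> 107.173.4.18, geoplugin.net -> 178.237.33.50
DNS: List[DnsRecord] = [
    (1000.0, "192.168.100.51", "bossnacarpet.com", ["107.173.4.18"]),
    (1001.0, "192.168.100.51", "geoplugin.net", ["178.237.33.50"]),
]
CONNS: List[ConnRecord] = [
    (999.5, "192.168.100.51", "192.168.100.255", 137, "udp"),    # NetBIOS broadcast (System)
    (999.6, "192.168.100.51", "224.0.0.252", 5355, "udp"),       # LLMNR multicast (PID 1088)
    (1000.4, "192.168.100.51", "107.173.4.18", 30902, "tcp"),    # C2 (PID 4092)
    (1001.3, "192.168.100.51", "178.237.33.50", 80, "tcp"),      # geoplugin.net (PID 4092)
    (1500.0, "192.168.100.52", "1.1.1.1", 443, "tcp"),           # constructed benign host
]


def correlate(dns: List[DnsRecord], conns: List[ConnRecord], window: float = WINDOW_S) -> List[Dict]:
    """Return one finding per (src, dst, dport) where src queried an IP-check domain within
    `window` seconds of a TCP connection to a public address on a non-common port."""
    resolved: Dict[Tuple[str, str], str] = {}     # (src, answer ip) -> queried name
    lookups: Dict[str, List[float]] = defaultdict(list)
    for ts, src, query, answers in dns:
        for ip in answers:
            resolved[(src, ip)] = query.lower()
        if query.lower() in IP_CHECK_DOMAINS:
            lookups[src].append(ts)

    findings = []
    for ts, src, dst, dport, proto in conns:
        if proto != "tcp" or dport in COMMON_PORTS:
            continue
        if not ipaddress.ip_address(dst).is_global:     # drops broadcast, multicast, RFC1918
            continue
        near = [t for t in lookups.get(src, []) if abs(t - ts) <= window]
        if not near:
            continue
        findings.append({
            "src": src, "dst": dst, "dport": dport,
            "domain": resolved.get((src, dst), ""),
            "ip_check_seconds_away": round(min(abs(t - ts) for t in near), 1),
        })
    return findings


if __name__ == "__main__":
    for f in correlate(DNS, CONNS):
        print(f)
```

The window is symmetric on purpose: the report does not state whether the geolocation request precedes or follows the first C2 connection, and the heuristic should not depend on that ordering.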

Threats

Class | Message
A Network Trojan was detected | REMOTE [ANY.RUN] REMCOS JA3 Hash
Malware Command and Control Activity Detected | ET JA3 Hash - Remcos 3.x/4.x TLS Connection
(each of the two signatures fired three times)

Note: JA3 fingerprints the TLS ClientHello. The geoplugin.net requests are plaintext HTTP on port 80, so these matches belong to the TLS sessions to bossnacarpet.com:30902. Because the rules key on the client fingerprint rather than on the domain or port, they continue to fire after the operator moves the C2.
3 ETPRO signatures available at the full report