File name:	227a43c2aba0529be0a0689b4d9b63e45dc1ec11db9d463b2ef3fd3ea00eea3a
Full analysis:	https://app.any.run/tasks/fff8e899-d1c4-4635-807a-af8c20cebea7
Verdict:	Malicious activity
Threats:	Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Remcos is a commercially distributed remote administration and surveillance tool that has been widely observed in unauthorized deployments, where threat actors use it to perform remote actions on compromised machines. It is actively maintained by its vendor, with new versions and feature updates released on a frequent, near-monthly basis. Remcos ist eine Malware vom Typ RAT, mit der Angreifer aus der Ferne Aktionen auf infizierten Computern durchführen können. Diese Malware ist extrem aktiv und wird fast jeden Monat mit Updates auf den neuesten Stand gebracht. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 29, 2025, 20:04:49
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	remcos rat auto-reg stealer
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	149DAE8B7103F230E317BC04DDA71998
SHA1:	99900839A2D692AE224F9778D0B3615479C6624B
SHA256:	227A43C2ABA0529BE0A0689B4D9B63E45DC1EC11DB9D463B2EF3FD3EA00EEA3A
SSDEEP:	98304:9rkN/eSQVyQf0t+IcXPgVCBJAmiQfWNzVd6:9

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2017:03:26 23:56:46+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	8
CodeSize:	714752
InitializedDataSize:	71680
UninitializedDataSize:	-
EntryPoint:	0xb06ee
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	14.59.101.2
ProductVersionNumber:	14.59.101.2
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	Amd K8
CompanyName:	Company & Sons
FileDescription:	AMD Processor
FileVersion:	14.59.101.2
InternalName:	AMD Processor.exe
LegalCopyright:	Copyright © 2002-2017 by Company & Sons
OriginalFileName:	AMD Processor.exe
ProductName:	AMD Processor
ProductVersion:	14.59.101.2
AssemblyVersion:	14.59.101.2


(PID) Process:	(6436) 227a43c2aba0529be0a0689b4d9b63e45dc1ec11db9d463b2ef3fd3ea00eea3a.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Application
Value: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
(PID) Process:	(5504) sbietrcl.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\remcos_sccafsoidz
Operation:	write	Name:	origmsc
Value: ßf$®´ú\Jïà¥Áí(ÈÇ›–¿/™$Bè¥Üºkíïã÷
(PID) Process:	(1328) mmc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{b05566ad-fe9c-4363-be05-7a4cbb7cb510}
Operation:	write	Name:	HelpTopic
Value: C:\WINDOWS\Help\eventviewer.chm
(PID) Process:	(1328) mmc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{b05566ad-fe9c-4363-be05-7a4cbb7cb510}
Operation:	write	Name:	LinkedHelpTopics
Value: C:\WINDOWS\Help\eventviewer.chm
(PID) Process:	(1328) mmc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{b05566ae-fe9c-4363-be05-7a4cbb7cb510}
Operation:	write	Name:	HelpTopic
Value: C:\WINDOWS\Help\eventviewer.chm
(PID) Process:	(1328) mmc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{b05566ae-fe9c-4363-be05-7a4cbb7cb510}
Operation:	write	Name:	LinkedHelpTopics
Value: C:\WINDOWS\Help\eventviewer.chm
(PID) Process:	(5072) sbietrcl.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\remcos_sccafsoidz
Operation:	write	Name:	EXEpath
Value: ¹ˆ³å¼0RZ§Õ¸äß,Ý2•Ý«Ž•\,Sãâ¢Ò3¬½©Ô˜+£I¹4lYajýUc®qüá<Œ˜¡&¬Æêz%ü{Û
(PID) Process:	(5072) sbietrcl.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\remcos_sccafsoidz
Operation:	write	Name:	FR
Value: 1

PID	Process	Filename		Type
6436	227a43c2aba0529be0a0689b4d9b63e45dc1ec11db9d463b2ef3fd3ea00eea3a.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\696F3DE637E6DE85B458996D49D759AD		binary
		MD5:6872FAE8288DB34207D9E7EE350157F4	SHA256:50795B027E2BC566D3B7ACB89913F8EFD23B70615C9DB9BF5B23323AD3132A7D
2656	sbietrcl.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956		binary
		MD5:05B2EFF390B1950694D6D14B9572A818	SHA256:08E3B62FD5334F5BAD49DF9A329C4D1C5DE4B9519A4399520BAADABBD79E2B8C
6436	227a43c2aba0529be0a0689b4d9b63e45dc1ec11db9d463b2ef3fd3ea00eea3a.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl_signed.exe		executable
		MD5:2E14580FAF7845BA45B57E90D3A8FB9F	SHA256:AA79368781ADB8A24FD07BA52D168356B5CE238BB3CE0610AD8A2FE4831DC51D
6436	227a43c2aba0529be0a0689b4d9b63e45dc1ec11db9d463b2ef3fd3ea00eea3a.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD		binary
		MD5:8E394BDC0BD63A90FD03AB67A0D2B617	SHA256:AE26C0E6D949126554D7D307A15FADF872020972E3CF15446B0D3E702178C2B9
6436	227a43c2aba0529be0a0689b4d9b63e45dc1ec11db9d463b2ef3fd3ea00eea3a.exe	C:\Users\admin\AppData\Local\Temp\mscorsvw1.exe		executable
		MD5:BA428E7084F97B488865397D11059748	SHA256:3E824F0D325FD32F8100DDF6B506AD6250BE48286AC20726DCB23A9CEDF3E4C1
6436	227a43c2aba0529be0a0689b4d9b63e45dc1ec11db9d463b2ef3fd3ea00eea3a.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7396C420A8E1BC1DA97F1AF0D10BAD21		binary
		MD5:2DA1410D6FF72B629F2E1EBFDF214F57	SHA256:B16B4C15118CF3D3C8F7FCED3D4FCC796B63D050B6BE027299F97B57FC12CCDD
2656	sbietrcl.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE		binary
		MD5:924CD0C304755B3E1ADA187225502238	SHA256:3813FC084AA49263D4DA9D43CBCD6B11DD2B14065D24933C45AE959AD3A46DAD
6436	227a43c2aba0529be0a0689b4d9b63e45dc1ec11db9d463b2ef3fd3ea00eea3a.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe		executable
		MD5:149DAE8B7103F230E317BC04DDA71998	SHA256:227A43C2ABA0529BE0A0689B4D9B63E45DC1EC11DB9D463B2EF3FD3EA00EEA3A
6436	227a43c2aba0529be0a0689b4d9b63e45dc1ec11db9d463b2ef3fd3ea00eea3a.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7396C420A8E1BC1DA97F1AF0D10BAD21		binary
		MD5:E07178901A4EAAC2816BB238EC3A80DB	SHA256:EEBD04C1272661E1091084108083CE44F7C961013791892D866B2F92EE3DEDA8
2656	sbietrcl.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956		binary
		MD5:9B2509CFF42DFCEC25276BCC225CC4A4	SHA256:7335A1BD971D1CAF943246E1705CE2D10F83FE6A34438128D2C0CF3738FEE8AB

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	23.216.77.8:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2104	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6436	227a43c2aba0529be0a0689b4d9b63e45dc1ec11db9d463b2ef3fd3ea00eea3a.exe	GET	200	23.216.77.8:80	http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl	unknown	—	—	whitelisted
6436	227a43c2aba0529be0a0689b4d9b63e45dc1ec11db9d463b2ef3fd3ea00eea3a.exe	GET	200	23.216.77.8:80	http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl	unknown	—	—	whitelisted
2656	sbietrcl.exe	GET	200	23.216.77.8:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2656	sbietrcl.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl	unknown	—	—	whitelisted
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
2104	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2104	svchost.exe	23.216.77.8:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2104	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
6436	227a43c2aba0529be0a0689b4d9b63e45dc1ec11db9d463b2ef3fd3ea00eea3a.exe	23.216.77.8:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2104	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2656	sbietrcl.exe	23.216.77.8:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2656	sbietrcl.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 4.231.128.59	whitelisted
google.com	216.58.206.46	whitelisted
crl.microsoft.com	23.216.77.8 23.216.77.6 23.216.77.15 23.216.77.7 23.216.77.13 23.216.77.18 23.216.77.42 23.216.77.5 23.216.77.19	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted

General Info

227a43c2aba0529be0a0689b4d9b63e45dc1ec11db9d463b2ef3fd3ea00eea3a

149DAE8B7103F230E317BC04DDA71998

99900839A2D692AE224F9778D0B3615479C6624B

227A43C2ABA0529BE0A0689B4D9B63E45DC1EC11DB9D463B2EF3FD3EA00EEA3A

98304:9rkN/eSQVyQf0t+IcXPgVCBJAmiQfWNzVd6:9

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Changes the autorun value in the registry

REMCOS mutex has been found

REMCOS has been detected

Actions looks like stealing of personal data

REMCOS has been detected (YARA)

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Process drops legitimate windows executable

Application launched itself

Connects to unusual port

There is functionality for taking screenshot (YARA)

INFO

Reads the machine GUID from the registry

Reads the software policy settings

Checks supported languages

Reads the computer name

Creates files or folders in the user directory

Create files in a temporary directory

Checks proxy server information

The sample compiled with english language support

Auto-launch of the file from Registry key

Process checks computer location settings

Reads security settings of Internet Explorer

Manual execution by a user

Creates files in the program directory

Malware configuration

Remcos

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

Remcos

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests