| File name: | 314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d |
| Full analysis: | https://app.any.run/tasks/3c72b564-e67c-421e-8107-f30a38ef4650 |
| Verdict: | Malicious activity |
| Threats: | Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. |
| Analysis date: | April 24, 2025, 20:42:38 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections |
| MD5: | F9C57321468BAB33F05B3D7B032BA6E8 |
| SHA1: | BD592463B0819F60B37A857ACF7D07A7D64CA369 |
| SHA256: | 314789420EF5C18FDF4F3E8CB3AE6A75B76CC17D34F401C352C193102191A17D |
| SSDEEP: | 98304:o7GevXOjNW+QqZ8fAhSejQ4xrxcqtTqxxTv95ds5TP/0U6+4/Eqoe/QCVGtD+sDD:qxUlhROWRWxouwaS+EYI |
MALICIOUS
Executing a file with an untrusted certificate
- 314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe (PID: 5512)
REMCOS has been detected (YARA)
- 314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe (PID: 5512)
REMCOS has been detected (SURICATA)
- 314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe (PID: 5512)
SUSPICIOUS
Connects to unusual port
- 314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe (PID: 5512)
Contacting a server suspected of hosting an CnC
- 314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe (PID: 5512)
INFO
Checks supported languages
- 314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe (PID: 5512)
The sample compiled with english language support
- 314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe (PID: 5512)
Reads the computer name
- 314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe (PID: 5512)
Reads the machine GUID from the registry
- 314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe (PID: 5512)
Compiled with Borland Delphi (YARA)
- 314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe (PID: 5512)
Checks proxy server information
- slui.exe (PID: 632)
Detects InnoSetup installer (YARA)
- 314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe (PID: 5512)
Reads the software policy settings
- slui.exe (PID: 632)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 EXE PECompact compressed (generic) (53.4) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (35.5) |
| .exe | | | Win32 Executable (generic) (5.8) |
| .exe | | | Generic Win/DOS Executable (2.5) |
| .exe | | | DOS Executable Generic (2.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2025:03:28 06:19:29+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14 |
| CodeSize: | 310784 |
| InitializedDataSize: | 6685184 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x2c9fa |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.1 |
| ProductVersionNumber: | 1.0.0.1 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | ASUSTeK COMPUTER INC. |
| FileDescription: | - |
| FileVersion: | 2024.10.143.0 |
| InternalName: | WirelessLan_DCH_Realtek_Z_V2024.10.143.0_42585.exe |
| LegalCopyright: | © ASUSTeK COMPUTER INC. All rights reserved. |
| OriginalFileName: | WirelessLan_DCH_Realtek_Z_V2024.10.143.0_42585.exe |
| ProductName: | Realtek WLAN Driver |
| ProductVersion: | 2024.10.143.0 |
Total processes
120
Monitored processes
2
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 632 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5512 | "C:\Users\admin\Desktop\314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe" | C:\Users\admin\Desktop\314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe | explorer.exe | ||||||||||||
User: admin Company: ASUSTeK COMPUTER INC. Integrity Level: MEDIUM Version: 2024.10.143.0 Modules
| |||||||||||||||
Total events
7 067
Read events
7 064
Write events
3
Delete events
0
Modification events
| (PID) Process: | (5512) 314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\ZoomUpdateService-8DUEEB |
| Operation: | write | Name: | licence |
Value: 101BCC94C42220B31CE32081FB8B1DEF | |||
| (PID) Process: | (5512) 314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\ZoomUpdateService-8DUEEB |
| Operation: | write | Name: | time |
Value: | |||
| (PID) Process: | (5512) 314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\ZoomUpdateService-8DUEEB |
| Operation: | write | Name: | UID |
Value: 66720068 | |||
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
286
DNS requests
4
Threats
538
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5512 | 314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe | 62.60.226.21:40106 | — | Iranian Research Organization for Science & Technology | HK | malicious |
5512 | 314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe | 62.60.226.101:40106 | — | Iranian Research Organization for Science & Technology | HK | malicious |
5512 | 314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe | 62.60.226.21:40105 | — | Iranian Research Organization for Science & Technology | HK | malicious |
5512 | 314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe | 62.60.226.101:40105 | — | Iranian Research Organization for Science & Technology | HK | malicious |
5512 | 314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe | 62.60.226.101:40104 | — | Iranian Research Organization for Science & Technology | HK | malicious |
5512 | 314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe | 62.60.226.21:40104 | — | Iranian Research Organization for Science & Technology | HK | malicious |
5512 | 314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe | 62.60.226.21:40103 | — | Iranian Research Organization for Science & Technology | HK | malicious |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
5512 | 314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 6 |
5512 | 314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe | A Network Trojan was detected | REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash |
5512 | 314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe | Malware Command and Control Activity Detected | ET JA3 Hash - Remcos 3.x/4.x TLS Connection |
5512 | 314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 6 |
5512 | 314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe | A Network Trojan was detected | REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash |
5512 | 314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe | A Network Trojan was detected | REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash |
5512 | 314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe | Malware Command and Control Activity Detected | ET JA3 Hash - Remcos 3.x/4.x TLS Connection |
5512 | 314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe | Malware Command and Control Activity Detected | ET JA3 Hash - Remcos 3.x/4.x TLS Connection |
5512 | 314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe | Malware Command and Control Activity Detected | ET JA3 Hash - Remcos 3.x/4.x TLS Connection |
5512 | 314789420ef5c18fdf4f3e8cb3ae6a75b76cc17d34f401c352c193102191a17d.exe | A Network Trojan was detected | REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash |