File name: 13533b986d24ba176e64c6e7f8baa0a0.exe

Full analysis: https://app.any.run/tasks/f910a280-0b02-4f3d-9383-f93e6515e6e0
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete or partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: October 08, 2024, 17:30:31
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: rat, remcos, evasion
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 13533B986D24BA176E64C6E7F8BAA0A0
SHA1: 20B1526C6DF49A5B7B6EB3F456A8F29F011F9C6F
SHA256: 33DAE786B8B7DEBB0443F3FFD7922A3366072C0F3CB8C5A14CB6168938F0EECF
SSDEEP: 98304:K/H96qYa9DMj6r/Kf1ZvXQUHdxybzbBFX4CgnBxQ3HMuy7mvC1:mzr6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • REMCOS has been detected (SURICATA)
      • 13533b986d24ba176e64c6e7f8baa0a0.exe (PID: 3732)
    • Connects to the CnC server
      • 13533b986d24ba176e64c6e7f8baa0a0.exe (PID: 3732)
    • REMCOS has been detected (YARA)
      • 13533b986d24ba176e64c6e7f8baa0a0.exe (PID: 3732)
  • SUSPICIOUS
    • Contacting a server suspected of hosting a CnC
      • 13533b986d24ba176e64c6e7f8baa0a0.exe (PID: 3732)
    • Application launched itself
      • 13533b986d24ba176e64c6e7f8baa0a0.exe (PID: 2808)
    • Connects to unusual port
      • 13533b986d24ba176e64c6e7f8baa0a0.exe (PID: 3732)
    • Checks for external IP
      • 13533b986d24ba176e64c6e7f8baa0a0.exe (PID: 3732)
    • There is functionality for taking screenshots (YARA)
      • 13533b986d24ba176e64c6e7f8baa0a0.exe (PID: 3732)
  • INFO
    • Checks supported languages
      • 13533b986d24ba176e64c6e7f8baa0a0.exe (PID: 2808)

Remcos

Process: 13533b986d24ba176e64c6e7f8baa0a0.exe (PID: 3732)
C2 (1): segurosbolivar24.con-ip.com:2006
Botnet: OCTU

Options:
Connect_interval: 1
Install_flag: False
Install_HKCU\Run: True
Install_HKLM\Run: True
Install_HKLM\Explorer\Run: 1
Install_HKLM\Winlogon\Shell: 10000000
Setup_path: %LOCALAPPDATA%
Copy_file: remcos.exe
Startup_value: True
Hide_file: False
Mutex_name: ljnghvfghujkvgnasftnz-X8YJ1F
Keylog_flag: 1
Keylog_path: %LOCALAPPDATA%
Keylog_file: registros.dat
Keylog_crypt: False
Hide_keylog: False
Screenshot_flag: False
Screenshot_time: 5
Take_Screenshot: False
Screenshot_path: %APPDATA%
Screenshot_file: Capturas de pantalla
Screenshot_crypt: False
Mouse_option: False
Delete_file: False
Audio_record_time: 5
Audio_path: %ProgramFiles%
Audio_dir: MicRecords
Connect_delay: 0
Copy_dir: Remcos
Keylog_dir: regist

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:06:24 10:13:41+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 3070976
InitializedDataSize: 1677312
UninitializedDataSize: -
EntryPoint: 0x2ee378
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 3.4.3.146
ProductVersionNumber: 3.4.3.146
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
CompanyName: Crystal Rich Ltd
FileDescription: LockHunter - a foolproof file unlocker
FileVersion: 3.4.3.146
InternalName: LockHunter
LegalCopyright: Copyright © 2021 by Crystal Rich Ltd
ProductName: LockHunter
ProductVersion: 3.4.3.146
Total processes: 126
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Nodes: start; 13533b986d24ba176e64c6e7f8baa0a0.exe (no specs); 13533b986d24ba176e64c6e7f8baa0a0.exe (#REMCOS); svchost.exe

Process information

PID: 2172
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Indicators: -
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

PID: 2808
CMD: "C:\Users\admin\Desktop\13533b986d24ba176e64c6e7f8baa0a0.exe"
Path: C:\Users\admin\Desktop\13533b986d24ba176e64c6e7f8baa0a0.exe
Indicators: -
Parent process: explorer.exe
User: admin
Company: Crystal Rich Ltd
Integrity Level: MEDIUM
Description: LockHunter - a foolproof file unlocker
Exit code: 0
Version: 3.4.3.146
Modules (images):
c:\users\admin\desktop\13533b986d24ba176e64c6e7f8baa0a0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

PID: 3732
CMD: "C:\Users\admin\Desktop\13533b986d24ba176e64c6e7f8baa0a0.exe"
Path: C:\Users\admin\Desktop\13533b986d24ba176e64c6e7f8baa0a0.exe
Indicators: -
Parent process: 13533b986d24ba176e64c6e7f8baa0a0.exe
User: admin
Company: Crystal Rich Ltd
Integrity Level: MEDIUM
Description: LockHunter - a foolproof file unlocker
Version: 3.4.3.146
Modules (images):
c:\users\admin\desktop\13533b986d24ba176e64c6e7f8baa0a0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 621
Read events: 614
Write events: 7
Delete events: 0

Modification events

Process: 13533b986d24ba176e64c6e7f8baa0a0.exe (PID: 3732)
Key: HKEY_CURRENT_USER\SOFTWARE\ljnghvfghujkvgnasftnz-X8YJ1F
Operation: write
Name: exepath
Value: 3E95D4A1F5AFF778C8322E9CF6C3194169378750AA7E3371D04B836F0D7D4733A6E9E77AA4FF2F2D2A0475373C5AB7480F7200ABB043EC598BC80FED81C5B308A55D3E63EFC22BE88B3DE5EAC516A0A99715EEAF107497B283263629E5A44F5696574FDB4C5C520A769D4FF40B9D6A619630BB0D6A8A3F83

Process: 13533b986d24ba176e64c6e7f8baa0a0.exe (PID: 3732)
Key: HKEY_CURRENT_USER\SOFTWARE\ljnghvfghujkvgnasftnz-X8YJ1F
Operation: write
Name: licence
Value: F273B648551AE369A1D767CB8954FBC7

Process: 13533b986d24ba176e64c6e7f8baa0a0.exe (PID: 3732)
Key: HKEY_CURRENT_USER\SOFTWARE\ljnghvfghujkvgnasftnz-X8YJ1F
Operation: write
Name: time
Value: -

Process: 13533b986d24ba176e64c6e7f8baa0a0.exe (PID: 3732)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: -

Process: 13533b986d24ba176e64c6e7f8baa0a0.exe (PID: 3732)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: 13533b986d24ba176e64c6e7f8baa0a0.exe (PID: 3732)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: 13533b986d24ba176e64c6e7f8baa0a0.exe (PID: 2808)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: SpeedDesignerEditor
Value: C:\Users\admin\Music\SpeedDesignerUpdater\SpeedVideo.exe
Executable files: 0
Suspicious files: 2
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2808 | 13533b986d24ba176e64c6e7f8baa0a0.exe | C:\Users\admin\Music\SpeedDesignerUpdater\SpeedVideo.exe | -
MD5: -
SHA256: -
3732 | 13533b986d24ba176e64c6e7f8baa0a0.exe | C:\ProgramData\regist\registros.dat | binary
MD5: 2C7EC2E8E105886A35FD34B87A0A6AC3
SHA256: 5340495AEA5A72EB82B0DF6AE4B59F28D5AA6EA84127AE9F07BCF48FAA424951
3732 | 13533b986d24ba176e64c6e7f8baa0a0.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\json[1].json | binary
MD5: 0D000C38722EF73BEEC349158C6A3C80
SHA256: 6BA50E759DDD52016E13C3DCD9B56C8EDED8608B43EDEF7CB36D761E39992CBC
HTTP(S) requests: 4
TCP/UDP connections: 17
DNS requests: 7
Threats: 4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6944 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5700 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
3732 | 13533b986d24ba176e64c6e7f8baa0a0.exe | GET | 200 | 178.237.33.50:80 | http://geoplugin.net/json.gp | unknown | - | - | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5700 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6944 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6944 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5700 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4020 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 51.104.136.2 | whitelisted
google.com | 142.250.184.206 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
segurosbolivar24.con-ip.com | 181.141.41.0 | malicious
geoplugin.net | 178.237.33.50 | malicious
self.events.data.microsoft.com | 20.42.65.90 | whitelisted

Threats

PID | Process | Class | Message
2172 | svchost.exe | Potentially Bad Traffic | ET INFO DNS Redirection Service Domain in DNS Lookup (con-ip .com)
3732 | 13533b986d24ba176e64c6e7f8baa0a0.exe | Malware Command and Control Activity Detected | ET MALWARE Remcos 3.x Unencrypted Server Response
3732 | 13533b986d24ba176e64c6e7f8baa0a0.exe | Malware Command and Control Activity Detected | ET MALWARE Remcos 3.x Unencrypted Checkin

1 ETPRO signature is available in the full report.