File name:	Remcos-v5.1.0-Light.zip
Full analysis:	https://app.any.run/tasks/45c79a8d-ccc0-4678-a22e-839114c6ff16
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Remcos is a commercially distributed remote administration and surveillance tool that has been widely observed in unauthorized deployments, where threat actors use it to perform remote actions on compromised machines. It is actively maintained by its vendor, with new versions and feature updates released on a frequent, near-monthly basis. Remcos ist eine Malware vom Typ RAT, mit der Angreifer aus der Ferne Aktionen auf infizierten Computern durchführen können. Diese Malware ist extrem aktiv und wird fast jeden Monat mit Updates auf den neuesten Stand gebracht. Malware Trends Tracker >>>
Analysis date:	July 27, 2024, 09:19:48
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	ransomware evasion remcos rat
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	0CBBD1F2AED39B032719B9B6F4A0705B
SHA1:	AA47105A1B997CC028A644F26613190FE1BC20CE
SHA256:	35AFCC81505046A5572387993F57FCCA2DE3480CD5B7E4778521756DE88E6765
SSDEEP:	393216:SGvT7XZtjDpZF2r8CY1RHgbai3J/sWTZyp0TkX:SQ7XPDHFaQgbai+WbkX

ZipRequiredVersion:	20
ZipBitFlag:	0x0001
ZipCompression:	Deflated
ZipModifyDate:	2024:06:29 17:18:38
ZipCRC:	0x29df0f26
ZipCompressedSize:	40259661
ZipUncompressedSize:	40667136
ZipFileName:	Remcos v5.1.0 Light.exe


(PID) Process:	(3188) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(3188) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(3188) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(3188) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\Remcos-v5.1.0-Light.zip
(PID) Process:	(3188) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(3188) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(3188) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(3188) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(3188) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
(PID) Process:	(3188) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\General
Operation:	write	Name:	LastFolder
Value: C:\Users\admin\Desktop

PID	Process	Filename		Type
1468	WinRAR.exe	C:\Users\admin\Desktop\Remcos v5.1.0 Light.exe		—
		MD5:—	SHA256:—
6676	Remcos v5.1.0 Light.exe	C:\Users\admin\Desktop\tls\ssleay32.dll		executable
		MD5:2117E31688AEF8ECF267978265BFCDCD	SHA256:0A4031AB00664CC5E202C8731798800F0475EF76800122CEBD71D249655D725F
3384	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIb3384.34723\zip_password.txt		text
		MD5:9FD587FF1F1A40B278B64341B1887795	SHA256:BC52305FD2292EB8001BD03DE9225259B53CD5759E82E133240F1B508B31BC04
6676	Remcos v5.1.0 Light.exe	C:\Users\admin\Desktop\Remcos_Settings.ini		text
		MD5:5EF6EDD2053BA7DAE1C9B137DEDDFF92	SHA256:4EF0B5F5085EE7B911B8F64A66C40C45CC3049B74E1E8154ACC8338337AB717F
1468	WinRAR.exe	C:\Users\admin\Desktop\ReadMe.txt		text
		MD5:7E1F726D092C5572AE1A667A09B541EB	SHA256:58018082DC30315BBC09F006BC55F922D2388EF6B64885FB6D2D12CA97A0C510
6676	Remcos v5.1.0 Light.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\upd_free[1].txt		text
		MD5:4D3B38441D3358E49E5DFE9F45D3DCC7	SHA256:74144AD0A6F9EE30760DCB1BB618E0CDBDE208F2F4DE7155FFA8B606B761F51F
1468	WinRAR.exe	C:\Users\admin\Desktop\zip_password.txt		text
		MD5:9FD587FF1F1A40B278B64341B1887795	SHA256:BC52305FD2292EB8001BD03DE9225259B53CD5759E82E133240F1B508B31BC04
6676	Remcos v5.1.0 Light.exe	C:\Users\admin\Desktop\BuilderProfiles\DefaultProfile.ini		text
		MD5:E2D57396C13D597855EB6FEA1122667A	SHA256:6422F98D8A559EC4F886892A806B427AF84B8814A114CDE4BBEC14B6B0B9AC50
6676	Remcos v5.1.0 Light.exe	C:\Users\admin\Desktop\tls\WBATZ2YG.crt		text
		MD5:181467B2D55F3AF4B5395B38BE9C8110	SHA256:4C99356C265EE06C0AE0502E74D38231263513726D001CFE28EA25E70AF2CC7F
6676	Remcos v5.1.0 Light.exe	C:\Users\admin\Desktop\tls\libeay32.dll		executable
		MD5:FA5DEF992198121D4BB5FF3BDE39FDC9	SHA256:5264A4A478383F501961F2BD9BEB1F77A43A487B76090561BBA2CBFE951E5305

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6676	Remcos v5.1.0 Light.exe	GET	200	95.172.86.122:80	http://breakingsec.io/GetIP.php	unknown	—	—	unknown
6676	Remcos v5.1.0 Light.exe	GET	200	95.172.86.122:80	http://breakingsec.io/Rmc/InternetCheck.php	unknown	—	—	suspicious
6676	Remcos v5.1.0 Light.exe	GET	200	95.172.86.122:80	http://breakingsec.io/Rmc/upd_free.txt	unknown	—	—	suspicious
6676	Remcos v5.1.0 Light.exe	GET	200	95.172.86.122:80	http://breakingsec.io/Rmc/InternetCheck.php	unknown	—	—	suspicious
6676	Remcos v5.1.0 Light.exe	GET	200	95.172.86.122:80	http://breakingsec.io/Rmc/InternetCheck.php	unknown	—	—	suspicious
6676	Remcos v5.1.0 Light.exe	GET	200	95.172.86.122:80	http://breakingsec.io/Rmc/InternetCheck.php	unknown	—	—	suspicious
6676	Remcos v5.1.0 Light.exe	GET	200	95.172.86.122:80	http://breakingsec.io/Rmc/InternetCheck.php	unknown	—	—	suspicious
6676	Remcos v5.1.0 Light.exe	GET	200	95.172.86.122:80	http://breakingsec.io/Rmc/InternetCheck.php	unknown	—	—	suspicious
3140	remcos_a.exe	GET	200	178.237.33.50:80	http://geoplugin.net/json.gp	unknown	—	—	whitelisted
6676	Remcos v5.1.0 Light.exe	GET	200	95.172.86.122:80	http://breakingsec.io/Rmc/InternetCheck.php	unknown	—	—	suspicious

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	131.253.33.254:443	a-ring-fallback.msedge.net	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
—	—	184.86.251.14:443	www.bing.com	Akamai International B.V.	DE	unknown
—	—	40.91.76.224:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4132	OfficeClickToRun.exe	20.189.173.1:443	self.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
1544	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6676	Remcos v5.1.0 Light.exe	95.172.86.122:80	breakingsec.io	SINGLEHOP-LLC	GB	unknown

Domain	IP	Reputation
t-ring-fdv2.msedge.net	13.107.237.254	unknown
settings-win.data.microsoft.com	4.231.128.59	whitelisted
a-ring-fallback.msedge.net	131.253.33.254	unknown
www.bing.com	184.86.251.14 184.86.251.10 184.86.251.4 184.86.251.24 184.86.251.7 184.86.251.11 184.86.251.9 184.86.251.15 184.86.251.20	whitelisted
google.com	142.250.185.78	whitelisted
self.events.data.microsoft.com	20.189.173.1	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted
breakingsec.io	95.172.86.122	unknown
geoplugin.net	178.237.33.50	malicious

General Info

Remcos-v5.1.0-Light.zip

0CBBD1F2AED39B032719B9B6F4A0705B

AA47105A1B997CC028A644F26613190FE1BC20CE

35AFCC81505046A5572387993F57FCCA2DE3480CD5B7E4778521756DE88E6765

393216:SGvT7XZtjDpZF2r8CY1RHgbai3J/sWTZyp0TkX:SQ7XPDHFaQgbai+WbkX

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

REMCOS has been detected

REMCOS has been detected (YARA)

SUSPICIOUS

Start notepad (likely ransomware note)

Reads security settings of Internet Explorer

Creates files like ransomware instruction

Executable content was dropped or overwritten

Checks for external IP

There is functionality for taking screenshot (YARA)

INFO

Manual execution by a user

Reads Microsoft Office registry keys

Reads security settings of Internet Explorer

Reads Environment values

Checks supported languages

Reads the computer name

Checks proxy server information

Reads the machine GUID from the registry

Creates files or folders in the user directory

Malware configuration

Remcos

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

Remcos

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings