File name:	Remcos-v5.1.0-Light.zip
Full analysis:	https://app.any.run/tasks/45c79a8d-ccc0-4678-a22e-839114c6ff16
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Remcos is a commercially distributed remote administration and surveillance tool that has been widely observed in unauthorized deployments, where threat actors use it to perform remote actions on compromised machines. It is actively maintained by its vendor, with new versions and feature updates released on a frequent, near-monthly basis. Remcos ist eine Malware vom Typ RAT, mit der Angreifer aus der Ferne Aktionen auf infizierten Computern durchführen können. Diese Malware ist extrem aktiv und wird fast jeden Monat mit Updates auf den neuesten Stand gebracht. Malware Trends Tracker >>>
Analysis date:	July 27, 2024, 09:19:48
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	ransomware evasion remcos rat
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	0CBBD1F2AED39B032719B9B6F4A0705B
SHA1:	AA47105A1B997CC028A644F26613190FE1BC20CE
SHA256:	35AFCC81505046A5572387993F57FCCA2DE3480CD5B7E4778521756DE88E6765
SSDEEP:	393216:SGvT7XZtjDpZF2r8CY1RHgbai3J/sWTZyp0TkX:SQ7XPDHFaQgbai+WbkX

ZipRequiredVersion:	20
ZipBitFlag:	0x0001
ZipCompression:	Deflated
ZipModifyDate:	2024:06:29 17:18:38
ZipCRC:	0x29df0f26
ZipCompressedSize:	40259661
ZipUncompressedSize:	40667136
ZipFileName:	Remcos v5.1.0 Light.exe


(PID) Process:	(3188) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(3188) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(3188) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(3188) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\Remcos-v5.1.0-Light.zip
(PID) Process:	(3188) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(3188) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(3188) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(3188) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(3188) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
(PID) Process:	(3188) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\General
Operation:	write	Name:	LastFolder
Value: C:\Users\admin\Desktop

PID	Process	Filename		Type
1468	WinRAR.exe	C:\Users\admin\Desktop\Remcos v5.1.0 Light.exe		—
		MD5:—	SHA256:—
1468	WinRAR.exe	C:\Users\admin\Desktop\zip_password.txt		text
		MD5:9FD587FF1F1A40B278B64341B1887795	SHA256:BC52305FD2292EB8001BD03DE9225259B53CD5759E82E133240F1B508B31BC04
1468	WinRAR.exe	C:\Users\admin\Desktop\ReadMe.txt		text
		MD5:7E1F726D092C5572AE1A667A09B541EB	SHA256:58018082DC30315BBC09F006BC55F922D2388EF6B64885FB6D2D12CA97A0C510
3384	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIb3384.34723\zip_password.txt		text
		MD5:9FD587FF1F1A40B278B64341B1887795	SHA256:BC52305FD2292EB8001BD03DE9225259B53CD5759E82E133240F1B508B31BC04
6676	Remcos v5.1.0 Light.exe	C:\Users\admin\Desktop\BuilderProfiles\DefaultProfile.ini		text
		MD5:E2D57396C13D597855EB6FEA1122667A	SHA256:6422F98D8A559EC4F886892A806B427AF84B8814A114CDE4BBEC14B6B0B9AC50
6676	Remcos v5.1.0 Light.exe	C:\Users\admin\Desktop\remcos_a.exe		executable
		MD5:CC69CAC4B290FFE3A48EB97A84161C3C	SHA256:8DBAAF8394250340E282A70A69DAD00C21424E68D56CFC46816C1D0C2A2A0BD6
6676	Remcos v5.1.0 Light.exe	C:\Users\admin\Desktop\RCXEA24.tmp		executable
		MD5:9395F9FCACD028EB7834CA8E7A352B2E	SHA256:E61A2A89FDEF6054F50447D44510199D1B0D89FDB9F4668FF9AFEF23E95A9958
6676	Remcos v5.1.0 Light.exe	C:\Users\admin\Desktop\tls\remcos_client.key		text
		MD5:9CD76099652E85865E93601C4B859804	SHA256:8C0837D3C4C092484B902673EBA5F0DE481DF56D24548F6D35972EB755821B57
3140	remcos_a.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\json[1].json		binary
		MD5:6F58BABFF529D3227B88AF77233C5CB7	SHA256:B458788268E746F829FA03D07C5A38A0B43B0EAD3D4A2F12BBF03175B1C06300
6676	Remcos v5.1.0 Light.exe	C:\Users\admin\Desktop\tls\libeay32.dll		executable
		MD5:FA5DEF992198121D4BB5FF3BDE39FDC9	SHA256:5264A4A478383F501961F2BD9BEB1F77A43A487B76090561BBA2CBFE951E5305

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6676	Remcos v5.1.0 Light.exe	GET	200	95.172.86.122:80	http://breakingsec.io/Rmc/InternetCheck.php	unknown	—	—	suspicious
6676	Remcos v5.1.0 Light.exe	GET	200	95.172.86.122:80	http://breakingsec.io/Rmc/InternetCheck.php	unknown	—	—	suspicious
6676	Remcos v5.1.0 Light.exe	GET	200	95.172.86.122:80	http://breakingsec.io/GetIP.php	unknown	—	—	unknown
6676	Remcos v5.1.0 Light.exe	GET	200	95.172.86.122:80	http://breakingsec.io/Rmc/upd_free.txt	unknown	—	—	suspicious
6676	Remcos v5.1.0 Light.exe	GET	200	95.172.86.122:80	http://breakingsec.io/Rmc/InternetCheck.php	unknown	—	—	suspicious
6676	Remcos v5.1.0 Light.exe	GET	200	95.172.86.122:80	http://breakingsec.io/Rmc/InternetCheck.php	unknown	—	—	suspicious
6676	Remcos v5.1.0 Light.exe	GET	200	95.172.86.122:80	http://breakingsec.io/Rmc/InternetCheck.php	unknown	—	—	suspicious
3140	remcos_a.exe	GET	200	178.237.33.50:80	http://geoplugin.net/json.gp	unknown	—	—	whitelisted
—	—	POST	—	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	—	—	unknown
—	—	POST	200	20.189.173.18:443	https://self.events.data.microsoft.com/OneCollector/1.0/	unknown	binary	9 b	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	131.253.33.254:443	a-ring-fallback.msedge.net	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
—	—	184.86.251.14:443	www.bing.com	Akamai International B.V.	DE	unknown
—	—	40.91.76.224:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4132	OfficeClickToRun.exe	20.189.173.1:443	self.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
1544	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6676	Remcos v5.1.0 Light.exe	95.172.86.122:80	breakingsec.io	SINGLEHOP-LLC	GB	unknown

Domain	IP	Reputation
t-ring-fdv2.msedge.net	13.107.237.254	unknown
settings-win.data.microsoft.com	4.231.128.59	whitelisted
a-ring-fallback.msedge.net	131.253.33.254	unknown
www.bing.com	184.86.251.14 184.86.251.10 184.86.251.4 184.86.251.24 184.86.251.7 184.86.251.11 184.86.251.9 184.86.251.15 184.86.251.20	whitelisted
google.com	142.250.185.78	whitelisted
self.events.data.microsoft.com	20.189.173.1	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted
breakingsec.io	95.172.86.122	unknown
geoplugin.net	178.237.33.50	malicious

General Info

Remcos-v5.1.0-Light.zip

0CBBD1F2AED39B032719B9B6F4A0705B

AA47105A1B997CC028A644F26613190FE1BC20CE

35AFCC81505046A5572387993F57FCCA2DE3480CD5B7E4778521756DE88E6765

393216:SGvT7XZtjDpZF2r8CY1RHgbai3J/sWTZyp0TkX:SQ7XPDHFaQgbai+WbkX

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

REMCOS has been detected

REMCOS has been detected (YARA)

SUSPICIOUS

Reads security settings of Internet Explorer

Start notepad (likely ransomware note)

Creates files like ransomware instruction

Executable content was dropped or overwritten

Checks for external IP

There is functionality for taking screenshot (YARA)

INFO

Manual execution by a user

Reads Microsoft Office registry keys

Reads security settings of Internet Explorer

Checks supported languages

Reads Environment values

Reads the computer name

Checks proxy server information

Reads the machine GUID from the registry

Creates files or folders in the user directory

Malware configuration

Remcos

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

Remcos

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings