File name:

2025-05-15_cd889758105a511dae6ce6ed44ba3df9_amadey_black-basta_elex_luca-stealer_mespinoza_remcos_smoke-loader

Full analysis: https://app.any.run/tasks/b2048aa1-53b5-4573-82d9-ce9041fe03a9
Verdict: Malicious activity
Threats:

Remcos is a commercially distributed remote administration and surveillance tool that has been widely observed in unauthorized deployments, where threat actors use it to perform remote actions on compromised machines. It is actively maintained by its vendor, with new versions and feature updates released on a frequent, near-monthly basis.

Analysis date: May 15, 2025, 21:30:44
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: remcos
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5: CD889758105A511DAE6CE6ED44BA3DF9
SHA1: DEF301BF7C2EB773F944E79F6A9C687552B3D8E5
SHA256: 3F9EBBC5767D73B0BC1F4A7269030D492CEF4CB0F056501FAC36F1B1ECC00FED
SSDEEP: 12288:cSCXTjKaIG5M++FPsnglLXKnc5AcYmZtLXpWVVVVVVVVVVVVVVVVVqq:3CXTjeFPPlD5ZZFXpk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • REMCOS has been detected (YARA)

      • 2025-05-15_cd889758105a511dae6ce6ed44ba3df9_amadey_black-basta_elex_luca-stealer_mespinoza_remcos_smoke-loader.exe (PID: 7388)
  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • 2025-05-15_cd889758105a511dae6ce6ed44ba3df9_amadey_black-basta_elex_luca-stealer_mespinoza_remcos_smoke-loader.exe (PID: 7388)
    • Connects to unusual port

      • 2025-05-15_cd889758105a511dae6ce6ed44ba3df9_amadey_black-basta_elex_luca-stealer_mespinoza_remcos_smoke-loader.exe (PID: 7388)
  • INFO

    • Checks supported languages

      • 2025-05-15_cd889758105a511dae6ce6ed44ba3df9_amadey_black-basta_elex_luca-stealer_mespinoza_remcos_smoke-loader.exe (PID: 7388)
    • Reads the computer name

      • 2025-05-15_cd889758105a511dae6ce6ed44ba3df9_amadey_black-basta_elex_luca-stealer_mespinoza_remcos_smoke-loader.exe (PID: 7388)
    • Checks proxy server information

      • slui.exe (PID: 7724)
    • Reads the software policy settings

      • slui.exe (PID: 7724)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ MATRIX in the full report

Remcos

(PID) Process: (7388) 2025-05-15_cd889758105a511dae6ce6ed44ba3df9_amadey_black-basta_elex_luca-stealer_mespinoza_remcos_smoke-loader.exe
C2 (1): 62.60.226.190:31114
Botnet: LightAuto_v5
Options:
Connect_interval: 2
Install_flag: True
Install_HKCU\Run: True
Install_HKLM\Explorer\Run: 0
Install_HKLM\Winlogon\Shell: 10000
Install_HKLM\Winlogon\Userinit: True
Setup_path: %LOCALAPPDATA%
Copy_file: SlackUpdater.exe
Startup_value: False
Hide_file: False
Mutex_name: WechatNotify-BSYIMZ
Keylog_flag: 1
Keylog_path: %TEMP%
Keylog_file: logs.dat
Keylog_crypt: True
Hide_keylog: False
Screenshot_flag: True
Screenshot_time: 5
Take_Screenshot: False
Screenshot_path: %TEMP%
Screenshot_file: SteamErrors
Screenshot_crypt: True
Mouse_option: False
Delete_file: True
Audio_record_time: 5
Audio_path: 1
Audio_dir: MicRecords
Connect_delay: 2
Copy_dir: SteamNotifyService
Keylog_dir: OriginLog
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:05:06 19:19:38+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 310784
InitializedDataSize: 130048
UninitializedDataSize: -
EntryPoint: 0x2c9fb
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 123
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start | #REMCOS 2025-05-15_cd889758105a511dae6ce6ed44ba3df9_amadey_black-basta_elex_luca-stealer_mespinoza_remcos_smoke-loader.exe | slui.exe

Process information

PID: 7388
CMD: "C:\Users\admin\Desktop\2025-05-15_cd889758105a511dae6ce6ed44ba3df9_amadey_black-basta_elex_luca-stealer_mespinoza_remcos_smoke-loader.exe"
Path: C:\Users\admin\Desktop\2025-05-15_cd889758105a511dae6ce6ed44ba3df9_amadey_black-basta_elex_luca-stealer_mespinoza_remcos_smoke-loader.exe
Indicators: -
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (Images):
c:\users\admin\desktop\2025-05-15_cd889758105a511dae6ce6ed44ba3df9_amadey_black-basta_elex_luca-stealer_mespinoza_remcos_smoke-loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 7724
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Indicators: -
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 3 575
Read events: 3 572
Write events: 3
Delete events: 0

Modification events

(PID) Process: (7388) 2025-05-15_cd889758105a511dae6ce6ed44ba3df9_amadey_black-basta_elex_luca-stealer_mespinoza_remcos_smoke-loader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WechatNotify-BSYIMZ
Operation: write
Name: licence
Value: E7246DB50B4BB850BB209934E4FDCD9D

(PID) Process: (7388) 2025-05-15_cd889758105a511dae6ce6ed44ba3df9_amadey_black-basta_elex_luca-stealer_mespinoza_remcos_smoke-loader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WechatNotify-BSYIMZ
Operation: write
Name: time
Value:

(PID) Process: (7388) 2025-05-15_cd889758105a511dae6ce6ed44ba3df9_amadey_black-basta_elex_luca-stealer_mespinoza_remcos_smoke-loader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WechatNotify-BSYIMZ
Operation: write
Name: UID
Value: 523279730
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

No data
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 2
TCP/UDP connections: 29
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
2104 | svchost.exe | GET | 200 | 23.216.77.25:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2104 | svchost.exe | 23.216.77.25:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
7388 | 2025-05-15_cd889758105a511dae6ce6ed44ba3df9_amadey_black-basta_elex_luca-stealer_mespinoza_remcos_smoke-loader.exe | 62.60.226.190:31114 | - | Iranian Research Organization for Science & Technology | HK | unknown
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
7204 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7724 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
google.com | 142.250.186.78 | whitelisted
crl.microsoft.com | 23.216.77.25, 23.216.77.29, 23.216.77.19, 23.216.77.16, 23.216.77.27, 23.216.77.22, 23.216.77.28, 23.216.77.30, 23.216.77.13 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

No threats detected
No debug info