File name:	dc9375a06ad99fe6bf0f7ba9f425404303b525ce5b0d2ab6554d3a98c6317a8d
Full analysis:	https://app.any.run/tasks/59af88c7-1ff7-433f-bab1-24d584236138
Verdict:	Malicious activity
Threats:	Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Remcos is a commercially distributed remote administration and surveillance tool that has been widely observed in unauthorized deployments, where threat actors use it to perform remote actions on compromised machines. It is actively maintained by its vendor, with new versions and feature updates released on a frequent, near-monthly basis. Remcos ist eine Malware vom Typ RAT, mit der Angreifer aus der Ferne Aktionen auf infizierten Computern durchführen können. Diese Malware ist extrem aktiv und wird fast jeden Monat mit Updates auf den neuesten Stand gebracht. Malware Trends Tracker >>>
Analysis date:	April 29, 2025, 19:58:37
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto-reg remcos rat
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:	0FC1C3545DE115D3F43A2547C3EB177C
SHA1:	CA7A75FFB9634541A35C7569392A9AC9FFA82489
SHA256:	46044E481BF35D33BBFB30C894A595770DB913208AE752B08AF014571BD95F1D
SSDEEP:	12288:iVVVVVeIS4utRhABCTZ3dUWQvHftPgFFBemW2WeTVVVVVt:vIS4utLABgtnEHftPEFBemW2WeH

.exe	\|	Win32 Executable Microsoft Visual Basic 6 (84.4)
.dll	\|	Win32 Dynamic Link Library (generic) (6.7)
.exe	\|	Win32 Executable (generic) (4.6)
.exe	\|	Generic Win/DOS Executable (2)
.exe	\|	DOS Executable Generic (2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2019:05:23 01:51:59+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	360448
InitializedDataSize:	24576
UninitializedDataSize:	-
EntryPoint:	0x12bc
OSVersion:	4
ImageVersion:	9.3
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	9.3.0.1
ProductVersionNumber:	9.3.0.1
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	sIemENs
ProductName:	mem0
FileVersion:	9.03.0001
ProductVersion:	9.03.0001
InternalName:	ste0
OriginalFileName:	ste0.exe


(PID) Process:	(6388) nas0.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:	write	Name:	men0
Value: wscript "C:\Users\admin\AppData\Local\Temp\nas0.vbs"
(PID) Process:	(2236) dc9375a06ad99fe6bf0f7ba9f425404303b525ce5b0d2ab6554d3a98c6317a8d.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2236) dc9375a06ad99fe6bf0f7ba9f425404303b525ce5b0d2ab6554d3a98c6317a8d.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2236) dc9375a06ad99fe6bf0f7ba9f425404303b525ce5b0d2ab6554d3a98c6317a8d.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2236) dc9375a06ad99fe6bf0f7ba9f425404303b525ce5b0d2ab6554d3a98c6317a8d.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(5124) nas0.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	remcos
Value: "C:\Users\admin\AppData\Roaming\remcos\remcos.exe"
(PID) Process:	(5124) nas0.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:	write	Name:	Userinit
Value: C:\WINDOWS\system32\userinit.exe, "C:\Users\admin\AppData\Roaming\remcos\remcos.exe"
(PID) Process:	(5124) nas0.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation:	write	Name:	VBSFile
Value:
(PID) Process:	(5124) nas0.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(5124) nas0.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1

PID	Process	Filename		Type
2236	dc9375a06ad99fe6bf0f7ba9f425404303b525ce5b0d2ab6554d3a98c6317a8d.exe	C:\Users\admin\AppData\Local\Temp\nas0.exe		executable
		MD5:B57DC693A092B6AC0A574056C116C3E6	SHA256:B5BFECDFF7D6EA0AB0F9DA49C9FA818B9FC0802C55E4EE8E9AF175975D1C5556
6644	dc9375a06ad99fe6bf0f7ba9f425404303b525ce5b0d2ab6554d3a98c6317a8d.exe	C:\Windows\win.ini		binary
		MD5:6BF517432F65EB7F0D18D574BF14124C	SHA256:6E2B70DFCCABF3CC651545676A3A566C9CFAE03F15F772886646ABCE1DA35B46
2236	dc9375a06ad99fe6bf0f7ba9f425404303b525ce5b0d2ab6554d3a98c6317a8d.exe	C:\Users\admin\AppData\Local\VirtualStore\Windows\win.ini		binary
		MD5:6BF517432F65EB7F0D18D574BF14124C	SHA256:6E2B70DFCCABF3CC651545676A3A566C9CFAE03F15F772886646ABCE1DA35B46
6644	dc9375a06ad99fe6bf0f7ba9f425404303b525ce5b0d2ab6554d3a98c6317a8d.exe	C:\Users\admin\AppData\Local\Temp\~DFBD38E47705C76334.TMP		binary
		MD5:04C1415D3344CC34F51763F132956894	SHA256:C852EF5871720E1F3EE651687020B35FE8744ACA0CF3FEB64089F7A3F0FDA299
2236	dc9375a06ad99fe6bf0f7ba9f425404303b525ce5b0d2ab6554d3a98c6317a8d.exe	C:\Users\admin\AppData\Local\Temp\~DFE92E18BA021B382E.TMP		binary
		MD5:04C1415D3344CC34F51763F132956894	SHA256:C852EF5871720E1F3EE651687020B35FE8744ACA0CF3FEB64089F7A3F0FDA299
6388	nas0.exe	C:\Users\admin\AppData\Local\Temp\~DFC3A7BF99AA65A7A6.TMP		binary
		MD5:04C1415D3344CC34F51763F132956894	SHA256:C852EF5871720E1F3EE651687020B35FE8744ACA0CF3FEB64089F7A3F0FDA299
5124	nas0.exe	C:\Users\admin\AppData\Local\Temp\~DF7D5A6F4C6CECFA72.TMP		binary
		MD5:04C1415D3344CC34F51763F132956894	SHA256:C852EF5871720E1F3EE651687020B35FE8744ACA0CF3FEB64089F7A3F0FDA299
5720	remcos.exe	C:\Users\admin\AppData\Local\Temp\~DF97A47BE48E23EFE0.TMP		binary
		MD5:04C1415D3344CC34F51763F132956894	SHA256:C852EF5871720E1F3EE651687020B35FE8744ACA0CF3FEB64089F7A3F0FDA299
6652	nas0.exe	C:\Users\admin\AppData\Local\Temp\~DFD9AFF1C6678CD84B.TMP		binary
		MD5:04C1415D3344CC34F51763F132956894	SHA256:C852EF5871720E1F3EE651687020B35FE8744ACA0CF3FEB64089F7A3F0FDA299
2236	dc9375a06ad99fe6bf0f7ba9f425404303b525ce5b0d2ab6554d3a98c6317a8d.exe	C:\Users\admin\AppData\Local\Temp\nas0.vbs		text
		MD5:9FAA21CC9D5456A442BFDE22B9BB04FF	SHA256:7E64C45254BFE67FB7D0445E9D2B5ED93F38176A2C6971B8C9937A5E22EFC67F

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1116	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
644	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
google.com	142.250.184.238	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

General Info

dc9375a06ad99fe6bf0f7ba9f425404303b525ce5b0d2ab6554d3a98c6317a8d

0FC1C3545DE115D3F43A2547C3EB177C

CA7A75FFB9634541A35C7569392A9AC9FFA82489

46044E481BF35D33BBFB30C894A595770DB913208AE752B08AF014571BD95F1D

12288:iVVVVVeIS4utRhABCTZ3dUWQvHftPgFFBemW2WeTVVVVVt:vIS4utLABgtnEHftPEFBemW2WeH

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

REMCOS mutex has been found

REMCOS has been detected

Changes the autorun value in the registry

Deletes a file (SCRIPT)

Uses sleep, probably for evasion detection (SCRIPT)

Changes the login/logoff helper path in the registry

SUSPICIOUS

Application launched itself

Executable content was dropped or overwritten

Reads the date of Windows installation

Reads security settings of Internet Explorer

Starts CMD.EXE for commands execution

Creates FileSystem object to access computer's file system (SCRIPT)

Gets full path of the running script (SCRIPT)

Runs shell command (SCRIPT)

The executable file from the user directory is run by the CMD process

The process executes VB scripts

Starts itself from another location

INFO

Create files in a temporary directory

The sample compiled with english language support

Reads the computer name

Checks supported languages

Auto-launch of the file from Registry key

Reads Environment values

Creates files or folders in the user directory

Process checks computer location settings

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings