File name:	Backdoor.exe
Full analysis:	https://app.any.run/tasks/bb28bb86-59b2-4b74-b2f5-7424b7468061
Verdict:	Malicious activity
Threats:	Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Remcos is a commercially distributed remote administration and surveillance tool that has been widely observed in unauthorized deployments, where threat actors use it to perform remote actions on compromised machines. It is actively maintained by its vendor, with new versions and feature updates released on a frequent, near-monthly basis. Remcos ist eine Malware vom Typ RAT, mit der Angreifer aus der Ferne Aktionen auf infizierten Computern durchführen können. Diese Malware ist extrem aktiv und wird fast jeden Monat mit Updates auf den neuesten Stand gebracht. Malware Trends Tracker >>>
Analysis date:	May 13, 2025, 17:15:56
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	remcos rat
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	E066D0A4E7271D4D8ACDD7081747E861
SHA1:	C2B66AB8535D443528EC9C71E97ED5ACE4BFA9FE
SHA256:	47F7EADA9469188FD392400751A8FBD1F988C43BCEAFBB7DFD76466C5A22AABB
SSDEEP:	3072:bGn3BLrjOSBOpP/ySDixvvvKNy/35ENLeiaD:inJqAvKNyhENLei

.exe	\|	Win32 Executable MS Visual C++ (generic) (35.8)
.exe	\|	Win64 Executable (generic) (31.7)
.scr	\|	Windows screen saver (15)
.dll	\|	Win32 Dynamic Link Library (generic) (7.5)
.exe	\|	Win32 Executable (generic) (5.1)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2017:01:05 19:50:18+00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	61440
InitializedDataSize:	36864
UninitializedDataSize:	-
EntryPoint:	0xfd88
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI

PID	CMD	Path	Indicators	Parent process
7460	"C:\Users\admin\Desktop\Backdoor.exe"	C:\Users\admin\Desktop\Backdoor.exe		explorer.exe
User: admin Integrity Level: MEDIUM Exit code: 0
7504	"C:\Windows\SysWOW64\eventvwr.exe"	C:\Windows\SysWOW64\eventvwr.exe	—	Backdoor.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Event Viewer Snapin Launcher Exit code: 3221226540 Version: 10.0.19041.1 (WinBuild.160101.0800)
7620	"C:\Windows\SysWOW64\eventvwr.exe"	C:\Windows\SysWOW64\eventvwr.exe		Backdoor.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Event Viewer Snapin Launcher Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800)
7652	"C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\eventvwr.msc"	C:\Windows\SysWOW64\mmc.exe	—	eventvwr.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Management Console Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800)
7708	"C:\WINDOWS\system32\eventvwr.msc" "C:\WINDOWS\system32\eventvwr.msc"	C:\Windows\System32\mmc.exe	—	mmc.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Management Console Version: 10.0.19041.1 (WinBuild.160101.0800)
8012	C:\WINDOWS\System32\slui.exe -Embedding	C:\Windows\System32\slui.exe		svchost.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800)

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1852	RUXIMICS.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1852	RUXIMICS.exe	GET	200	2.20.245.139:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
1852	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1852	RUXIMICS.exe	2.20.245.139:80	crl.microsoft.com	Akamai International B.V.	SE	whitelisted
1852	RUXIMICS.exe	23.219.150.101:80	www.microsoft.com	AKAMAI-AS	CL	whitelisted
2140	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
8012	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208	whitelisted
google.com	216.58.206.78	whitelisted
crl.microsoft.com	2.20.245.139 2.20.245.137	whitelisted
www.microsoft.com	23.219.150.101	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

General Info

Backdoor.exe

E066D0A4E7271D4D8ACDD7081747E861

C2B66AB8535D443528EC9C71E97ED5ACE4BFA9FE

47F7EADA9469188FD392400751A8FBD1F988C43BCEAFBB7DFD76466C5A22AABB

3072:bGn3BLrjOSBOpP/ySDixvvvKNy/35ENLeiaD:inJqAvKNyhENLei

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

REMCOS mutex has been found

SUSPICIOUS

Reads security settings of Internet Explorer

INFO

Checks supported languages

Process checks computer location settings

Reads the computer name

Reads security settings of Internet Explorer

Creates files in the program directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings