File name:

Backdoor.exe

Full analysis: https://app.any.run/tasks/37999c1f-5580-4da4-94a3-6dce7067d1f1
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: September 30, 2024, 19:30:24
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
rat
remcos
Indicators:
MIME: application/x-dosexec
File info: MS-DOS executable PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, MZ for MS-DOS
MD5:

719462CE5560C1CB249DEE9564A1F34C

SHA1:

B5A9519184036CDA5756518E64DECFAAD60A2441

SHA256:

4A3338704AD09413D9FD5B62CF4181D87A4707A018232F3F63AF922125BB262C

SSDEEP:

768:hFa2klu2GgzTBedNcIiLe5cwfRC3yMaJU5tfj/AXGzk+LG:HXvCz1OcheVf7VUfkck+LG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • REMCOS has been detected

      • Backdoor.exe (PID: 6412)
      • remcos.exe (PID: 2468)
      • remcos.exe (PID: 2468)

    • Changes the autorun value in the registry

      • Backdoor.exe (PID: 6412)
      • remcos.exe (PID: 2468)

    • REMCOS has been detected (SURICATA)

      • remcos.exe (PID: 2468)

    • REMCOS has been detected (YARA)

      • remcos.exe (PID: 2468)

    • Connects to the CnC server

      • remcos.exe (PID: 2468)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Backdoor.exe (PID: 6412)

    • Executing commands from a ".bat" file

      • Backdoor.exe (PID: 6412)

    • Reads security settings of Internet Explorer

      • Backdoor.exe (PID: 6412)

    • Starts CMD.EXE for commands execution

      • Backdoor.exe (PID: 6412)

    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 3188)

    • The executable file from the user directory is run by the CMD process

      • remcos.exe (PID: 2468)

    • Contacting a server suspected of hosting an CnC

      • remcos.exe (PID: 2468)

    • Connects to unusual port

      • remcos.exe (PID: 2468)

  • INFO

    • Creates files or folders in the user directory

      • Backdoor.exe (PID: 6412)
      • remcos.exe (PID: 2468)

    • Checks supported languages

      • Backdoor.exe (PID: 6412)
      • remcos.exe (PID: 2468)

    • Reads the computer name

      • Backdoor.exe (PID: 6412)
      • remcos.exe (PID: 2468)

    • Create files in a temporary directory

      • Backdoor.exe (PID: 6412)

    • Process checks computer location settings

      • Backdoor.exe (PID: 6412)

    • The process uses the downloaded file

      • Backdoor.exe (PID: 6412)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:01:05 19:50:13+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 61440
InitializedDataSize: 28672
UninitializedDataSize: -
EntryPoint: 0x172ec
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
119
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #REMCOS backdoor.exe cmd.exe no specs conhost.exe no specs ping.exe no specs #REMCOS remcos.exe

Process information

PID
CMD
Path
Indicators
Parent process
2468"C:\Users\admin\AppData\Roaming\remcos\remcos.exe" C:\Users\admin\AppData\Roaming\remcos\remcos.exe
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\roaming\remcos\remcos.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
3188C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\install.bat" "C:\Windows\SysWOW64\cmd.exeBackdoor.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
4236PING 127.0.0.1 -n 2 C:\Windows\SysWOW64\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
4492\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6412"C:\Users\admin\Desktop\Backdoor.exe" C:\Users\admin\Desktop\Backdoor.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\backdoor.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
646
Read events
641
Write events
5
Delete events
0

Modification events

(PID) Process:(6412) Backdoor.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:remcos
Value:
"C:\Users\admin\AppData\Roaming\remcos\remcos.exe"
(PID) Process:(6412) Backdoor.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:remcos
Value:
"C:\Users\admin\AppData\Roaming\remcos\remcos.exe"
(PID) Process:(2468) remcos.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:remcos
Value:
"C:\Users\admin\AppData\Roaming\remcos\remcos.exe"
(PID) Process:(2468) remcos.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:remcos
Value:
"C:\Users\admin\AppData\Roaming\remcos\remcos.exe"
(PID) Process:(2468) remcos.exeKey:HKEY_CURRENT_USER\SOFTWARE\remcos_bzblukwtnxokphw
Operation:writeName:EXEpath
Value:
NšÅ8ç BWêÈïSµ^ÌyÇŽ·#?“Lù×òòâÈûäúÑlÝÝËS+¼Ý"
Executable files
1
Suspicious files
0
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
6412Backdoor.exeC:\Users\admin\AppData\Local\Temp\install.battext
MD5:4BE8E47D35A08B8B6AD69312F7B4E077
SHA256:428B8E9AF103691C24E02AA1F514D45763C29FD1F83EA77DAB7DEF653545FB60
6412Backdoor.exeC:\Users\admin\AppData\Roaming\remcos\remcos.exeexecutable
MD5:719462CE5560C1CB249DEE9564A1F34C
SHA256:4A3338704AD09413D9FD5B62CF4181D87A4707A018232F3F63AF922125BB262C
2468remcos.exeC:\Users\admin\AppData\Roaming\remcos\logs.dattext
MD5:89B5667E995FBEB88EDDA0BAC2FD47C4
SHA256:EE321AE724EA998CADB15526D3573191C892653D28A8AA7DE43413AE2DCE5E79
2468remcos.exeC:\Users\admin\AppData\Roaming\Screens\1.pngimage
MD5:1C3D24CFF8F3D5C28F8AC382DEEAFA6F
SHA256:7449AE72FE36850E504B062B40945CCB981D5E6C63A6E19C7F06AF0C3252C538
2468remcos.exeC:\Users\admin\AppData\Roaming\Screens\2.pngimage
MD5:456E6F9A9749FE2DBA47E084FEDFE4DA
SHA256:A4EDB132A7F3950CC5E327D3631A6827BE6696E1473118CF998FA0783445A9DB
2468remcos.exeC:\Users\admin\AppData\Roaming\Screens\0.pngimage
MD5:F39566D90F6DCCADFBA9D961704FDE35
SHA256:4993F7C2911425180CF39A377BCB3A27D56EA4A80342D63C7F6C73285C9E1A62
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
30
DNS requests
6
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3924
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
3924
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
2468
remcos.exe
74.215.232.65:2404
FUSE-NET
US
malicious
3924
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 172.217.18.110
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted

Threats

PID
Process
Class
Message
Malware Command and Control Activity Detected
ET MALWARE Remcos RAT Checkin 23
Malware Command and Control Activity Detected
ET MALWARE Remcos RAT Checkin 23
Malware Command and Control Activity Detected
ET MALWARE Remcos RAT Checkin 23
Malware Command and Control Activity Detected
ET MALWARE Remcos RAT Checkin 23
4 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Backdoor.exe