analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

4b98d2919533ab614a7571aa0ef7c80fc177218bb778524fde3bf6f72b0d7b08.js

Full analysis: https://app.any.run/tasks/7ab7d7ee-8574-401a-b3c8-262a3fc240cc
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.

Malware Trends Tracker     >>>
Analysis date: August 01, 2022, 10:32:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
keylogger
rat
remcos
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with no line terminators
MD5:

AD27BE427DD7F922143E57FD1FA64F98

SHA1:

9D04EB7712599DB741E8E85D9F4339219B991E6A

SHA256:

4B98D2919533AB614A7571AA0EF7C80FC177218BB778524FDE3BF6F72B0D7B08

SSDEEP:

12288:ifY8It0lbvO1PJ9XyuRrvafaI8ieJaU4I79VXHv0aIn83IHiz0:iubAaIoUCI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops executable file immediately after starts

      • WScript.exe (PID: 2520)
      • invoice_a_202.exe (PID: 3324)

    • Changes the autorun value in the registry

      • invoice_a_202.exe (PID: 3324)
      • windowsjx.exe (PID: 3908)

    • Application was dropped or rewritten from another process

      • invoice_a_202.exe (PID: 3324)
      • windowsjx.exe (PID: 3908)

    • REMCOS was detected

      • windowsjx.exe (PID: 3908)

    • REMCOS detected by memory dumps

      • windowsjx.exe (PID: 3908)

  • SUSPICIOUS

    • Reads the computer name

      • wscript.exe (PID: 852)
      • WScript.exe (PID: 2520)
      • WScript.exe (PID: 276)
      • invoice_a_202.exe (PID: 3324)
      • windowsjx.exe (PID: 3908)

    • Checks supported languages

      • wscript.exe (PID: 852)
      • WScript.exe (PID: 2520)
      • invoice_a_202.exe (PID: 3324)
      • cmd.exe (PID: 2892)
      • WScript.exe (PID: 276)
      • windowsjx.exe (PID: 3908)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 2520)
      • invoice_a_202.exe (PID: 3324)

    • Application launched itself

      • WScript.exe (PID: 2520)

    • Writes files like Keylogger logs

      • WScript.exe (PID: 2520)
      • invoice_a_202.exe (PID: 3324)
      • windowsjx.exe (PID: 3908)

    • Reads Environment values

      • invoice_a_202.exe (PID: 3324)
      • windowsjx.exe (PID: 3908)

    • Drops a file with a compile date too recent

      • WScript.exe (PID: 2520)
      • invoice_a_202.exe (PID: 3324)

    • Creates files in the program directory

      • invoice_a_202.exe (PID: 3324)
      • windowsjx.exe (PID: 3908)

  • INFO

    • Checks Windows Trust Settings

      • WScript.exe (PID: 2520)
      • wscript.exe (PID: 852)
      • WScript.exe (PID: 276)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Remcos

(PID) Process(3908) windowsjx.exe
Hosts (1)185.157.162.75:62186
BotnetPowerPoint
Connect_interval1
Install_flagTrue
Install_HKCU\RunTrue
Install_HKLM\RunTrue
Install_HKLM\Explorer\Run1
Install_HKLM\Winlogon\ShellP1Z89AQ0B0
Setup_path%LOCALAPPDATA%
Copy_filewindowsjx.exe
Startup_valuemicrosoftjx
Hide_fileTrue
Mutex_nameRemcos-34MTRX
Keylog_flag1
Keylog_path%LOCALAPPDATA%
Keylog_filelogs.dat
Keylog_cryptFalse
Hide_keylogFalse
Screenshot_flagTrue
Screenshot_time5
Take_ScreenshotFalse
Screenshot_path%APPDATA%
Screenshot_fileScreenshots
Screenshot_cryptFalse
Mouse_optionFalse
Delete_fileFalse
Audio_record_time5
Audio_path%APPDATA%
Audio_dirMicRecords
Connect_delay0
Copy_dirRemcos
Keylog_dirremcos
Max_keylog_file100000
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
6
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start wscript.exe wscript.exe no specs invoice_a_202.exe wscript.exe no specs cmd.exe no specs #REMCOS windowsjx.exe

Process information

PID
CMD
Path
Indicators
Parent process
2520"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\4b98d2919533ab614a7571aa0ef7c80fc177218bb778524fde3bf6f72b0d7b08.js"C:\Windows\System32\WScript.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
852"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\bQiNiwTuYc.js"C:\Windows\System32\wscript.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
3324"C:\Users\admin\AppData\Local\Temp\invoice_a_202.exe" C:\Users\admin\AppData\Local\Temp\invoice_a_202.exe
WScript.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\invoice_a_202.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
276"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\install.vbs" C:\Windows\System32\WScript.exeinvoice_a_202.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2892"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\windowsjx.exe"C:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3908C:\ProgramData\Remcos\windowsjx.exeC:\ProgramData\Remcos\windowsjx.exe
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\programdata\remcos\windowsjx.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Remcos
(PID) Process(3908) windowsjx.exe
Hosts (1)185.157.162.75:62186
BotnetPowerPoint
Connect_interval1
Install_flagTrue
Install_HKCU\RunTrue
Install_HKLM\RunTrue
Install_HKLM\Explorer\Run1
Install_HKLM\Winlogon\ShellP1Z89AQ0B0
Setup_path%LOCALAPPDATA%
Copy_filewindowsjx.exe
Startup_valuemicrosoftjx
Hide_fileTrue
Mutex_nameRemcos-34MTRX
Keylog_flag1
Keylog_path%LOCALAPPDATA%
Keylog_filelogs.dat
Keylog_cryptFalse
Hide_keylogFalse
Screenshot_flagTrue
Screenshot_time5
Take_ScreenshotFalse
Screenshot_path%APPDATA%
Screenshot_fileScreenshots
Screenshot_cryptFalse
Mouse_optionFalse
Delete_fileFalse
Audio_record_time5
Audio_path%APPDATA%
Audio_dirMicRecords
Connect_delay0
Copy_dirRemcos
Keylog_dirremcos
Max_keylog_file100000
Total events
2 240
Read events
2 190
Write events
50
Delete events
0

Modification events

(PID) Process:(2520) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2520) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2520) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2520) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3324) invoice_a_202.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:microsoftjx
Value:
"C:\ProgramData\Remcos\windowsjx.exe"
(PID) Process:(3324) invoice_a_202.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:microsoftjx
Value:
"C:\ProgramData\Remcos\windowsjx.exe"
(PID) Process:(3324) invoice_a_202.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3324) invoice_a_202.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3324) invoice_a_202.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3324) invoice_a_202.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
2
Suspicious files
3
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
3908windowsjx.exeC:\Users\admin\AppData\Roaming\Screenshots\time_20220801_113241.jpgimage
MD5:684A9D15D7674075DDFF55365A559690
SHA256:D7CB84F0E2899A5D3015B06A346232F61C381799BADE3C2C7BBDF1EEBDA198F8
2520WScript.exeC:\Users\admin\AppData\Roaming\bQiNiwTuYc.jstext
MD5:794372001398B622FF579ACFAEF83033
SHA256:A2EB8EC643B32F38C67006EA8B9AB00B449546B4869DD4E43FB45FC5FBA45968
3908windowsjx.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\json[1].jsonbinary
MD5:F99A87CE1B8CE6269E7C27D2A970F099
SHA256:07E7A5A7E7F5E14AEEFB90CCF0044E94242CDF4C6471329A9018AC7C1551BAB4
3324invoice_a_202.exeC:\ProgramData\Remcos\windowsjx.exeexecutable
MD5:F9E94909637A6B6471565022188AB2BE
SHA256:8F47DBD8189DBE96BDA7511F2A37277EE9FAB8A763619D120C0FE49D953124B7
2520WScript.exeC:\Users\admin\AppData\Local\Temp\invoice_a_202.exeexecutable
MD5:F9E94909637A6B6471565022188AB2BE
SHA256:8F47DBD8189DBE96BDA7511F2A37277EE9FAB8A763619D120C0FE49D953124B7
3324invoice_a_202.exeC:\Users\admin\AppData\Local\Temp\install.vbsbinary
MD5:A709FE06DB2D825EE491B8BAC6569204
SHA256:822CBB0BEF4CA3DFF8F2AE70537A990A2C4330DB5B484F5E51282CB43ECE8E46
3908windowsjx.exeC:\ProgramData\remcos\logs.datbinary
MD5:2CD77281752C57B73F4F68F48233F1D1
SHA256:60E7FE4F4D0AB3D93FF73A745411E846D46B9896B0E9F594CA6EFE5AD95247CF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
3
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3908
windowsjx.exe
GET
200
178.237.33.50:80
http://geoplugin.net/json.gp
NL
binary
918 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3908
windowsjx.exe
185.157.162.75:62186
Obenetwork AB
SE
malicious
3908
windowsjx.exe
178.237.33.50:80
geoplugin.net
Schuberg Philis B.V.
NL
suspicious

DNS requests

Domain
IP
Reputation
geoplugin.net
  • 178.237.33.50
suspicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
4b98d2919533ab614a7571aa0ef7c80fc177218bb778524fde3bf6f72b0d7b08.js