File name: pass 777 REMCOS v1.7 Professional.7z

Full analysis: https://app.any.run/tasks/f4ebac30-e49f-4164-9915-b72ae05de426
Verdict: Malicious activity
Threats:

Remcos is a commercially distributed remote administration and surveillance tool that has been widely observed in unauthorized deployments, where threat actors use it to perform remote actions on compromised machines. It is actively maintained by its vendor, with new versions and feature updates released on a frequent, near-monthly basis.

Analysis date: October 29, 2024, 05:03:36
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: vmprotect, remcos, fsg

Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 693B32731934F4F42946E5E1BE1EFD0F
SHA1: 44E5A39F928E8119DEBB3763FBAA9200862E961E
SHA256: 5816FFAD0307E947580E8B61BC3B7A3FEEDD945F00B7CCFAE56BA8564832C57A
SSDEEP: 196608:L9tYskxWGqOHlFLE8Ef+fBFIT7As2qgrQiWyLWaVwOUZzDFfCnwUapgqnwrk0:ptYs0WGqO/Q8dfBFSkzTUiWyxmZv1gaY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was injected by another process
      • explorer.exe (PID: 4616)
    • REMCOS has been detected (YARA)
      • remcos.exe (PID: 4144)
      • Reg.exe (PID: 5596)
    • Runs injected code in another process
      • remcos.exe (PID: 4144)
  • SUSPICIOUS
    • Write to the desktop.ini file (may be used to cloak folders)
      • WinRAR.exe (PID: 6680)
    • Executable content was dropped or overwritten
      • remcos.exe (PID: 4144)
      • Backdoor.exe (PID: 2196)
    • Reads security settings of Internet Explorer
      • remcos.exe (PID: 4144)
    • Starts CMD.EXE for commands execution
      • Backdoor.exe (PID: 2196)
    • Executing commands from a ".bat" file
      • Backdoor.exe (PID: 2196)
    • Runs PING.EXE to delay simulation
      • cmd.exe (PID: 2708)
  • INFO
    • The process uses the downloaded file
      • explorer.exe (PID: 4616)
      • WinRAR.exe (PID: 6680)
    • Reads security settings of Internet Explorer
      • explorer.exe (PID: 4616)
    • Checks supported languages
      • Remcos Loader.exe (PID: 6208)
      • remcos.exe (PID: 4144)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 6680)
    • Manual execution by a user
      • Remcos Loader.exe (PID: 6208)
      • Backdoor.exe (PID: 2196)
      • Backdoor.exe (PID: 6900)
    • VMProtect protector has been detected
      • Remcos Loader.exe (PID: 6208)
    • Reads the computer name
      • remcos.exe (PID: 4144)
      • Remcos Loader.exe (PID: 6208)
    • FSG packer has been detected
      • remcos.exe (PID: 4144)
    • Checks proxy server information
      • remcos.exe (PID: 4144)

Remcos configuration

Extracted from: Reg.exe (PID: 5596)
C2 (1): 127.0.0.1:2404
Botnet: Host
Options:
Connect_interval: 5
Install_flag: True
Install_HKCU\Run: True
Install_HKLM\Run: True
Install_HKLM\Explorer\Run: True
Install_HKLM\Winlogon\Shell: True
Install_HKLM\Winlogon\Userinit: True
Setup_path: System32
Copy_file: Reg.exe
Startup_value: remcos
Hide_file: True
Mutex_name: remcos_vpulujycql
Keylog_flag: 0
Keylog_path: %APPDATA%
Keylog_file: logs.dat
Keylog_crypt: False
Hide_keylog: False
Screenshot_flag: False
Screenshot_time: 5
Take_Screenshot: False
Screenshot_path: %APPDATA%
Screenshot_file: Screens
Screenshot_crypt: False
Mouse_option: False
Delete_file: False
Audio_record_time: 5
Audio_path: %APPDATA%
Audio_dir: audio
Connect_delay: 0
Copy_dir: config
Keylog_dir: remcos

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
ModifyDate: 2020:02:09 09:38:02+00:00
ArchivedFileName: REMCOS v1.7 Professional
Total processes: 142
Monitored processes: 16
Malicious processes: 6
Suspicious processes: 0

Behavior graph

Process nodes in the graph, in order ("no specs" marks a process without its own signatures; THREAT and #REMCOS are the graph's own markers):
  • winrar.exe
  • rundll32.exe (no specs)
  • THREAT remcos loader.exe (no specs)
  • THREAT remcos.exe
  • backdoor.exe (no specs)
  • eventvwr.exe (no specs)
  • eventvwr.exe
  • mmc.exe (no specs)
  • mmc.exe (no specs)
  • backdoor.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • ping.exe (no specs)
  • #REMCOS reg.exe (no specs)
  • iexplore.exe (no specs)
  • explorer.exe

Process information

PID: 1156
CMD: "C:\Windows\SysWOW64\eventvwr.exe"
Path: C:\Windows\SysWOW64\eventvwr.exe
Parent process: Backdoor.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Event Viewer Snapin Launcher
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 1432
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 1588
CMD: PING 127.0.0.1 -n 2
Path: C:\Windows\SysWOW64\PING.EXE
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: TCP/IP Ping Command
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 2140
CMD: "C:\Windows\SysWOW64\eventvwr.exe"
Path: C:\Windows\SysWOW64\eventvwr.exe
Parent process: Backdoor.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Event Viewer Snapin Launcher
Exit code: 3221226540
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 2196
CMD: "C:\Users\admin\Desktop\Backdoor.exe"
Path: C:\Users\admin\Desktop\Backdoor.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 2708
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\install.bat" "
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: Backdoor.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)

PID: 3648
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

PID: 4144
CMD: "C:\Users\admin\Desktop\REMCOS v1.7 Professional\remcos.exe"
Path: C:\Users\admin\Desktop\REMCOS v1.7 Professional\remcos.exe
Parent process: Remcos Loader.exe
User: admin
Company: Breaking-Security.net
Integrity Level: MEDIUM
Description: REMCOS Remote Control & Surveillance
Version: 1.7.0.0
Modules (images):
c:\users\admin\desktop\remcos v1.7 professional\remcos.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

PID: 4432
CMD: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Parent process: Reg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Internet Explorer
Version: 11.00.19041.1 (WinBuild.160101.0800)

PID: 4616
CMD: C:\WINDOWS\Explorer.EXE
Path: C:\Windows\explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
Total events: 10 017
Read events: 9 944
Write events: 69
Delete events: 4

Modification events

Process: explorer.exe (PID: 4616)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000602E8
Operation: write
Name: VirtualDesktop
Value: 100000003030445671D90A7D3588864C9F3CEA9EBAB7B4A7

Process: WinRAR.exe (PID: 6680)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip

Process: WinRAR.exe (PID: 6680)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\pass 777 REMCOS v1.7 Professional.7z

Process: WinRAR.exe (PID: 6680)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: WinRAR.exe (PID: 6680)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: WinRAR.exe (PID: 6680)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: WinRAR.exe (PID: 6680)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: WinRAR.exe (PID: 6680)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

Process: explorer.exe (PID: 4616)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation: write
Name: IconLayouts
Value: (not available)

Process: explorer.exe (PID: 4616)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation: write
Name: IconNameVersion
Value: 1
Executable files: 8
Suspicious files: 4
Text files: 9
Unknown types: 0

Dropped files

PID: 4144 (remcos.exe)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\OnlineCheck_MT[1].htm
Type: text
MD5: 442D4F5216CD9DA1FD121655A23E8843
SHA256: 0A3706B1424059F3F718B8FBAA2DD145EA0FD1F8D950744CA78C7B32D2DFA4A8

PID: 4144 (remcos.exe)
Filename: C:\Users\admin\Desktop\RCX12B2.tmp
Type: executable
MD5: 7A7BD97BFA002CBD0D7FDE28B6E04101
SHA256: BD3F84D33F07DC0A4D558BE5F348378246AD9C6CA008A7F20D7DDE3B91A25956

PID: 6680 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb6680.4247\REMCOS v1.7 Professional\Remcos Loader.exe
Type: executable
MD5: 75792B5B38EDD028D13EEF62C0D828E6
SHA256: B7F82678830C34DB745A16D5551386F15FF28FDA563F10C6903F6471A58E243E

PID: 6680 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb6680.4247\REMCOS v1.7 Professional\REMCOSAuthHooks.dll
Type: executable
MD5: A329F92AD3B9311AF3130DBDE81155CE
SHA256: D695A2EE6FCAE64F4D8C4387A0A4C4AAE05D08CE44A52598984673B890D02F27

PID: 4144 (remcos.exe)
Filename: C:\Users\admin\Desktop\Backdoor.exe
Type: executable
MD5: C9E54162155068559973AEFA62A7E6C4
SHA256: B88F895FCFF3F5939807E26A04D7E8B5FEEA2BB0E8314AE598A3B2DE0A2140C7

PID: 4144 (remcos.exe)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\gettime[1].htm
Type: text
MD5: D19021C3E24FFF276CE831D27901DB2B
SHA256: A51CE6D2543445BDA96479C74113F63C5FBA8C1DF87B0628D983683CB8970F82

PID: 6680 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb6680.4247\REMCOS v1.7 Professional\remcos.exe
Type: executable
MD5: ED1E424EA6F625968A334377E8AC629F
SHA256: 1E5375B400F68C422804703390489B2CF3968C2A8BCCB0B5B3C55FE1D2E3C991

PID: 6428 (mmc.exe)
Filename: C:\Users\admin\AppData\Local\Microsoft\Event Viewer\Settings.Xml
Type: text
MD5: 884320A9B8F018F309F5A96107133F89
SHA256: 50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64

PID: 4144 (remcos.exe)
Filename: C:\Users\admin\Desktop\REMCOS v1.7 Professional\Remcos_Settings.ini
Type: text
MD5: 902927C48D191E30067D84A53158E2BA
SHA256: B408602C7D2107D819B18D47CBC196A307AB6435BBC819173F300E76573E616C

PID: 4616 (explorer.exe)
Filename: C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
Type: binary
MD5: E49C56350AEDF784BFE00E444B879672
SHA256: A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E
HTTP(S) requests: 10
TCP/UDP connections: 44
DNS requests: 22
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
- | - | GET | 200 | 23.216.77.25:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 200 | 23.216.77.25:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4360 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
6384 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6268 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
6268 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
- | - | GET | 200 | 178.237.33.50:80 | http://www.geoplugin.net/json.gp?ip=127.0.0.1 | unknown | whitelisted
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6244 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
(The Type and Size columns are empty for every row in the report; "-" marks a PID or process name the report does not give.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5488 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 23.216.77.25:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4360 | SearchApp.exe | 104.126.37.185:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4360 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
6384 | svchost.exe | 20.190.159.2:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6384 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
("-" marks a cell the report leaves empty.)

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.216.77.25
  • 23.216.77.36
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 142.250.186.46
whitelisted
www.bing.com
  • 104.126.37.185
  • 104.126.37.171
  • 104.126.37.130
  • 104.126.37.178
  • 104.126.37.177
  • 104.126.37.137
  • 104.126.37.179
  • 104.126.37.136
  • 104.126.37.128
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.2
  • 40.126.31.67
  • 20.190.159.71
  • 20.190.159.73
  • 40.126.31.69
  • 20.190.159.0
  • 40.126.31.73
  • 40.126.31.71
whitelisted
th.bing.com
  • 104.126.37.139
  • 104.126.37.161
  • 104.126.37.144
  • 104.126.37.155
  • 104.126.37.147
  • 104.126.37.162
  • 104.126.37.146
  • 104.126.37.153
  • 104.126.37.145
whitelisted
go.microsoft.com
  • 184.30.17.189
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted

Threats

1 ETPRO signature available in the full report
No debug info