| File name: | Remcos_vilnius.zip |
| Full analysis: | https://app.any.run/tasks/9dca42ca-0ff2-4347-9bdd-04085e1b249f |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | November 29, 2023, 15:57:14 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | 3E26A7C2F47D773A464E665E3C28B65C |
| SHA1: | 9AFB0392B4E44553D1E0BBB48AE166348CE91171 |
| SHA256: | 8B8DCFCBE24B3AE3EC17F1FCF5AFD80E57F292AB69297405793B9C4F22910CA2 |
| SSDEEP: | 768:sRZ8+FaoD1r/L/YIHRuDEx+K3FKcC6xGbKcgjAr8+uXtC3/ujjqak:T+N1r/ZRJacC6UaDdCaeZ |
MALICIOUS
Drops the executable file immediately after the start
- EQNEDT32.EXE (PID: 3268)
- wlanext.exe (PID: 3596)
Suspicious connection from the Equation Editor
- EQNEDT32.EXE (PID: 3268)
Connection from MS Office application
- WINWORD.EXE (PID: 3312)
Equation Editor starts application (CVE-2017-11882)
- EQNEDT32.EXE (PID: 3268)
REMCOS has been detected (SURICATA)
- wlanext.exe (PID: 3888)
REMCOS has been detected (YARA)
- wlanext.exe (PID: 3888)
SUSPICIOUS
Application launched itself
- WINWORD.EXE (PID: 3312)
- wlanext.exe (PID: 3596)
Connects to the server without a host name
- EQNEDT32.EXE (PID: 3268)
- WINWORD.EXE (PID: 3312)
Process requests binary or script from the Internet
- EQNEDT32.EXE (PID: 3268)
Connects to unusual port
- wlanext.exe (PID: 3888)
Reads the Internet Settings
- wlanext.exe (PID: 3888)
- EQNEDT32.EXE (PID: 3268)
INFO
Manual execution by a user
- OUTLOOK.EXE (PID: 2460)
- WINWORD.EXE (PID: 3312)
- wmpnscfg.exe (PID: 3304)
The process uses the downloaded file
- OUTLOOK.EXE (PID: 2460)
Creates files or folders in the user directory
- EQNEDT32.EXE (PID: 3268)
- wlanext.exe (PID: 3596)
- wlanext.exe (PID: 3888)
Checks proxy server information
- EQNEDT32.EXE (PID: 3268)
- wlanext.exe (PID: 3888)
Checks supported languages
- wmpnscfg.exe (PID: 3304)
- wlanext.exe (PID: 3888)
- wlanext.exe (PID: 3596)
- EQNEDT32.EXE (PID: 3268)
Reads the machine GUID from the registry
- wmpnscfg.exe (PID: 3304)
- wlanext.exe (PID: 3596)
- wlanext.exe (PID: 3888)
- EQNEDT32.EXE (PID: 3268)
Reads the computer name
- wmpnscfg.exe (PID: 3304)
- wlanext.exe (PID: 3596)
- wlanext.exe (PID: 3888)
- EQNEDT32.EXE (PID: 3268)
Reads Environment values
- wlanext.exe (PID: 3888)
Reads product name
- wlanext.exe (PID: 3888)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Remcos
(PID) Process(3888) wlanext.exe
C2 (1)top.noforabusers1.xyz:2090
BotnetRemoteHost
Options
Connect_interval1
Install_flagFalse
Install_HKCU\RunTrue
Install_HKLM\RunTrue
Install_HKLM\Explorer\Run1
Install_HKLM\Winlogon\Shell100000
Setup_path%LOCALAPPDATA%
Copy_fileremcos.exe
Startup_valueFalse
Hide_fileFalse
Mutex_nameRmc-1IWDHQ
Keylog_flag0
Keylog_path%LOCALAPPDATA%
Keylog_filelogs.dat
Keylog_cryptFalse
Hide_keylogFalse
Screenshot_flagFalse
Screenshot_time5
Take_ScreenshotFalse
Screenshot_path%APPDATA%
Screenshot_fileScreenshots
Screenshot_cryptFalse
Mouse_optionFalse
Delete_fileFalse
Audio_record_time5
Audio_path%ProgramFiles%
Audio_dirMicRecords
Connect_delay0
Copy_dirRemcos
Keylog_dirremcos
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | 0x0009 |
| ZipCompression: | Deflated |
| ZipModifyDate: | 1980:00:00 00:00:00 |
| ZipCRC: | 0x8e1693df |
| ZipCompressedSize: | 29624 |
| ZipUncompressedSize: | 47699 |
| ZipFileName: | 3e321dfbfb2d7df47ac47be5dab31bc1906b35752f5a0cd184e1480e6fcf8192 |
Total processes
53
Monitored processes
9
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2460 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\Desktop\3e321dfbfb2d7df47ac47be5dab31bc1906b35752f5a0cd184e1480e6fcf8192.eml" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Exit code: 0 Version: 14.0.6025.1000 Modules
| |||||||||||||||
| 2708 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Remcos_vilnius.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 3112 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | OUTLOOK.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 3268 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | ||||||||||||
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 Modules
| |||||||||||||||
| 3304 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3312 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Bernina order list.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 3596 | "C:\Users\admin\AppData\Roaming\wlanext.exe" | C:\Users\admin\AppData\Roaming\wlanext.exe | — | EQNEDT32.EXE | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 3624 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 3888 | C:\Users\admin\AppData\Roaming\wlanext.exe | C:\Users\admin\AppData\Roaming\wlanext.exe | wlanext.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 1.0.0.0 Modules
Remcos(PID) Process(3888) wlanext.exe C2 (1)top.noforabusers1.xyz:2090 BotnetRemoteHost Options Connect_interval1 Install_flagFalse Install_HKCU\RunTrue Install_HKLM\RunTrue Install_HKLM\Explorer\Run1 Install_HKLM\Winlogon\Shell100000 Setup_path%LOCALAPPDATA% Copy_fileremcos.exe Startup_valueFalse Hide_fileFalse Mutex_nameRmc-1IWDHQ Keylog_flag0 Keylog_path%LOCALAPPDATA% Keylog_filelogs.dat Keylog_cryptFalse Hide_keylogFalse Screenshot_flagFalse Screenshot_time5 Take_ScreenshotFalse Screenshot_path%APPDATA% Screenshot_fileScreenshots Screenshot_cryptFalse Mouse_optionFalse Delete_fileFalse Audio_record_time5 Audio_path%ProgramFiles% Audio_dirMicRecords Connect_delay0 Copy_dirRemcos Keylog_dirremcos | |||||||||||||||
Total events
18 280
Read events
17 159
Write events
923
Delete events
198
Modification events
| (PID) Process: | (2708) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2708) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (2708) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (2708) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (2708) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (2708) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (2708) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (2708) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (2708) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin |
| Operation: | write | Name: | Placement |
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000 | |||
| (PID) Process: | (2708) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\General |
| Operation: | write | Name: | LastFolder |
Value: C:\Users\admin\Desktop | |||
Executable files
4
Suspicious files
40
Text files
15
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2460 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR3B1C.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2460 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | |
MD5:— | SHA256:— | |||
| 2460 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inf | text | |
MD5:F3B25701FE362EC84616A93A45CE9998 | SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209 | |||
| 3312 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8DFF.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2460 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\OICE_A2DCD9F9-AE43-413D-96E2-468B7103DCFC.0\C4627A4F.docx:Zone.Identifier:$DATA | text | |
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B | SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913 | |||
| 2460 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\L34W8Y4D\Bernina order list (2).docx | document | |
MD5:21E2B2210BE245A60B513046F923FC46 | SHA256:8FE98AE573432EC9F94B3AD6ED10BEF5F3A5308751842C3A5F8F4FCD1786028B | |||
| 2460 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\L34W8Y4D\Bernina order list.docx:Zone.Identifier | text | |
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B | SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913 | |||
| 2460 | OUTLOOK.EXE | C:\Users\admin\Desktop\Bernina order list.docx | document | |
MD5:21E2B2210BE245A60B513046F923FC46 | SHA256:8FE98AE573432EC9F94B3AD6ED10BEF5F3A5308751842C3A5F8F4FCD1786028B | |||
| 2460 | OUTLOOK.EXE | C:\Users\admin\Desktop\Bernina order list.docx:Zone.Identifier:$DATA | text | |
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B | SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913 | |||
| 2460 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F49C44F2-8210-4EC7-AA99-1176B81B7871}.tmp | binary | |
MD5:E4255289F8585A1D975265791C52B8E1 | SHA256:9CB35638ED49E73205F5F875746F0CF79FCD0B588EE71C530B73C102F9B54D04 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
17
TCP/UDP connections
24
DNS requests
10
Threats
23
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3312 | WINWORD.EXE | OPTIONS | 301 | 104.21.48.17:80 | http://tyny.to/ | unknown | — | — | unknown |
3312 | WINWORD.EXE | HEAD | 301 | 104.21.48.17:80 | http://tyny.to/s815d5 | unknown | — | — | unknown |
828 | svchost.exe | OPTIONS | 301 | 104.21.48.17:80 | http://tyny.to/ | unknown | — | — | unknown |
3312 | WINWORD.EXE | GET | 301 | 104.21.48.17:80 | http://tyny.to/s815d5 | unknown | — | — | unknown |
3312 | WINWORD.EXE | GET | 200 | 95.140.236.0:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?47815543b7aa7773 | unknown | compressed | 4.66 Kb | unknown |
3312 | WINWORD.EXE | GET | 200 | 142.250.185.67:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | unknown | binary | 1.41 Kb | unknown |
3312 | WINWORD.EXE | GET | 200 | 142.250.185.67:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFCjJ1PwkYAi7fE%3D | unknown | binary | 724 b | unknown |
1080 | svchost.exe | GET | 304 | 95.140.236.0:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8c278ce706dba7cc | unknown | — | — | unknown |
3312 | WINWORD.EXE | HEAD | 301 | 104.21.48.17:80 | http://tyny.to/s815d5 | unknown | — | — | unknown |
3312 | WINWORD.EXE | GET | 200 | 3.145.88.189:80 | http://3.145.88.189/www/MicrosoftEdgewantotdeleteentirehistorychachecookiefromthepctoclean.doc | unknown | text | 60.3 Kb | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2460 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
3312 | WINWORD.EXE | 104.21.48.17:80 | tyny.to | CLOUDFLARENET | — | unknown |
3312 | WINWORD.EXE | 104.21.48.17:443 | tyny.to | CLOUDFLARENET | — | unknown |
828 | svchost.exe | 104.21.48.17:80 | tyny.to | CLOUDFLARENET | — | unknown |
828 | svchost.exe | 104.21.48.17:443 | tyny.to | CLOUDFLARENET | — | unknown |
3312 | WINWORD.EXE | 95.140.236.0:80 | ctldl.windowsupdate.com | LLNW | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
config.messenger.msn.com |
| whitelisted |
dns.msftncsi.com |
| shared |
tyny.to |
| malicious |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.pki.goog |
| whitelisted |
top.noforabusers1.xyz |
| malicious |
geoplugin.net |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1080 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .to TLD |
3312 | WINWORD.EXE | Misc activity | ET USER_AGENTS Microsoft Office Existence Discovery User-Agent |
3312 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request |
3312 | WINWORD.EXE | Potentially Bad Traffic | ET HUNTING Microsoft Office User-Agent Requesting A Doc File |
3312 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Possible RTF File With Obfuscated Version Header |
3312 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request |
3268 | EQNEDT32.EXE | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
3268 | EQNEDT32.EXE | A Network Trojan was detected | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |
3268 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3268 | EQNEDT32.EXE | A Network Trojan was detected | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 |
4 ETPRO signatures available at the full report