File name: Backdoor.exe
Full analysis: https://app.any.run/tasks/b237f269-a741-44e1-bfe0-4e1b27fa9faa
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that gives attackers partial or complete control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activity on compromised systems. Common RAT features include access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: May 11, 2024, 01:41:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, remcos, remote
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 2BC86FE5EA8CECD9BD2F78362446E848
SHA1: AA373F4456935D242EE83004FDF3A2398B129C87
SHA256: 972E30E8C07472FAAB006935ACC3C6E1C09B0815BB259C023703FAABE4F04304
SSDEEP: 3072:UGn3BLrjOSBOpP/ySDixvvvKNy/35ENLeQJ:TnJqAvKNyhENLeQJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • REMCOS has been detected
      • Backdoor.exe (PID: 3976)
      • remcos.exe (PID: 2072)
    • Drops the executable file immediately after the start
      • Backdoor.exe (PID: 3976)
    • Changes the autorun value in the registry
      • Backdoor.exe (PID: 3976)
      • remcos.exe (PID: 2072)
    • Connects to the CnC server
      • remcos.exe (PID: 2072)
    • REMCOS has been detected (SURICATA)
      • remcos.exe (PID: 2072)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • Backdoor.exe (PID: 3976)
    • Runs PING.EXE to delay simulation
      • cmd.exe (PID: 4004)
    • Executing commands from a ".bat" file
      • Backdoor.exe (PID: 3976)
      • remcos.exe (PID: 2072)
    • Starts CMD.EXE for command execution
      • Backdoor.exe (PID: 3976)
      • remcos.exe (PID: 2072)
    • Reads security settings of Internet Explorer
      • Backdoor.exe (PID: 3976)
      • remcos.exe (PID: 2072)
    • Reads the Internet Settings
      • Backdoor.exe (PID: 3976)
      • remcos.exe (PID: 2072)
    • The executable file from the user directory is run by the CMD process
      • remcos.exe (PID: 2072)
    • Contacting a server suspected of hosting a CnC
      • remcos.exe (PID: 2072)
    • Connects to unusual port
      • remcos.exe (PID: 2072)
  • INFO
    • Checks supported languages
      • Backdoor.exe (PID: 3976)
      • remcos.exe (PID: 2072)
      • wmpnscfg.exe (PID: 1116)
    • Reads product name
      • Backdoor.exe (PID: 3976)
      • remcos.exe (PID: 2072)
    • Reads the computer name
      • Backdoor.exe (PID: 3976)
      • wmpnscfg.exe (PID: 1116)
      • remcos.exe (PID: 2072)
    • Creates files in a temporary directory
      • Backdoor.exe (PID: 3976)
      • remcos.exe (PID: 2072)
    • Reads Environment values
      • Backdoor.exe (PID: 3976)
      • remcos.exe (PID: 2072)
    • Creates files or folders in the user directory
      • Backdoor.exe (PID: 3976)
      • remcos.exe (PID: 2072)
    • Manual execution by a user
      • wmpnscfg.exe (PID: 1116)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35.8)
.exe | Win64 Executable (generic) (31.7)
.scr | Windows screen saver (15)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:01:05 19:50:13+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 61440
InitializedDataSize: 28672
UninitializedDataSize: -
EntryPoint: 0xfd88
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 41
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph (process tree; parent relationships taken from the process information below)

  • start
    • Backdoor.exe (#REMCOS)
      • cmd.exe (no specs)
        • ping.exe (no specs)
        • remcos.exe (#REMCOS)
          • cmd.exe (no specs)
    • wmpnscfg.exe (no specs)

Process information

PID | CMD | Path | Parent process

1116 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1588 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\uninstall.bat" " | C:\Windows\System32\cmd.exe | remcos.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2072 | "C:\Users\admin\AppData\Roaming\remcos\remcos.exe" | C:\Users\admin\AppData\Roaming\remcos\remcos.exe | cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\roaming\remcos\remcos.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3976 | "C:\Users\admin\Desktop\Backdoor.exe" | C:\Users\admin\Desktop\Backdoor.exe | explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\backdoor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
4004 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\install.bat" " | C:\Windows\System32\cmd.exe | Backdoor.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
4032 | PING 127.0.0.1 -n 2 | C:\Windows\System32\PING.EXE | cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Ping Command
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
Total events: 5 799
Read events: 5 778
Write events: 19
Delete events: 2

Modification events

(PID) Process: (3976) Backdoor.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: remcos
Value: "C:\Users\admin\AppData\Roaming\remcos\remcos.exe"

(PID) Process: (3976) Backdoor.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (3976) Backdoor.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (3976) Backdoor.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (3976) Backdoor.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (2072) remcos.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: remcos
Value: "C:\Users\admin\AppData\Roaming\remcos\remcos.exe"

(PID) Process: (2072) remcos.exe
Key: HKEY_CURRENT_USER\Software\remcos_ttusunpexyvclxg
Operation: write
Name: EXEpath
Value (binary, shown as rendered by the sandbox): e.gÆïò…»ø.õˆL§ÓÂòëгw菞sϳhìËæóٍÞú‘o+ù

(PID) Process: (2072) remcos.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: remcos
Value: "C:\Users\admin\AppData\Roaming\remcos\remcos.exe"

(PID) Process: (2072) remcos.exe
Key: HKEY_CURRENT_USER\Software\remcos_ttusunpexyvclxg
Operation: delete key
Name: (default)
Value: (none)

(PID) Process: (2072) remcos.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
Executable files: 1
Suspicious files: 0
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3976 | Backdoor.exe | C:\Users\admin\AppData\Local\Temp\install.bat | text
MD5: 4BE8E47D35A08B8B6AD69312F7B4E077
SHA256: 428B8E9AF103691C24E02AA1F514D45763C29FD1F83EA77DAB7DEF653545FB60

3976 | Backdoor.exe | C:\Users\admin\AppData\Roaming\remcos\remcos.exe | executable
MD5: 2BC86FE5EA8CECD9BD2F78362446E848
SHA256: 972E30E8C07472FAAB006935ACC3C6E1C09B0815BB259C023703FAABE4F04304

2072 | remcos.exe | C:\Users\admin\AppData\Roaming\remcos\logs.dat | text
MD5: F2C2F3C56C730538E44F428FC90F4BE5
SHA256: 11876AD66BAE4825B7CA91B09584EDDE38D15140413BE1CD5799145E2AB922FD

2072 | remcos.exe | C:\Users\admin\AppData\Local\Temp\uninstall.bat | text
MD5: 47C083A3715E9D955C667002AC2E246A
SHA256: 9C6A011FA96007BB5A24F407959DB3E4DD40EF082F43A403EC212C842FE874B3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 7
DNS requests: 1
Threats: 37

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | unknown
1088 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
2072 | remcos.exe | 3.134.125.175:11830 | 0.tcp.ngrok.io | AMAZON-02 | US | malicious

DNS requests

Domain | IP | Reputation
0.tcp.ngrok.io | 3.134.125.175 | shared

Threats

PID | Process | Class | Message
1088 | svchost.exe | Misc activity | ET INFO DNS Query to a *.ngrok domain (ngrok.io)
2072 | remcos.exe | Malware Command and Control Activity Detected | ET MALWARE Remcos RAT Checkin 23
2072 | remcos.exe | A Network Trojan was detected | REMOTE [ANY.RUN] Remcos Successful Connection
2072 | remcos.exe | Malware Command and Control Activity Detected | ET MALWARE Remcos RAT Checkin 23
2072 | remcos.exe | Malware Command and Control Activity Detected | ET MALWARE Remcos RAT Checkin 23
2072 | remcos.exe | Malware Command and Control Activity Detected | ET MALWARE Remcos RAT Checkin 23
31 ETPRO signatures available at the full report
No debug info