File name: B748194FDF038A8EFE795B59C8BA2BF2.exe

Full analysis: https://app.any.run/tasks/a1e03fed-d99f-4ff3-801f-710412764411
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete or partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users' data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: March 25, 2025, 01:37:28
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: rat, remcos
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: B748194FDF038A8EFE795B59C8BA2BF2
SHA1: E160874F47157347A216EF3B8A7927A92753E130
SHA256: B99FBCD991D810359CE4033ADFA803E2AC70C14ABBA0DB02CE689214ED36AB04
SSDEEP: 12288:8ucEko68OD9XdZ3JiY0meNN2od7bQc1kcnB6ZYxpWVVVVVVVVVVVVVVVVVP67:Qo6869wMENXbFt6Zkp0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • REMCOS mutex has been found

      • B748194FDF038A8EFE795B59C8BA2BF2.exe (PID: 7396)
    • Connects to the CnC server

      • B748194FDF038A8EFE795B59C8BA2BF2.exe (PID: 7396)
    • REMCOS has been detected

      • B748194FDF038A8EFE795B59C8BA2BF2.exe (PID: 7396)
    • REMCOS has been detected (SURICATA)

      • B748194FDF038A8EFE795B59C8BA2BF2.exe (PID: 7396)
    • REMCOS has been detected (YARA)

      • B748194FDF038A8EFE795B59C8BA2BF2.exe (PID: 7396)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • B748194FDF038A8EFE795B59C8BA2BF2.exe (PID: 7396)
    • Contacting a server suspected of hosting a CnC

      • B748194FDF038A8EFE795B59C8BA2BF2.exe (PID: 7396)
    • Connects to unusual port

      • B748194FDF038A8EFE795B59C8BA2BF2.exe (PID: 7396)
    • There is functionality for taking screenshot (YARA)

      • B748194FDF038A8EFE795B59C8BA2BF2.exe (PID: 7396)
  • INFO

    • Creates files or folders in the user directory

      • B748194FDF038A8EFE795B59C8BA2BF2.exe (PID: 7396)
    • Creates files in the program directory

      • B748194FDF038A8EFE795B59C8BA2BF2.exe (PID: 7396)
    • Checks supported languages

      • B748194FDF038A8EFE795B59C8BA2BF2.exe (PID: 7396)
    • Reads the computer name

      • B748194FDF038A8EFE795B59C8BA2BF2.exe (PID: 7396)
    • Checks proxy server information

      • B748194FDF038A8EFE795B59C8BA2BF2.exe (PID: 7396)
      • slui.exe (PID: 7796)
    • Reads the software policy settings

      • slui.exe (PID: 7796)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:02:24 10:00:11+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 356864
InitializedDataSize: 140288
UninitializedDataSize: -
EntryPoint: 0x34d64
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
Total processes: 123
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph: start → b748194fdf038a8efe795b59c8ba2bf2.exe (#REMCOS), slui.exe

Process information

PID: 7396
CMD: "C:\Users\admin\Desktop\B748194FDF038A8EFE795B59C8BA2BF2.exe"
Path: C:\Users\admin\Desktop\B748194FDF038A8EFE795B59C8BA2BF2.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\desktop\b748194fdf038a8efe795b59c8ba2bf2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 7796
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 3 851
Read events: 3 844
Write events: 7
Delete events: 0

Modification events

(PID) Process: (7396) B748194FDF038A8EFE795B59C8BA2BF2.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Rmc-QZ6SXQ
Operation: write
Name: exepath
Value: 68E5307A94AAD2BB058FE2EF43BAD308730884287390EE6B0EA10DA16176F5C82A2CED87F3B034CA84A82AE4535A06056D407C11BC7A9C0794D7F9104339A1DC301DC9F52854478E46806F477173069FF5D0037C6F3AB75C2A93F3788E9F615D6AC70F7187DF6FCEE45497280BBCD59A126800F5C1F5D93C

(PID) Process: (7396) B748194FDF038A8EFE795B59C8BA2BF2.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Rmc-QZ6SXQ
Operation: write
Name: licence
Value: B5716F83374E9E0F7387797748B1EDCE

(PID) Process: (7396) B748194FDF038A8EFE795B59C8BA2BF2.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Rmc-QZ6SXQ
Operation: write
Name: time
Value:

(PID) Process: (7396) B748194FDF038A8EFE795B59C8BA2BF2.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Rmc-QZ6SXQ
Operation: write
Name: UID
Value:

(PID) Process: (7396) B748194FDF038A8EFE795B59C8BA2BF2.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (7396) B748194FDF038A8EFE795B59C8BA2BF2.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (7396) B748194FDF038A8EFE795B59C8BA2BF2.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 0
Suspicious files: 2
Text files: 0
Unknown types: 0

Dropped files

PID: 7396
Process: B748194FDF038A8EFE795B59C8BA2BF2.exe
Filename: C:\ProgramData\sdrgfwergergef\logs.dat
Type: binary
MD5: 7093B0E764CEE6731D0F7A29156359AD
SHA256: 327DC6575F7323FD68E1496CE41297DD956192623CB502512E3C02344D0B8B0B

PID: 7396
Process: B748194FDF038A8EFE795B59C8BA2BF2.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\json[1].json
Type: binary
MD5: 50E77C593F5CC8478110132A7E7B5624
SHA256: C5172C75FB31FDE1AE0EE72EE40E40E3FBF3990814CC9332A789F821E63B53B1
HTTP(S) requests: 4
TCP/UDP connections: 24
DNS requests: 6
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
7396 | B748194FDF038A8EFE795B59C8BA2BF2.exe | GET | 200 | 178.237.33.50:80 | http://geoplugin.net/json.gp | unknown | | | whitelisted
2104 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
| | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
| | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
| | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
7396 | B748194FDF038A8EFE795B59C8BA2BF2.exe | 147.124.217.110:2404 | | MAJESTIC-HOSTING-01 | US | malicious
7396 | B748194FDF038A8EFE795B59C8BA2BF2.exe | 178.237.33.50:80 | geoplugin.net | Schuberg Philis B.V. | NL | whitelisted
2104 | svchost.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
7248 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7796 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 51.104.136.2 | whitelisted
google.com | 216.58.206.78 | whitelisted
geoplugin.net | 178.237.33.50 | whitelisted
crl.microsoft.com | 23.53.40.178, 23.53.40.176 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted

Threats

PID | Process | Class | Message
7396 | B748194FDF038A8EFE795B59C8BA2BF2.exe | Malware Command and Control Activity Detected | ET MALWARE Remcos 3.x Unencrypted Checkin
7396 | B748194FDF038A8EFE795B59C8BA2BF2.exe | Malware Command and Control Activity Detected | ET MALWARE Remcos 3.x Unencrypted Server Response
7396 | B748194FDF038A8EFE795B59C8BA2BF2.exe | Malware Command and Control Activity Detected | ET MALWARE Remcos 3.x Unencrypted Server Response
No debug info