File name:

AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe

Full analysis: https://app.any.run/tasks/b77eed7e-face-4948-a8c4-2b0d0d0c2a98
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that gives attackers full or partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionality for illicit activity on compromised systems. Common RAT features include access to the user's data, webcam and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: December 05, 2022, 20:22:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
rat
remcos
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: C9D36E490B60B2E1964FD7311D8BB0BD
SHA1: EBD73E29F1FD1F2D0A5BFD0FA3AD1BFEB17A6F75
SHA256: CCA6FBBBB4B240BD2D713677E01DC377FFFFB4A99DEDAB5EEA9813F9D855AF56
SSDEEP: 12288:oHzdKZ26f6MgGse8hAvQHQ1aqM8Dg5SiaPeX:edKvgsaqM805SiaPe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe (PID: 1328)
    • Remcos is detected

      • RegSvcs.exe (PID: 3904)
    • REMCOS was detected

      • RegSvcs.exe (PID: 3904)
    • REMCOS detected by memory dumps

      • RegSvcs.exe (PID: 3904)
  • SUSPICIOUS

    • Reads the Internet Settings

      • AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe (PID: 1328)
    • Executable content was dropped or overwritten

      • AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe (PID: 1328)
  • INFO

    • Checks supported languages

      • AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe (PID: 1328)
      • RegSvcs.exe (PID: 3904)
    • Reads Environment values

      • RegSvcs.exe (PID: 3904)
    • Reads the computer name

      • AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe (PID: 1328)
      • RegSvcs.exe (PID: 3904)
    • Reads product name

      • RegSvcs.exe (PID: 3904)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Remcos

(PID) Process: (3904) RegSvcs.exe
Hosts (1): brasil.con-ip.com:2001
Botnet: BRASIL
Connect_interval: 1
Install_flag: False
Install_HKCU\Run: True
Setup_path: %APPDATA%
Copy_file: remcos.exe
Startup_value: Remcos
Hide_file: False
Mutex_name: Remcos-WLGLS0
Keylog_flag: 1
Keylog_path: %APPDATA%
Keylog_file: logs.dat
Keylog_crypt: False
Hide_keylog: False
Screenshot_flag: False
Screenshot_time: 5
Take_Screenshot: False
Screenshot_name: wikipedia;solitaire;
Screenshot_path: %APPDATA%
Screenshot_file: Screenshots
Screenshot_crypt: False
Mouse_option: False
Delete_file: False
Audio_record_time: 5
Audio_path: %APPDATA%
Audio_dir: MicRecords
Connect_delay: 0
Copy_dir: Remcos
Keylog_dir: remcos
Max_keylog_file: 10000
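The extracted configuration is what an analyst turns into search terms. The script below is an added example; it is not part of the ANY.RUN report or of Remcos. It parses the block either in the raw export form (key and value run together on one line, as the configuration was extracted) or in the Key: Value form, and derives the host artifacts: the mutex, the HKCU\Software\<mutex> key under which the registry events in this report show exepath and licence being written, the keylog file, and the self-copy and Run value, which this build does not create because Install_flag is False. Two things are assumptions rather than documented Remcos behaviour: composing path\dir\file into one location (checked against the dropped file C:\Users\admin\AppData\Roaming\remcos\logs.dat recorded in this report) and gating the self-copy and Run value on Install_flag (consistent with this run, where no remcos.exe is dropped and no Run value is written; the only persistence observed is the loader's scheduled task Updates\LaeCyBpJKSBFqo).

```python
import ntpath
import re

# Constructed input: the configuration block as the ANY.RUN export prints it,
# each key and its value run together on one line (copied from this report).
RAW_CONFIG = r"""
Hosts (1)brasil.con-ip.com:2001
BotnetBRASIL
Connect_interval1
Install_flagFalse
Install_HKCU\RunTrue
Setup_path%APPDATA%
Copy_fileremcos.exe
Startup_valueRemcos
Hide_fileFalse
Mutex_nameRemcos-WLGLS0
Keylog_flag1
Keylog_path%APPDATA%
Keylog_filelogs.dat
Keylog_cryptFalse
Hide_keylogFalse
Screenshot_flagFalse
Screenshot_time5
Take_ScreenshotFalse
Screenshot_namewikipedia;solitaire;
Screenshot_path%APPDATA%
Screenshot_fileScreenshots
Screenshot_cryptFalse
Mouse_optionFalse
Delete_fileFalse
Audio_record_time5
Audio_path%APPDATA%
Audio_dirMicRecords
Connect_delay0
Copy_dirRemcos
Keylog_dirremcos
Max_keylog_file10000
"""

# Field names as the report prints them, longest first so that prefix matching
# tries the most specific name before any shorter one.
FIELDS = sorted(r"""Botnet Connect_interval Install_flag Install_HKCU\Run Setup_path Copy_file
Startup_value Hide_file Mutex_name Keylog_flag Keylog_path Keylog_file Keylog_crypt Hide_keylog
Screenshot_flag Screenshot_time Take_Screenshot Screenshot_name Screenshot_path Screenshot_file
Screenshot_crypt Mouse_option Delete_file Audio_record_time Audio_path Audio_dir Connect_delay
Copy_dir Keylog_dir Max_keylog_file""".split(), key=len, reverse=True)


def _coerce(value):
    """True/False and integers become Python values; anything else stays text."""
    if value in ("True", "False"):
        return value == "True"
    return int(value) if value.isdigit() else value


def _parse_hosts(text):
    """'(1)host:port' -> [(host, port)]; ';' between several hosts is an assumption."""
    body = re.sub(r"^\(\d+\)", "", text.strip())
    return [(h.rsplit(":", 1)[0], int(h.rsplit(":", 1)[1])) for h in body.split(";") if h]


def parse_config(raw):
    """Accept both the raw 'KeyValue' export form and cleaned 'Key: Value' lines."""
    cfg = {}
    for line in filter(None, map(str.strip, raw.splitlines())):
        if ": " in line:
            key, value = line.split(": ", 1)
        else:
            key = "Hosts" if line.startswith("Hosts") else next(
                (f for f in FIELDS if line.startswith(f)), None)
            if key is None:
                raise ValueError(f"unrecognised config line: {line!r}")
            value = line[len(key):]
        if key.startswith("Hosts"):
            cfg["Hosts"] = _parse_hosts(value)
        else:
            cfg[key] = _coerce(value)
    return cfg


def host_artifacts(cfg, user):
    """Concrete paths and keys to search on a host for `user`."""
    appdata = ntpath.join("C:\\Users", user, "AppData", "Roaming")

    def expand(path):
        return path.replace("%APPDATA%", appdata)

    mutex = cfg["Mutex_name"]
    art = {
        "mutex": mutex,
        # The report's registry events show exepath and licence written under this key.
        "registry_key": "HKCU\\Software\\" + mutex,
        "c2": [f"{host}:{port}" for host, port in cfg.get("Hosts", [])],
        "keylog_file": None, "install_copy": None, "run_value": None,
    }
    if cfg.get("Keylog_flag"):  # assumed composition path\dir\file; matches the dropped logs.dat
        art["keylog_file"] = expand(ntpath.join(cfg["Keylog_path"], cfg["Keylog_dir"], cfg["Keylog_file"]))
    # Install_flag is False in this build: no self-copy and (assumed) no Run value, consistent
    # with the report, where persistence is the loader's scheduled task, not a Remcos Run entry.
    if cfg.get("Install_flag"):
        art["install_copy"] = expand(ntpath.join(cfg["Setup_path"], cfg["Copy_dir"], cfg["Copy_file"]))
        if cfg.get(r"Install_HKCU\Run"):
            art["run_value"] = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" + cfg["Startup_value"]
    return art
```

host_artifacts(parse_config(RAW_CONFIG), "admin") yields the mutex Remcos-WLGLS0, the key HKCU\Software\Remcos-WLGLS0, the C2 brasil.con-ip.com:2001 and the keylog file C:\Users\admin\AppData\Roaming\remcos\logs.dat, with install_copy and run_value left as None; the first three are the quickest host-side checks for other machines that received the same lure.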

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2022-Dec-05 14:11:32
Comments: -
CompanyName: MagnaSolution
FileDescription: Leather Worker
FileVersion: 1.3.0.0
InternalName: JIBE.exe
LegalCopyright: MagnaSolution 2022
LegalTrademarks: -
OriginalFilename: JIBE.exe
ProductName: Leather Worker
ProductVersion: 1.3.0.0
Assembly Version: 1.3.0.0

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: -
e_cparhdr: 4
e_minalloc: -
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: -
e_oemid: -
e_oeminfo: -
e_lfanew: 128

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 3
TimeDateStamp: 2022-Dec-05 14:11:32
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name    Virtual Address  Virtual Size  Raw Size  Characteristics                                                                Entropy
.text   8192             566116        566272    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ                  7.76144
.rsrc   581632           271872        271872    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                             5.54892
.reloc  860160           12            512       IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ  0.10191

Resources

Title   Entropy  Size    Codepage                    Language  Type
1       5.54323  270376  Latin 1 / Western European  UNKNOWN   RT_ICON
1 (#2)  1.41904  20      Latin 1 / Western European  UNKNOWN   RT_GROUP_ICON
1 (#3)  3.3143   832     Latin 1 / Western European  UNKNOWN   RT_VERSION

Imports

mscoree.dll
No data.
Total processes: 37
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start
  └─ audienciapreliminares20221205 audienciapreliminares20221206.exe
       ├─ schtasks.exe (no specs)
       └─ regsvcs.exe (#REMCOS)

Process information

PID: 1328
CMD: "C:\Users\admin\AppData\Local\Temp\AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe"
Path: C:\Users\admin\AppData\Local\Temp\AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe
Indicators: -
Parent process: Explorer.EXE
User: admin
Company: MagnaSolution
Integrity Level: MEDIUM
Description: Leather Worker
Exit code: 0
Version: 1.3.0.0
Modules
Images
c:\users\admin\appdata\local\temp\audienciapreliminares20221205 audienciapreliminares20221206.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 3528
CMD: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LaeCyBpJKSBFqo" /XML "C:\Users\admin\AppData\Local\Temp\tmp9069.tmp"
Path: C:\Windows\System32\schtasks.exe
Indicators: -
Parent process: AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\schtasks.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

PID: 3904
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Indicators: #REMCOS
Parent process: AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Services Installation Utility
Exit code: 0
Version: 4.0.30319.34209 built by: FX452RTMGDR
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
Total events: 378
Read events: 368
Write events: 10
Delete events: 0

Modification events

(PID) Process: (1328) AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (1328) AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (1328) AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (1328) AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (3904) RegSvcs.exe
Key: HKEY_CURRENT_USER\Software\Remcos-WLGLS0
Operation: write
Name: exepath
Value: B3BC0100CED9A35B0EB209D6F0C0BBDA44CF12924643B1690AD0CB2A285B67DA9A13F41C5EF73747C4E7E168288D484B1D39DD6AC74B06A9AE431D3B4FC65890B9F2DE7CD5035B7049A426CE6CAD28640A6261AC573DFF76258D99A027E872BDAE6AF35411EC949EA19F9107E84893D240924C3F

(PID) Process: (3904) RegSvcs.exe
Key: HKEY_CURRENT_USER\Software\Remcos-WLGLS0
Operation: write
Name: licence
Value: 4D8686C6E91369B6B3B3FD8BFC740299
Executable files: 1
Suspicious files: 1
Text files: 1
Unknown types: 0

Dropped files

PID: 3904
Process: RegSvcs.exe
Filename: C:\Users\admin\AppData\Roaming\remcos\logs.dat
Type: binary
MD5:
SHA256:

PID: 1328
Process: AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe
Filename: C:\Users\admin\AppData\Roaming\LaeCyBpJKSBFqo.exe
Type: executable
MD5:
SHA256:

PID: 1328
Process: AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe
Filename: C:\Users\admin\AppData\Local\Temp\tmp9069.tmp
Type: xml
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 1
Threats: 3

HTTP requests

No HTTP requests

Connections

PID   Process      IP                Domain             ASN             CN  Reputation
3904  RegSvcs.exe  179.13.0.69:2001  brasil.con-ip.com  Colombia Movil  CO  malicious

DNS requests

Domain             IP           Reputation
brasil.con-ip.com  179.13.0.69  malicious

Threats

PID   Process      Class                          Message
-     -            Potentially Bad Traffic        ET INFO DNS Redirection Service Domain in DNS Lookup (con-ip .com)
3904  RegSvcs.exe  A Network Trojan was detected  AV TROJAN Win32/Remcos RAT Checkin - pass
1 ETPRO signature available at the full report
No debug info
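The chain this report records is a .NET loader running from %TEMP% (its only import is mscoree.dll and its .text section has entropy 7.76, consistent with an encrypted payload) that drops LaeCyBpJKSBFqo.exe into %APPDATA%, registers a scheduled task of the same name from an XML file in %TEMP% (the task definition itself is not in the report), and starts RegSvcs.exe with no assembly argument; the Remcos payload then runs inside that RegSvcs.exe, which writes HKCU\Software\Remcos-WLGLS0 and connects to 179.13.0.69:2001. The script below is an added example, not part of the ANY.RUN report: it runs four checks over constructed process, registry and network records that mirror those events, plus one hypothetical benign RegSvcs launch from Visual Studio as a control, and escalates any PID that trips more than one check. The Event schema, the benign record and the inclusion of RegAsm.exe alongside RegSvcs.exe are assumptions that go beyond what the report shows.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    """One telemetry record; the field names are an assumed schema, not a real product's."""
    kind: str              # "process", "registry" or "network"
    pid: int
    image: str
    parent_image: str = ""
    cmdline: str = ""
    key: str = ""          # registry value path (registry events)
    dest: str = ""         # "ip:port" (network events)


LOADER = r"C:\Users\admin\AppData\Local\Temp\AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# Constructed records mirroring the report (PIDs 1328, 3528, 3904) plus one
# hypothetical benign RegSvcs run from Visual Studio (PID 4100) as a control.
EVENTS = [
    Event("process", 1328, LOADER, parent_image=r"C:\Windows\Explorer.EXE", cmdline='"' + LOADER + '"'),
    Event("process", 3528, r"C:\Windows\System32\schtasks.exe", parent_image=LOADER,
          cmdline=r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LaeCyBpJKSBFqo" '
                  r'/XML "C:\Users\admin\AppData\Local\Temp\tmp9069.tmp"'),
    Event("process", 3904, REGSVCS, parent_image=LOADER, cmdline='"' + REGSVCS + '"'),
    Event("registry", 3904, REGSVCS, key=r"HKEY_CURRENT_USER\Software\Remcos-WLGLS0\exepath"),
    Event("registry", 3904, REGSVCS, key=r"HKEY_CURRENT_USER\Software\Remcos-WLGLS0\licence"),
    Event("network", 3904, REGSVCS, dest="179.13.0.69:2001"),
    Event("process", 4100, REGSVCS, cmdline='"' + REGSVCS + r'" C:\dev\MyComponent.dll',
          parent_image=r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"),
]

USER_WRITABLE = re.compile(r"\\(AppData|Users\\Public|ProgramData|Temp)\\", re.I)
# RegSvcs.exe is the host seen in this report; RegAsm.exe is added as a generalisation.
INJECTION_HOSTS = ("regsvcs.exe", "regasm.exe")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def split_args(cmdline):
    """Tokenise a Windows command line, keeping double-quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def rule_schtasks_xml_from_user_dir(ev):
    if ev.kind != "process" or basename(ev.image) != "schtasks.exe":
        return None
    args = [a.lower() for a in split_args(ev.cmdline)]
    if "/create" in args and "/xml" in args:
        i = args.index("/xml")
        xml = args[i + 1] if i + 1 < len(args) else ""
        if USER_WRITABLE.search(xml):
            return "schtasks /Create with task XML read from a user-writable directory"
    return None


def rule_injection_host_without_assembly(ev):
    """RegSvcs/RegAsm need an assembly path; a bare launch from a Temp/AppData parent is the hollowing pattern."""
    if ev.kind != "process" or basename(ev.image) not in INJECTION_HOSTS:
        return None
    if len(split_args(ev.cmdline)) == 1 and USER_WRITABLE.search(ev.parent_image):
        return "RegSvcs/RegAsm started with no assembly argument by a parent in a user-writable directory"
    return None


def rule_injection_host_registry(ev):
    """The .NET utilities have no reason to create their own HKCU\\Software\\<name> key."""
    if ev.kind != "registry" or basename(ev.image) not in INJECTION_HOSTS:
        return None
    if re.match(r"HKEY_CURRENT_USER\\Software\\(?!Microsoft\\|Classes\\)", ev.key, re.I):
        return f"RegSvcs/RegAsm wrote {ev.key}"
    return None


def rule_injection_host_network(ev):
    if ev.kind == "network" and basename(ev.image) in INJECTION_HOSTS:
        return f"RegSvcs/RegAsm connected out to {ev.dest}"
    return None


RULES = (rule_schtasks_xml_from_user_dir, rule_injection_host_without_assembly,
         rule_injection_host_registry, rule_injection_host_network)


def detect(events):
    """Return (pid, rule name, message) for every record that trips a rule."""
    findings = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                findings.append((ev.pid, rule.__name__, msg))
    return findings


def escalate(findings):
    """PIDs tripping more than one distinct rule: the injected RegSvcs.exe stacks
    bare launch, registry write and C2 connection on a single PID."""
    by_pid = defaultdict(set)
    for pid, rule, _ in findings:
        by_pid[pid].add(rule)
    return {pid: sorted(rules) for pid, rules in by_pid.items() if len(rules) > 1}
```

detect(EVENTS) flags the schtasks call (PID 3528) once and RegSvcs.exe (PID 3904) four times, while the benign RegSvcs run with an assembly argument from Program Files produces nothing; escalate() then singles out PID 3904 as the only process hitting three independent rules, which is the signal worth paging on even before a memory dump confirms the family.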