File name: AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe

Full analysis: https://app.any.run/tasks/b77eed7e-face-4948-a8c4-2b0d0d0c2a98
Verdict: Malicious activity
Threats:

Remcos is a RAT-type malware that attackers use to perform actions on infected machines remotely. This malware is very actively maintained, with updates coming out almost every single month.

Analysis date: December 05, 2022, 20:22:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
rat
remcos
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: C9D36E490B60B2E1964FD7311D8BB0BD
SHA1: EBD73E29F1FD1F2D0A5BFD0FA3AD1BFEB17A6F75
SHA256: CCA6FBBBB4B240BD2D713677E01DC377FFFFB4A99DEDAB5EEA9813F9D855AF56
SSDEEP: 12288:oHzdKZ26f6MgGse8hAvQHQ1aqM8Dg5SiaPeX:edKvgsaqM805SiaPe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Remcos is detected

      • RegSvcs.exe (PID: 3904)
    • Drops the executable file immediately after the start

      • AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe (PID: 1328)
    • REMCOS was detected

      • RegSvcs.exe (PID: 3904)
    • REMCOS detected by memory dumps

      • RegSvcs.exe (PID: 3904)
  • SUSPICIOUS

    • Reads the Internet Settings

      • AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe (PID: 1328)
    • Executable content was dropped or overwritten

      • AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe (PID: 1328)
  • INFO

    • Reads the computer name

      • AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe (PID: 1328)
      • RegSvcs.exe (PID: 3904)
    • Checks supported languages

      • AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe (PID: 1328)
      • RegSvcs.exe (PID: 3904)
    • Reads product name

      • RegSvcs.exe (PID: 3904)
    • Reads Environment values

      • RegSvcs.exe (PID: 3904)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Remcos

(PID) Process: (3904) RegSvcs.exe
Max_keylog_file: 10000
Keylog_dir: remcos
Copy_dir: Remcos
Connect_delay: 0
Audio_dir: MicRecords
Audio_path: %APPDATA%
Audio_record_time: 5
Delete_file: False
Mouse_option: False
Screenshot_crypt: False
Screenshot_file: Screenshots
Screenshot_path: %APPDATA%
Screenshot_name: wikipedia;solitaire;
Take_Screenshot: False
Screenshot_time: 5
Screenshot_flag: False
Hide_keylog: False
Keylog_crypt: False
Keylog_file: logs.dat
Keylog_path: %APPDATA%
Keylog_flag: 1
Mutex_name: Remcos-WLGLS0
Hide_file: False
Startup_value: Remcos
Copy_file: remcos.exe
Setup_path: %APPDATA%
Install_HKCU\Run: True
Install_flag: False
Connect_interval: 1
Botnet: BRASIL
Hosts (1): brasil.con-ip.com:2001

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2022-Dec-05 14:11:32
Comments:
CompanyName: MagnaSolution
FileDescription: Leather Worker
FileVersion: 1.3.0.0
InternalName: JIBE.exe
LegalCopyright: MagnaSolution 2022
LegalTrademarks:
OriginalFilename: JIBE.exe
ProductName: Leather Worker
ProductVersion: 1.3.0.0
Assembly Version: 1.3.0.0

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: 0
e_cparhdr: 4
e_minalloc: 0
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 0
e_oemid: 0
e_oeminfo: 0
e_lfanew: 128

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 3
TimeDateStamp: 2022-Dec-05 14:11:32
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 8192 | 566116 | 566272 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.76144
.rsrc | 581632 | 271872 | 271872 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.54892
.reloc | 860160 | 12 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.54323 | 270376 | Latin 1 / Western European | UNKNOWN | RT_ICON
1 (#2) | 1.41904 | 20 | Latin 1 / Western European | UNKNOWN | RT_GROUP_ICON
1 (#3) | 3.3143 | 832 | Latin 1 / Western European | UNKNOWN | RT_VERSION

Imports

mscoree.dll
No data.
Total processes: 37
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Graph nodes: start -> audienciapreliminares20221205 audienciapreliminares20221206.exe; schtasks.exe (no specs); regsvcs.exe (#REMCOS)

Process information

PID: 1328
CMD: "C:\Users\admin\AppData\Local\Temp\AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe"
Path: C:\Users\admin\AppData\Local\Temp\AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe
Parent process: Explorer.EXE
User: admin
Company: MagnaSolution
Integrity Level: MEDIUM
Description: Leather Worker
Exit code: 0
Version: 1.3.0.0
Modules (Images):
c:\users\admin\appdata\local\temp\audienciapreliminares20221205 audienciapreliminares20221206.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 3528
CMD: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LaeCyBpJKSBFqo" /XML "C:\Users\admin\AppData\Local\Temp\tmp9069.tmp"
Path: C:\Windows\System32\schtasks.exe
Parent process: AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\ntdll.dll
c:\windows\system32\schtasks.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

PID: 3904
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Parent process: AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Services Installation Utility
Version: 4.0.30319.34209 built by: FX452RTMGDR
Modules (Images):
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
Total events: 378
Read events: 368
Write events: 10
Delete events: 0

Modification events

(PID) Process: (1328) AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (1328) AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (1328) AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (1328) AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (3904) RegSvcs.exe
Key: HKEY_CURRENT_USER\Software\Remcos-WLGLS0
Operation: write
Name: exepath
Value: B3BC0100CED9A35B0EB209D6F0C0BBDA44CF12924643B1690AD0CB2A285B67DA9A13F41C5EF73747C4E7E168288D484B1D39DD6AC74B06A9AE431D3B4FC65890B9F2DE7CD5035B7049A426CE6CAD28640A6261AC573DFF76258D99A027E872BDAE6AF35411EC949EA19F9107E84893D240924C3F

(PID) Process: (3904) RegSvcs.exe
Key: HKEY_CURRENT_USER\Software\Remcos-WLGLS0
Operation: write
Name: licence
Value: 4D8686C6E91369B6B3B3FD8BFC740299
Executable files: 1
Suspicious files: 1
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1328 | AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe | C:\Users\admin\AppData\Roaming\LaeCyBpJKSBFqo.exe | executable
  MD5: C9D36E490B60B2E1964FD7311D8BB0BD
  SHA256: CCA6FBBBB4B240BD2D713677E01DC377FFFFB4A99DEDAB5EEA9813F9D855AF56
1328 | AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe | C:\Users\admin\AppData\Local\Temp\tmp9069.tmp | xml
  MD5: 398D4F044ADD842408FC683F6FE36A4F
  SHA256: 94BFF2A167B975CF3F6959E87FF9DB5C2855BF9A988AC451B128697874EFEBDB
3904 | RegSvcs.exe | C:\Users\admin\AppData\Roaming\remcos\logs.dat | binary
  MD5: 212899296B4A3F4F706F30A428889342
  SHA256: 69A2A7BB5B344E00FF0D7D93E342301CAC85E582C4D89242B39F047B91128791
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 1
Threats: 3

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3904 | RegSvcs.exe | 179.13.0.69:2001 | brasil.con-ip.com | Colombia Movil | CO | malicious

DNS requests

Domain | IP | Reputation
brasil.con-ip.com | 179.13.0.69 | malicious

Threats

PID | Process | Class | Message
 | | Potentially Bad Traffic | ET INFO DNS Redirection Service Domain in DNS Lookup (con-ip .com)
3904 | RegSvcs.exe | A Network Trojan was detected | AV TROJAN Win32/Remcos RAT Checkin - pass
1 ETPRO signatures available at the full report
No debug info