| Field | Value |
|---|---|
| File name | REMCOS v1.7 Professional_.zip |
| Full analysis | https://app.any.run/tasks/2d796297-698b-4b8c-baa5-48816eb6d479 |
| Verdict | Malicious activity |
| Threats | Remcos is a RAT-type malware that attackers use to perform actions on infected machines remotely. This malware is very actively maintained, with updates released almost every month. |
| Analysis date | August 12, 2022, 17:51:48 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | ECDBF64ED3D8692D4953D7E9436744D7 |
| SHA1 | AC843F0AC8C4E517E2C455209746F98C896107F9 |
| SHA256 | D815001E1B213377F9C85DC165F06003464729D99E201976449C07400043F811 |
| SSDEEP | 196608:iRfQQ/NHAcmK0Z7Q350gKXB2io4+Os3Yh1e+b/6CkngNuEbsB4Ija7bZOnPI+pLO:YfQNVa350F2gua1jb/VNvbs9A+JZvmj |
| Property | Value |
|---|---|
| File type (.zip) | ZIP compressed archive (100) |
| ZipFileName | REMCOS v1.7 Professional/ |
| ZipUncompressedSize | - |
| ZipCompressedSize | - |
| ZipCRC | 0x00000000 |
| ZipModifyDate | 2022:08:12 19:47:21 |
| ZipCompression | None |
| ZipBitFlag | - |
| ZipRequiredVersion | 20 |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 3280 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\REMCOS v1.7 Professional_.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | Explorer.EXE | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.91.0 |
| 3720 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\system32\SearchProtocolHost.exe | — | SearchIndexer.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Microsoft Windows Search Protocol Host; Exit code: 0; Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211) |
| 996 | "C:\Users\admin\Desktop\REMCOS v1.7 Professional\Remcos Loader.exe" | C:\Users\admin\Desktop\REMCOS v1.7 Professional\Remcos Loader.exe | — | Explorer.EXE | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 628 | "C:\Users\admin\Desktop\REMCOS v1.7 Professional\remcos.exe" | C:\Users\admin\Desktop\REMCOS v1.7 Professional\remcos.exe | — | Remcos Loader.exe | User: admin; Company: Breaking-Security.net; Integrity Level: MEDIUM; Description: REMCOS Remote Control & Surveillance; Exit code: 0; Version: 1.7.0.0 |
| 1868 | "C:\Users\admin\Desktop\REMCOS v1.7 Professional\remcos.exe" | C:\Users\admin\Desktop\REMCOS v1.7 Professional\remcos.exe | — | Remcos Loader.exe | User: admin; Company: Breaking-Security.net; Integrity Level: MEDIUM; Description: REMCOS Remote Control & Surveillance; Exit code: 0; Version: 1.7.0.0 |
| 2196 | "C:\Users\admin\Desktop\REMCOS v1.7 Professional\remcos.exe" | C:\Users\admin\Desktop\REMCOS v1.7 Professional\remcos.exe | — | Remcos Loader.exe | User: admin; Company: Breaking-Security.net; Integrity Level: MEDIUM; Description: REMCOS Remote Control & Surveillance; Exit code: 0; Version: 1.7.0.0 |
| 912 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | — | | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3280 | WinRAR.exe | C:\Users\admin\Desktop\REMCOS v1.7 Professional\Remcos_Settings.ini | ini | 8D9E5CF42F9A682B2019C8E5CF58F090 | 320AB1DE7CCE35F9B9F731C1DF5EE16FB06C75EF01B4913D08DE27B0A381D1D9 |
| 3280 | WinRAR.exe | C:\Users\admin\Desktop\REMCOS v1.7 Professional\Remcos Loader.exe | executable | 75792B5B38EDD028D13EEF62C0D828E6 | B7F82678830C34DB745A16D5551386F15FF28FDA563F10C6903F6471A58E243E |
| 2196 | remcos.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\gettime[1].htm | text | D19021C3E24FFF276CE831D27901DB2B | A51CE6D2543445BDA96479C74113F63C5FBA8C1DF87B0628D983683CB8970F82 |
| 3280 | WinRAR.exe | C:\Users\admin\Desktop\REMCOS v1.7 Professional\REMCOSAuthHooks.dll | executable | A329F92AD3B9311AF3130DBDE81155CE | D695A2EE6FCAE64F4D8C4387A0A4C4AAE05D08CE44A52598984673B890D02F27 |
| 3280 | WinRAR.exe | C:\Users\admin\Desktop\REMCOS v1.7 Professional\remcos.exe | executable | ED1E424EA6F625968A334377E8AC629F | 1E5375B400F68C422804703390489B2CF3968C2A8BCCB0B5B3C55FE1D2E3C991 |
| 2196 | remcos.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\OnlineCheck_MT[1].htm | text | 442D4F5216CD9DA1FD121655A23E8843 | 0A3706B1424059F3F718B8FBAA2DD145EA0FD1F8D950744CA78C7B32D2DFA4A8 |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 628 | remcos.exe | 216.58.212.132:80 | www.google.com | Google Inc. | US | whitelisted |
| 2196 | remcos.exe | 216.58.212.132:80 | www.google.com | Google Inc. | US | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| www.google.com | | whitelisted |
| dns.msftncsi.com | | shared |