File name: REMCOS v1.7 Professional_.zip

Full analysis: https://app.any.run/tasks/2d796297-698b-4b8c-baa5-48816eb6d479
Verdict: Malicious activity
Threats:

Remcos is a RAT-type malware that attackers use to perform actions on infected machines remotely. It is very actively maintained, with updates coming out almost every month.

Analysis date: August 12, 2022, 17:51:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: remcos
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: ECDBF64ED3D8692D4953D7E9436744D7
SHA1: AC843F0AC8C4E517E2C455209746F98C896107F9
SHA256: D815001E1B213377F9C85DC165F06003464729D99E201976449C07400043F811
SSDEEP: 196608:iRfQQ/NHAcmK0Z7Q350gKXB2io4+Os3Yh1e+b/6CkngNuEbsB4Ija7bZOnPI+pLO:YfQNVa350F2gua1jb/VNvbs9A+JZvmj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 3280)
    • Application was dropped or rewritten from another process

      • remcos.exe (PID: 628)
      • Remcos Loader.exe (PID: 996)
      • remcos.exe (PID: 1868)
      • remcos.exe (PID: 2196)
    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3720)
      • remcos.exe (PID: 628)
      • remcos.exe (PID: 1868)
      • remcos.exe (PID: 2196)
    • Runs injected code in another process

      • remcos.exe (PID: 628)
      • remcos.exe (PID: 1868)
      • remcos.exe (PID: 2196)
    • REMCOS detected by memory dumps

      • remcos.exe (PID: 628)
      • remcos.exe (PID: 1868)
      • remcos.exe (PID: 2196)
    • Application was injected by another process

      • Explorer.EXE (PID: 912)
  • SUSPICIOUS

    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 3280)
    • Reads the computer name

      • WinRAR.exe (PID: 3280)
      • remcos.exe (PID: 628)
      • remcos.exe (PID: 1868)
      • remcos.exe (PID: 2196)
    • Checks supported languages

      • WinRAR.exe (PID: 3280)
      • Remcos Loader.exe (PID: 996)
      • remcos.exe (PID: 628)
      • remcos.exe (PID: 1868)
      • remcos.exe (PID: 2196)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3280)
  • INFO

    • Manual execution by user

      • Remcos Loader.exe (PID: 996)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: REMCOS v1.7 Professional/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2022:08:12 19:47:21
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 7
Malicious processes: 6
Suspicious processes: 0

Behavior graph

Graph nodes (from the interactive behavior graph in the full report): start, inject, winrar.exe, searchprotocolhost.exe (no specs), remcos loader.exe (no specs), remcos.exe (#REMCOS), remcos.exe (#REMCOS, no specs), remcos.exe (#REMCOS), explorer.exe

Process information

PID: 3280
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\REMCOS v1.7 Professional_.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0

PID: 3720
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\system32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)

PID: 996
CMD: "C:\Users\admin\Desktop\REMCOS v1.7 Professional\Remcos Loader.exe"
Path: C:\Users\admin\Desktop\REMCOS v1.7 Professional\Remcos Loader.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 628
CMD: "C:\Users\admin\Desktop\REMCOS v1.7 Professional\remcos.exe"
Path: C:\Users\admin\Desktop\REMCOS v1.7 Professional\remcos.exe
Parent process: Remcos Loader.exe
User: admin
Company: Breaking-Security.net
Integrity Level: MEDIUM
Description: REMCOS Remote Control & Surveillance
Exit code: 0
Version: 1.7.0.0

PID: 1868
CMD: "C:\Users\admin\Desktop\REMCOS v1.7 Professional\remcos.exe"
Path: C:\Users\admin\Desktop\REMCOS v1.7 Professional\remcos.exe
Parent process: Remcos Loader.exe
User: admin
Company: Breaking-Security.net
Integrity Level: MEDIUM
Description: REMCOS Remote Control & Surveillance
Exit code: 0
Version: 1.7.0.0

PID: 2196
CMD: "C:\Users\admin\Desktop\REMCOS v1.7 Professional\remcos.exe"
Path: C:\Users\admin\Desktop\REMCOS v1.7 Professional\remcos.exe
Parent process: Remcos Loader.exe
User: admin
Company: Breaking-Security.net
Integrity Level: MEDIUM
Description: REMCOS Remote Control & Surveillance
Exit code: 0
Version: 1.7.0.0

PID: 912
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 6 065
Read events: 5 936
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 3
Suspicious files: 0
Text files: 3
Unknown types: 0

Dropped files

PID: 3280
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\REMCOS v1.7 Professional\Remcos_Settings.ini
Type: ini
MD5: 8D9E5CF42F9A682B2019C8E5CF58F090
SHA256: 320AB1DE7CCE35F9B9F731C1DF5EE16FB06C75EF01B4913D08DE27B0A381D1D9

PID: 3280
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\REMCOS v1.7 Professional\Remcos Loader.exe
Type: executable
MD5: 75792B5B38EDD028D13EEF62C0D828E6
SHA256: B7F82678830C34DB745A16D5551386F15FF28FDA563F10C6903F6471A58E243E

PID: 2196
Process: remcos.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\gettime[1].htm
Type: text
MD5: D19021C3E24FFF276CE831D27901DB2B
SHA256: A51CE6D2543445BDA96479C74113F63C5FBA8C1DF87B0628D983683CB8970F82

PID: 3280
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\REMCOS v1.7 Professional\REMCOSAuthHooks.dll
Type: executable
MD5: A329F92AD3B9311AF3130DBDE81155CE
SHA256: D695A2EE6FCAE64F4D8C4387A0A4C4AAE05D08CE44A52598984673B890D02F27

PID: 3280
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\REMCOS v1.7 Professional\remcos.exe
Type: executable
MD5: ED1E424EA6F625968A334377E8AC629F
SHA256: 1E5375B400F68C422804703390489B2CF3968C2A8BCCB0B5B3C55FE1D2E3C991

PID: 2196
Process: remcos.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\OnlineCheck_MT[1].htm
Type: text
MD5: 442D4F5216CD9DA1FD121655A23E8843
SHA256: 0A3706B1424059F3F718B8FBAA2DD145EA0FD1F8D950744CA78C7B32D2DFA4A8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 5
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 628
Process: remcos.exe
IP: 216.58.212.132:80
Domain: www.google.com
ASN: Google Inc.
CN: US
Reputation: whitelisted

PID: 2196
Process: remcos.exe
IP: 216.58.212.132:80
Domain: www.google.com
ASN: Google Inc.
CN: US
Reputation: whitelisted

DNS requests

Domain: www.google.com
IP: 216.58.212.132
Reputation: whitelisted

Domain: dns.msftncsi.com
IP: 131.107.255.255
Reputation: shared

Threats

No threats detected
No debug info