File name: Items.exe
Full analysis: https://app.any.run/tasks/f6c92779-61ee-44a4-a2f2-2a7c3b1c345b
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: September 19, 2019, 06:55:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
autoit
trojan
rat
remcos
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: DF01C98F1AFE3BCF988A37E0AD0DCA02
SHA1: 15CD6C0C520C2F1FA61E01438850AE22F1D947A4
SHA256: DA83626539C30C9033C6C94430C1E074CE0A3417CC9CC249CE5D6D7A7725AB7F
SSDEEP: 24576:+NA3R5drXPfVpeI/oeP1BUOeUc2jfn76ko6/Yb1DF9ilu1h6LId7nf1RMMaReV5L:f5F85/UZ7M6/SrX1h6LIdzfXMf25Bl9l

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • vrr.exe (PID: 3140)
    • REMCOS was detected
      • RegSvcs.exe (PID: 504)
    • Changes the autorun value in the registry
      • vrr.exe (PID: 3140)
    • Connects to CnC server
      • RegSvcs.exe (PID: 504)
  • SUSPICIOUS
    • Executes scripts
      • Items.exe (PID: 2892)
    • Creates files in the user directory
      • RegSvcs.exe (PID: 504)
    • Executable content was dropped or overwritten
      • Items.exe (PID: 2892)
    • Drop AutoIt3 executable file
      • Items.exe (PID: 2892)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x1d759
UninitializedDataSize: -
InitializedDataSize: 175104
CodeSize: 190976
LinkerVersion: 14
PEType: PE32
TimeStamp: 2019:04:27 22:03:27+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 27-Apr-2019 20:03:27
Detected languages:
  • English - United States
  • Process Default Language
Debug artifacts:
  • D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000110

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 27-Apr-2019 20:03:27
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x0002E854 | 0x0002EA00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.69231
.rdata | 0x00030000 | 0x00009A9C | 0x00009C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.13286
.data | 0x0003A000 | 0x000213D0 | 0x00000C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.25381
.gfids | 0x0005C000 | 0x000000E8 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 2.11154
.rsrc | 0x0005D000 | 0x0001E048 | 0x0001E200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.77006
.reloc | 0x0007C000 | 0x00001FCC | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.64554

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.25329 | 1875 | Latin 1 / Western European | English - United States | RT_MANIFEST
2 | 7.61595 | 4290 | Latin 1 / Western European | Process Default Language | RT_ICON
3 | 2.91414 | 9640 | Latin 1 / Western European | Process Default Language | RT_ICON
4 | 3.39393 | 4264 | Latin 1 / Western European | Process Default Language | RT_ICON
5 | 2.3788 | 67624 | Latin 1 / Western European | Process Default Language | RT_ICON
6 | 2.78068 | 16936 | Latin 1 / Western European | Process Default Language | RT_ICON
7 | 3.1586 | 482 | Latin 1 / Western European | English - United States | RT_STRING
8 | 3.11685 | 460 | Latin 1 / Western European | English - United States | RT_STRING
9 | 3.15447 | 494 | Latin 1 / Western European | English - United States | RT_STRING
10 | 2.99727 | 326 | Latin 1 / Western European | English - United States | RT_STRING

Imports

KERNEL32.dll
USER32.dll (delay-loaded)
gdiplus.dll
No data.
Total processes: 35
Monitored processes: 4
Malicious processes: 4
Suspicious processes: 0

Behavior graph

start → items.exe → wscript.exe (no specs) → vrr.exe → regsvcs.exe (#REMCOS)

Process information

PID | CMD | Path | Parent process
2892 | "C:\Users\admin\AppData\Local\Temp\Items.exe" | C:\Users\admin\AppData\Local\Temp\Items.exe | explorer.exe
  User: admin; Integrity Level: MEDIUM; Exit code: 0
3836 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\48656952\xsj.vbs" | C:\Windows\System32\WScript.exe | Items.exe
  User: admin; Company: Microsoft Corporation; Description: Microsoft ® Windows Based Script Host; Version: 5.8.7600.16385; Integrity Level: MEDIUM; Exit code: 0
3140 | "C:\Users\admin\AppData\Local\Temp\48656952\vrr.exe" cer=csn | C:\Users\admin\AppData\Local\Temp\48656952\vrr.exe | WScript.exe
  User: admin; Company: AutoIt Team; Description: AutoIt v3 Script; Version: 3, 3, 8, 1; Integrity Level: MEDIUM
504 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | vrr.exe
  User: admin; Company: Microsoft Corporation; Description: Microsoft .NET Services Installation Utility; Version: 4.7.3062.0 built by: NET472REL1; Integrity Level: MEDIUM
Total events: 899
Read events: 831
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1
Suspicious files: 1
Text files: 67
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2892 | Items.exe | C:\Users\admin\AppData\Local\Temp\48656952\cer=csn | - | - | -
2892 | Items.exe | C:\Users\admin\AppData\Local\Temp\48656952\ctl.icm | text | 166B8C8C43929F278A25C21872F57797 | 04A8C50F938445750CE9DDCFE27CF58A1C6DFF9D5490F0255BC008B61027ABA2
2892 | Items.exe | C:\Users\admin\AppData\Local\Temp\48656952\nuh.icm | text | F6F6561D94FD09C0D182C37FECC89C67 | 5AE4741B8F54D5423F8E850489CCC9FD0526E77B07E175F1FA7759B9C0CF73AD
2892 | Items.exe | C:\Users\admin\AppData\Local\Temp\48656952\fck.txt | text | C63503428630AE63C17ED6E0A85025EF | 7C4A66426544FA6C842355DCFA42AE640D3E8108594727BA1F8EB8CEEF0C54CA
2892 | Items.exe | C:\Users\admin\AppData\Local\Temp\48656952\ong.dat | text | 66A302AD5AE1D624374D6CADFCA99714 | BA68D968D5B3562EDD6E89A0C4DE37C79E2463189D9C4292382BA749B20628D4
2892 | Items.exe | C:\Users\admin\AppData\Local\Temp\48656952\xsj.vbs | text | 92459CDF29A84547952BE998282EE437 | AE99EC7B774D32E42D684B2C06FC7E25F7A3B88199DF0BCB57AE9DCD9EC4E912
2892 | Items.exe | C:\Users\admin\AppData\Local\Temp\48656952\pot.bmp | text | 9D94A2F89BCB1BDD5CFCC4C9E6F489D2 | 13370220AC6DECE6537A20610BC8A4F0ECD520CB5F0424DB5E8C5EC98A630D30
2892 | Items.exe | C:\Users\admin\AppData\Local\Temp\48656952\hju.jpg | text | A77B7D17065D39CC4365912DA79DD15A | 3D06A222B387371A422B0C2E78008831F880B12646B772AC6B98B65E3617A20A
2892 | Items.exe | C:\Users\admin\AppData\Local\Temp\48656952\qgn.log | text | D993632075ED1527A0F2AC679E929511 | B0DE780407ACC1378EEEBA2A45F421AF63532CAD2CA73B2611DD7D10C2DFA4A1
2892 | Items.exe | C:\Users\admin\AppData\Local\Temp\48656952\ceh.xml | text | 19921C23E97102412830674BFE96318F | CD666304B5853165843B8B84448668E2B4418BF2CCCE2916E3FA8A70FE095430
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
504 | RegSvcs.exe | 79.134.225.49:2265 | remcos.got-game.org | Andreas Fink trading as Fink Telecom Services | CH | malicious

DNS requests

Domain | IP | Reputation
remcos.got-game.org | 79.134.225.49 | malicious

Threats

PID | Process | Class | Message
504 | RegSvcs.exe | A Network Trojan was detected | ET TROJAN Remcos RAT Checkin 23
504 | RegSvcs.exe | A Network Trojan was detected | REMOTE [PTsecurity] Win32/Remcos RAT Checkin
504 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] Remcos RAT
504 | RegSvcs.exe | A Network Trojan was detected | REMOTE [PTsecurity] Win32/Remcos RAT Checkin
504 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] Remcos RAT
504 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] Backdoor.Win32/Remcos RAT connection
504 | RegSvcs.exe | A Network Trojan was detected | REMOTE [PTsecurity] Win32/Remcos RAT Checkin
504 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] Remcos RAT
504 | RegSvcs.exe | A Network Trojan was detected | ET TROJAN Remcos RAT Checkin 23
504 | RegSvcs.exe | A Network Trojan was detected | REMOTE [PTsecurity] Win32/Remcos RAT Checkin
No debug info