File name:

FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.REV

(The name is a Spanish payment-demand lure, roughly "INVOICE DUE: SETTLE YOUR DEBT OR LEGAL AND JUDICIAL ACTION WILL BE TAKEN". The .REV extension is the one WinRAR uses for recovery volumes; the content is a RAR archive with encrypted block headers, as the indicators below show.)

Full analysis: https://app.any.run/tasks/f88ae7ac-5168-49b4-9671-c2da5034a9ea
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.

Analysis date: July 04, 2024, 23:02:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
remcos
remote
evasion
keylogger
Indicators:
MIME: application/x-rar
File info: RAR archive data, flags: Locked EncryptedBlockHeader
MD5:

41B45434AB4EEBC4CEF17B48D46C8061

SHA1:

CBDA4D24D7EFC1EA1A3D60D85B54E575234E9263

SHA256:

DB3D5FDA61695B664FBC4A8CD0C67BC8BAED20D6306940834BCC4D535DC75378

SSDEEP:

98304:y14nz8LHKi750saug8rvLx19AwpofGkXgp0/Le8E0rCAXX6vdV0Y7uVvcXZ53cYI:nJDx
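The "File info" line above is the file utility's reading of the RAR 4.x main archive header: its flag word has the Locked (0x0004) and encrypted-headers (0x0080) bits set, so file names inside the archive are not visible without the password and static scanners see only an opaque container. The Python script below is an added example, not part of the ANY.RUN report or the sample, that decodes that flag word; because the archive itself is not reproduced here, it parses a minimal signature-plus-main-header constructed inline with the same two flags. Names for 0x0004 and 0x0080 follow the file utility's output, the remaining names are the MHD_* constants from the RAR technote, and the header CRC check (low 16 bits of CRC32 over the bytes after the CRC field) is the one unrar applies.

```python
import struct
import zlib

# RAR 4.x layout: 7-byte signature, then a chain of blocks that each start with
# HEAD_CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2) HEAD_SIZE(2). The first block after the
# signature is the main archive header (type 0x73). RAR5 uses a different
# signature and is deliberately rejected here; TRiD identified this file as v4.x.
RAR4_SIGNATURE = b"Rar!\x1a\x07\x00"
MAIN_HEAD_TYPE = 0x73
MAIN_HEAD_SIZE = 13  # 7 common bytes + RESERVED1(2) + RESERVED2(4)

# Main-header flag bits. 0x0004 and 0x0080 are named as the file utility prints
# them; the rest use the MHD_* names from the RAR technote.
MAIN_HEADER_FLAGS = {
    0x0001: "Volume",
    0x0002: "Comment",
    0x0004: "Locked",
    0x0008: "Solid",
    0x0010: "NewNumbering",
    0x0020: "AuthenticityVerification",
    0x0040: "RecoveryRecord",
    0x0080: "EncryptedBlockHeader",
    0x0100: "FirstVolume",
}


def parse_rar4_main_header(data: bytes) -> dict:
    """Decode the main archive header of a RAR 4.x file and name its flag bits."""
    if not data.startswith(RAR4_SIGNATURE):
        raise ValueError("not a RAR 4.x archive (signature mismatch)")
    off = len(RAR4_SIGNATURE)
    head_crc, head_type, head_flags, head_size = struct.unpack_from("<HBHH", data, off)
    if head_type != MAIN_HEAD_TYPE:
        raise ValueError(f"expected main header type 0x73, got 0x{head_type:02x}")
    block = data[off:off + head_size]
    # HEAD_CRC is the low 16 bits of CRC32 over the header bytes after the CRC field.
    crc_ok = (zlib.crc32(block[2:]) & 0xFFFF) == head_crc
    names = [name for bit, name in MAIN_HEADER_FLAGS.items() if head_flags & bit]
    return {
        "flags": head_flags,
        "flag_names": names,
        "headers_encrypted": bool(head_flags & 0x0080),
        "locked": bool(head_flags & 0x0004),
        "crc_ok": crc_ok,
    }


def build_rar4_main_header(flags: int) -> bytes:
    """Construct signature + main header only (test data, not a complete archive)."""
    body = struct.pack("<BHH", MAIN_HEAD_TYPE, flags, MAIN_HEAD_SIZE) + b"\x00" * 6
    crc = zlib.crc32(body) & 0xFFFF
    return RAR4_SIGNATURE + struct.pack("<H", crc) + body


# Constructed sample reproducing the flags this report lists: Locked + EncryptedBlockHeader.
SAMPLE_HEADER = build_rar4_main_header(0x0004 | 0x0080)

if __name__ == "__main__":
    print(parse_rar4_main_header(SAMPLE_HEADER))
```

When headers_encrypted is set, the file list, sizes and CRCs of the members are themselves encrypted, which is why the inner executable in this report only became visible after WinRAR extracted it in the sandbox; a mail gateway or static scanner that cannot open the archive should treat this flag on an inbound attachment as a reason for detonation rather than as a pass.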

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe (PID: 3272)
    • REMCOS has been detected (SURICATA)

      • FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe (PID: 2732)
    • Changes the autorun value in the registry

      • FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe (PID: 3272)
    • REMCOS has been detected (YARA)

      • FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe (PID: 2732)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3400)
      • FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe (PID: 2732)
    • Executable content was dropped or overwritten

      • FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe (PID: 3272)
    • Reads the Internet Settings

      • FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe (PID: 2732)
    • Contacting a server suspected of hosting a CnC

      • FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe (PID: 2732)
    • Connects to unusual port

      • FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe (PID: 2732)
    • Writes files like Keylogger logs

      • FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe (PID: 2732)
    • Checks for external IP

      • FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe (PID: 2732)
    • Application launched itself

      • FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe (PID: 3272)
    • There is functionality for taking screenshot (YARA)

      • FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe (PID: 2732)
  • INFO

    • Reads the computer name

      • FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe (PID: 3272)
      • FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe (PID: 2732)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3400)
    • Checks supported languages

      • FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe (PID: 3272)
      • FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe (PID: 2732)
    • Creates files or folders in the user directory

      • FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe (PID: 3272)
      • FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe (PID: 2732)
    • Reads the machine GUID from the registry

      • FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe (PID: 3272)
      • FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe (PID: 2732)
    • Reads product name

      • FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe (PID: 2732)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3400)
    • Checks proxy server information

      • FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe (PID: 2732)
    • Reads Environment values

      • FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe (PID: 2732)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

Remcos

(PID) Process: (2732) FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe
C2 (1): areaseguras.con-ip.com:2707
Botnet: spacolombia2707
Options
Connect_interval: 1
Install_flag: False
Install_HKCU\Run: True
Install_HKLM\Run: True
Install_HKLM\Explorer\Run: 1
Install_HKLM\Winlogon\Shell: 100000
Setup_path: %LOCALAPPDATA%
Copy_file: remcos.exe
Startup_value: True
Hide_file: False
Mutex_name: Rmc12145501-89YHUH
Keylog_flag: 1
Keylog_path: %APPDATA%
Keylog_file: logs.dat
Keylog_crypt: False
Hide_keylog: False
Screenshot_flag: False
Screenshot_time: 5
Take_Screenshot: False
Screenshot_path: %APPDATA%
Screenshot_file: Screenshots
Screenshot_crypt: False
Mouse_option: False
Delete_file: False
Audio_record_time: 5
Audio_path: %ProgramFiles%
Audio_dir: MicRecords
Connect_delay: 0
Copy_dir: Remcos
Keylog_dir: loggsd

Two points worth checking against the rest of the report. The keylog settings match the observed host activity exactly: Keylog_path, Keylog_dir and Keylog_file combine to %APPDATA%\loggsd\logs.dat, and that is the file PID 2732 writes (see Dropped files). The install settings do not: Install_flag is False and the config's install copy would be %LOCALAPPDATA%\Remcos\remcos.exe, yet the persistence copy actually written is %APPDATA%\Wlinlkqbc.exe, dropped by PID 3272 with the same hash as the extracted executable, and the autorun registry change is attributed to PID 3272 as well. The persistence on this host therefore comes from the outer executable that launched Remcos, not from Remcos's own install routine.
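A configuration dump like the one above is most useful when it is turned into concrete things to look for on a host: the C2 host and port, the mutex, the autorun locations the options enable, and the file paths the %VAR% placeholders resolve to for the affected user. The Python script below is an added example, not ANY.RUN's code or part of the Remcos sample, that does this for the config as listed here and then checks the config-derived paths against the dropped-files table of this report. The dict form of the config, the Windows 7 profile paths for user "admin", and the mapping from Remcos option names to registry keys are this example's own assumptions.

```python
import ntpath

# Remcos configuration for PID 2732 as listed in this report, in dict form
# (this dict is the example's own representation, not ANY.RUN output).
REMCOS_CONFIG = {
    "C2": "areaseguras.con-ip.com:2707",
    "Botnet": "spacolombia2707",
    "Install_flag": "False",
    "Install_HKCU\\Run": "True",
    "Install_HKLM\\Run": "True",
    "Install_HKLM\\Explorer\\Run": "1",
    "Setup_path": "%LOCALAPPDATA%",
    "Copy_dir": "Remcos",
    "Copy_file": "remcos.exe",
    "Mutex_name": "Rmc12145501-89YHUH",
    "Keylog_flag": "1",
    "Keylog_path": "%APPDATA%",
    "Keylog_dir": "loggsd",
    "Keylog_file": "logs.dat",
    "Screenshot_flag": "False",
    "Screenshot_path": "%APPDATA%",
    "Screenshot_file": "Screenshots",
}

# Paths the sandbox saw being written (copied from the "Dropped files" table).
OBSERVED_DROPS = [
    r"C:\Users\admin\AppData\Roaming\loggsd\logs.dat",
    r"C:\Users\admin\AppData\Roaming\Wlinlkqbc.exe",
    r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\json[1].json",
]

# Assumed environment of the sandbox user "admin" (default Windows 7 profile layout).
ENV = {
    "%APPDATA%": r"C:\Users\admin\AppData\Roaming",
    "%LOCALAPPDATA%": r"C:\Users\admin\AppData\Local",
    "%ProgramFiles%": r"C:\Program Files",
}

# Assumed mapping from Remcos option names to the autorun locations they control.
AUTORUN_KEYS = {
    "Install_HKCU\\Run": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    "Install_HKLM\\Run": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    "Install_HKLM\\Explorer\\Run": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
}


def expand(path: str) -> str:
    """Replace %VAR% placeholders using the assumed sandbox environment."""
    for var, value in ENV.items():
        path = path.replace(var, value)
    return path


def enabled(value: str) -> bool:
    """Remcos configs mix 'True'/'False' with '1'/'0' for boolean options."""
    return value.strip().lower() in ("true", "1")


def expected_artifacts(cfg: dict) -> dict:
    """Derive the host and network indicators the config says to look for."""
    host, _, port = cfg["C2"].rpartition(":")
    keylog = None
    if enabled(cfg["Keylog_flag"]):
        keylog = expand(ntpath.join(cfg["Keylog_path"], cfg["Keylog_dir"], cfg["Keylog_file"]))
    screenshots = None
    if enabled(cfg["Screenshot_flag"]):
        screenshots = expand(ntpath.join(cfg["Screenshot_path"], cfg["Screenshot_file"]))
    return {
        "c2_host": host,
        "c2_port": int(port),
        "mutex": cfg["Mutex_name"],
        "install_copy": expand(ntpath.join(cfg["Setup_path"], cfg["Copy_dir"], cfg["Copy_file"])),
        "keylog_file": keylog,
        "screenshot_dir": screenshots,
        "autorun_keys": [reg for opt, reg in AUTORUN_KEYS.items() if enabled(cfg.get(opt, "0"))],
    }


def reconcile(expected: dict, observed: list) -> dict:
    """Check config-derived file paths against what was actually written."""
    seen = {p.lower() for p in observed}
    path_keys = ("install_copy", "keylog_file", "screenshot_dir")
    result = {}
    for key in path_keys:
        path = expected[key]
        if path is None:
            result[key] = "disabled"
        else:
            result[key] = "observed" if path.lower() in seen else "missing"
    predicted = {expected[k].lower() for k in path_keys if expected[k]}
    # Executables on disk that the Remcos config does not account for point at a
    # separate component (here, the launching executable's own persistence copy).
    result["unexplained_executables"] = [
        p for p in observed if p.lower().endswith(".exe") and p.lower() not in predicted
    ]
    return result


if __name__ == "__main__":
    exp = expected_artifacts(REMCOS_CONFIG)
    for key, value in exp.items():
        print(f"{key}: {value}")
    print(reconcile(exp, OBSERVED_DROPS))
```

Run against this report's data, reconcile() reports the keylog file as observed, the config's install copy as missing, screenshots as disabled, and %APPDATA%\Wlinlkqbc.exe as an executable the Remcos config does not explain; that last item is the one to pivot on when writing host-based detections for this particular build.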

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)
All screenshots are available in the full report
Total processes
41
Monitored processes
3
Malicious processes
3
Suspicious processes
0

Behavior graph

start -> WinRAR.exe (PID 3400) -> FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe (PID 3272) -> FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe (PID 2732, #REMCOS)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2732
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb3400.49204\FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb3400.49204\FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe
Parent process: FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe (PID 3272)
User:
admin
Integrity Level:
MEDIUM
Description:
2707spapoolfd0407
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exb3400.49204\factura por pagar cancele su deuda de lo contrario abran acciones legales y judiciales.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Remcos: configuration as listed in the Remcos section above.
PID: 3272
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb3400.49204\FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb3400.49204\FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe
Parent process: WinRAR.exe (PID 3400)
User:
admin
Integrity Level:
MEDIUM
Description:
2707spapoolfd0407
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exb3400.49204\factura por pagar cancele su deuda de lo contrario abran acciones legales y judiciales.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

Note that this process (3272) loads mscoree.dll and mscoreei.dll, the .NET runtime, while the child process 2732 started from the same file loads only native system DLLs. Together with the "Application launched itself" indicator this is consistent with a .NET loader starting a second copy of itself to host the native Remcos payload, which is why the Remcos detections (Suricata, YARA, extracted configuration) and the keylog/C2 activity are attributed to 2732, whereas the file drop and the autorun change are attributed to 3272.
PID: 3400
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.REV.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events
4 454
Read events
4 402
Write events
46
Delete events
6

Modification events

(PID) Process: (3400) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3400) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3400) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3400) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

(PID) Process: (3400) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3400) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3400) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3400) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.REV.rar

(PID) Process: (3400) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3400) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Every entry reproduced here is WinRAR's own UI state: theme and MUI caches, the ShowPassword checkbox state of its password dialog (consistent with the encrypted-header archive prompting for a password), the recent-archive list and column widths. ArcHistory entries 1 to 3 are archives already in the sandbox image's history; only entry 0 is this sample. The autorun change flagged for PID 3272 in the indicators is not among the entries reproduced here.
Executable files
3
Suspicious files
2
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 3400
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb3400.49204\FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe
Type: executable
MD5: 8D2AC6A59A4B6B9D755F3966CEE3C1C9
SHA256: 4B1D3D8FBBE1E18EE7BC7EB899D446141FC4B5C9A14B534B76B916E934A329B5

PID: 3400
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.REV\FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe
Type: executable
MD5: 8D2AC6A59A4B6B9D755F3966CEE3C1C9
SHA256: 4B1D3D8FBBE1E18EE7BC7EB899D446141FC4B5C9A14B534B76B916E934A329B5

PID: 2732
Process: FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\json[1].json
Type: binary
MD5: D4AE5A1229EB67B98B2946CD5B06F7F7
SHA256: 409C26FE5879053C1C65B277953D9C29B0FFEB3BD797DEEB5ED884EE3262CAB8

PID: 2732
Process: FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe
Filename: C:\Users\admin\AppData\Roaming\loggsd\logs.dat
Type: binary
MD5: F757D102DF55F20C3B1BA817B0E6CB4E
SHA256: 546296D8F98DAC6CC5CB72956A0DB8B5235C64371A82DB8ECFC2CE8D8AEB3EFC

PID: 3272
Process: FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe
Filename: C:\Users\admin\AppData\Roaming\Wlinlkqbc.exe
Type: executable
MD5: 8D2AC6A59A4B6B9D755F3966CEE3C1C9
SHA256: 4B1D3D8FBBE1E18EE7BC7EB899D446141FC4B5C9A14B534B76B916E934A329B5

The three executables share one hash: the payload WinRAR extracted to its temporary Rar$EXb folder, the copy WinRAR wrote to the archive-named folder, and the persistence copy that PID 3272 placed at %APPDATA%\Wlinlkqbc.exe. logs.dat under %APPDATA%\loggsd is the keylogger output at exactly the location the Remcos configuration specifies, and json[1].json in the Content.IE5 cache is the WinINet-cached response to the http://geoplugin.net/json.gp request that PID 2732 makes (see HTTP requests).
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
13
DNS requests
6
Threats
4

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
(not shown) | (not shown) | GET | 304 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | unknown
2732 | FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe | GET | 200 | 178.237.33.50:80 | http://geoplugin.net/json.gp | unknown | unknown
1372 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
1060 | svchost.exe | GET | 304 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8f69642324cc87bd | unknown | unknown
1372 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown

Only the geoplugin.net request belongs to the sample (PID 2732): Remcos fetches the victim's external IP and geolocation from this public service at start-up. The certificate trust list (ctldl.windowsupdate.com) and CRL (crl.microsoft.com, www.microsoft.com) fetches are Windows' own background traffic from svchost.exe.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1372 | svchost.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
1060 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2732 | FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe | 86.104.72.183:2707 | areaseguras.con-ip.com | Mouk, LLC | CA | unknown
1372 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1372 | svchost.exe | 199.232.214.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown
2732 | FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe | 178.237.33.50:80 | geoplugin.net | Schuberg Philis B.V. | NL | unknown
1372 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
1372 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | unknown

Two rows are the sample's (PID 2732): the C2 session to 86.104.72.183 on the non-standard port 2707, reached through the dynamic-DNS name areaseguras.con-ip.com that the configuration specifies, and the geoplugin.net external-IP lookup. The System and svchost.exe rows are NetBIOS (137/138) and LLMNR (5355) broadcasts and Windows telemetry, CTL and CRL traffic.

DNS requests

Domain
IP
Reputation
areaseguras.con-ip.com
  • 86.104.72.183
malicious
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
ctldl.windowsupdate.com
  • 199.232.214.172
  • 199.232.210.172
whitelisted
geoplugin.net
  • 178.237.33.50
malicious
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted

Threats

PID | Process | Class | Message
1060 | svchost.exe | Potentially Bad Traffic | ET INFO DNS Redirection Service Domain in DNS Lookup (con-ip .com)
2732 | FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe | A Network Trojan was detected | REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
2732 | FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe | Malware Command and Control Activity Detected | ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Note that the DNS alert is attributed to svchost.exe (PID 1060), because the DNS client service performs the lookup on behalf of the sample; a detection that only pivots on the resolving process would point at svchost. The two JA3 alerts fire on the TLS handshake the sample itself makes to the C2 on port 2707, so correlating the DNS answer for areaseguras.con-ip.com with the subsequent TCP connection from PID 2732 is what ties the lookup to the malware.

1 ETPRO signature is available in the full report
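The network evidence above has the shape a detection engineer wants to encode: a non-system process opening a TCP session to a non-standard port (2707) on a dynamic-DNS name (con-ip.com), plus an external-IP lookup to geoplugin.net, with Windows' own NetBIOS, LLMNR, telemetry and CRL traffic as the noise floor. The Python script below is an added example, not ANY.RUN's detection logic or anything from the Remcos sample, that runs three such rules over connection records constructed from this report's Connections table and then ranks processes by how many independent rules they trip. The dynamic-DNS and GeoIP service lists and the browser process names are illustrative assumptions to be replaced with your own intelligence.

```python
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "pid process ip port domain")

SAMPLE_EXE = "FACTURA POR PAGAR CANCELE SU DEUDA DE LO CONTRARIO ABRAN ACCIONES LEGALES Y JUDICIALES.exe"

# Constructed from this report's Connections table: one record per row that has
# a destination, with the resolved name where the report lists one.
CONNECTIONS = [
    Conn(4, "System", "192.168.100.255", 137, None),
    Conn(1372, "svchost.exe", "40.127.240.158", 443, None),
    Conn(1060, "svchost.exe", "224.0.0.252", 5355, None),
    Conn(2732, SAMPLE_EXE, "86.104.72.183", 2707, "areaseguras.con-ip.com"),
    Conn(1372, "svchost.exe", "51.124.78.146", 443, "settings-win.data.microsoft.com"),
    Conn(1372, "svchost.exe", "199.232.214.172", 80, "ctldl.windowsupdate.com"),
    Conn(2732, SAMPLE_EXE, "178.237.33.50", 80, "geoplugin.net"),
    Conn(1372, "svchost.exe", "23.48.23.143", 80, "crl.microsoft.com"),
]

# Partial, illustrative lists (assumptions): extend them from your own threat intel.
DDNS_PROVIDERS = ("con-ip.com", "duckdns.org", "no-ip.org", "ddns.net")
GEOIP_SERVICES = ("geoplugin.net", "ip-api.com", "api.ipify.org")
EXPECTED_PORTS = {80, 443}
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}


def is_local_noise(conn: Conn) -> bool:
    """NetBIOS/LLMNR broadcasts and other LAN-local traffic are not beacons."""
    ip = ipaddress.ip_address(conn.ip)
    return ip.is_private or ip.is_multicast or ip.is_link_local or ip.is_loopback


def matches_suffix(domain: str, suffixes) -> bool:
    """True when domain equals or is a subdomain of any listed suffix."""
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def classify(conns) -> list:
    """Return (rule, pid, detail) tuples for connections worth an analyst's time."""
    alerts = []
    for c in conns:
        if is_local_noise(c):
            continue
        domain = (c.domain or "").lower()
        # Rule 1: dynamic-DNS providers let an operator re-point a C2 at will.
        if matches_suffix(domain, DDNS_PROVIDERS):
            alerts.append(("ddns-provider-domain", c.pid, domain))
        # Rule 2: RAT builds commonly listen on an arbitrary high port.
        if c.port not in EXPECTED_PORTS:
            alerts.append(("unusual-port", c.pid, f"{c.ip}:{c.port}"))
        # Rule 3: external-IP lookups are normal from a browser, not from other processes.
        if matches_suffix(domain, GEOIP_SERVICES) and c.process.lower() not in BROWSERS:
            alerts.append(("external-ip-check", c.pid, domain))
    return alerts


def suspicious_pids(conns, min_rules: int = 2) -> set:
    """A process that trips several independent rules is the one to pivot on."""
    rules_by_pid = {}
    for rule, pid, _ in classify(conns):
        rules_by_pid.setdefault(pid, set()).add(rule)
    return {pid for pid, rules in rules_by_pid.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    for alert in classify(CONNECTIONS):
        print(alert)
    print("pivot on:", suspicious_pids(CONNECTIONS))
```

On this report's data every alert lands on PID 2732 and none on svchost.exe or System, which is the point of keying the rules on the process that owns the TCP socket rather than on the DNS client that resolved the name. Any single rule is noisy on a real network (a line-of-business app on port 8443, an IT tool checking the external IP), so the combination threshold in suspicious_pids is what keeps the result actionable.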