File name: PARSSC 99392843284 CHHDSNNDJKKS 77388388333232C.exe

Full analysis: https://app.any.run/tasks/6a11dca6-72e0-4de8-b21c-e16b3fe258cd
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.

Analysis date: April 04, 2024, 21:28:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, remcos, keylogger
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 64928E31F091F8C2F66351A861F854FC
SHA1: D0747ED639215639DC10D9A930206340078A03FE
SHA256: DC368229D98416EE3BF458DF242E4B616C6D2232C200F4779B4E67DC360B7823
SSDEEP: 98304:L4ABahfOJ7362u1XOG5QQuBKzn602NGokrOiLMKD+:uOGxx+p

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • PARSSC 99392843284 CHHDSNNDJKKS 77388388333232C.exe (PID: 4008)
    • Changes the autorun value in the registry

      • PARSSC 99392843284 CHHDSNNDJKKS 77388388333232C.exe (PID: 4008)
    • REMCOS has been detected

      • PARSSC 99392843284 CHHDSNNDJKKS 77388388333232C.exe (PID: 1692)
    • REMCOS has been detected (YARA)

      • PARSSC 99392843284 CHHDSNNDJKKS 77388388333232C.exe (PID: 1692)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • PARSSC 99392843284 CHHDSNNDJKKS 77388388333232C.exe (PID: 4008)
    • Application launched itself

      • PARSSC 99392843284 CHHDSNNDJKKS 77388388333232C.exe (PID: 4008)
    • Connects to unusual port

      • PARSSC 99392843284 CHHDSNNDJKKS 77388388333232C.exe (PID: 1692)
    • Writes files like Keylogger logs

      • PARSSC 99392843284 CHHDSNNDJKKS 77388388333232C.exe (PID: 1692)
  • INFO

    • Checks supported languages

      • PARSSC 99392843284 CHHDSNNDJKKS 77388388333232C.exe (PID: 4008)
      • PARSSC 99392843284 CHHDSNNDJKKS 77388388333232C.exe (PID: 1692)
    • Reads product name

      • PARSSC 99392843284 CHHDSNNDJKKS 77388388333232C.exe (PID: 1692)
    • Reads Environment values

      • PARSSC 99392843284 CHHDSNNDJKKS 77388388333232C.exe (PID: 1692)
    • Reads the computer name

      • PARSSC 99392843284 CHHDSNNDJKKS 77388388333232C.exe (PID: 1692)
    • Creates files in the program directory

      • PARSSC 99392843284 CHHDSNNDJKKS 77388388333232C.exe (PID: 1692)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Remcos

(PID) Process: (1692) PARSSC 99392843284 CHHDSNNDJKKS 77388388333232C.exe
C2 (1): sdfvskdjcnsdkcmowdijfei.con-ip.com:1998
Botnet: ZAANTOS
Options:
Connect_interval: 1
Install_flag: False
Install_HKCU\Run: True
Install_HKLM\Run: True
Install_HKLM\Explorer\Run: 1
Install_HKLM\Winlogon\Shell: 100000
Setup_path: %LOCALAPPDATA%
Copy_file: remcos.exe
Startup_value: False
Hide_file: False
Mutex_name: Rmc-7UDH7L
Keylog_flag: 1
Keylog_path: %LOCALAPPDATA%
Keylog_file: logs.dat
Keylog_crypt: False
Hide_keylog: False
Screenshot_flag: False
Screenshot_time: 5
Take_Screenshot: False
Screenshot_path: %APPDATA%
Screenshot_file: Screenshots
Screenshot_crypt: False
Mouse_option: False
Delete_file: False
Audio_record_time: 5
Audio_path: %ProgramFiles%
Audio_dir: MicRecords
Connect_delay: 0
Copy_dir: Remcos
Keylog_dir: remcos
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:01:10 01:24:31+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 979968
InitializedDataSize: 1566208
UninitializedDataSize: -
EntryPoint: 0xe62ba
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 3.1.0.26650
ProductVersionNumber: 3.1.0.26650
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: BitTorrent, Inc.
FileDescription: µTorrent
FileVersion: 3.1.0.26650
InternalName: uTorrent.exe
OriginalFileName: uTorrent.exe
LegalCopyright: ©2011 BitTorrent, Inc. All Rights Reserved.
ProductName: µTorrent
ProductVersion: 3.1.0.26650
No data.
All screenshots are available in the full report
Total processes: 37
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start → parssc 99392843284 chhdsnndjkks 77388388333232c.exe → #REMCOS parssc 99392843284 chhdsnndjkks 77388388333232c.exe

Process information

PID: 1692
CMD: "C:\Users\admin\AppData\Local\Temp\PARSSC 99392843284 CHHDSNNDJKKS 77388388333232C.exe"
Path: C:\Users\admin\AppData\Local\Temp\PARSSC 99392843284 CHHDSNNDJKKS 77388388333232C.exe
Parent process: PARSSC 99392843284 CHHDSNNDJKKS 77388388333232C.exe
User: admin
Company: BitTorrent, Inc.
Integrity Level: MEDIUM
Description: µTorrent
Version: 3.1.0.26650
Modules (images):
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
PID: 4008
CMD: "C:\Users\admin\AppData\Local\Temp\PARSSC 99392843284 CHHDSNNDJKKS 77388388333232C.exe"
Path: C:\Users\admin\AppData\Local\Temp\PARSSC 99392843284 CHHDSNNDJKKS 77388388333232C.exe
Parent process: explorer.exe
User: admin
Company: BitTorrent, Inc.
Integrity Level: MEDIUM
Description: µTorrent
Exit code: 0
Version: 3.1.0.26650
Modules (images):
  • c:\users\admin\appdata\local\temp\parssc 99392843284 chhdsnndjkks 77388388333232c.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
  • c:\windows\system32\gdi32.dll
Total events: 260
Read events: 256
Write events: 4
Delete events: 0

Modification events

(PID) Process: (4008) PARSSC 99392843284 CHHDSNNDJKKS 77388388333232C.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: SpyPro
Value: C:\Users\admin\Documents\ChromeUpdate\schost.exe
(PID) Process: (1692) PARSSC 99392843284 CHHDSNNDJKKS 77388388333232C.exe
Key: HKEY_CURRENT_USER\Software\Rmc-7UDH7L
Operation: write
Name: exepath
Value:
0C158F2A6A7491B5D36B4C9A66FB3F15A5D92676589912735D00321A342080419C95F8FF2E645531510A02AF1CA993B6AF73A80ADD2F57E55B07899E0E4CE752D31DC3E1A33327923B819DE87F3D1DB33F0D3732F6536324EB33A583EF9FACD88AD5CD70B624BBF252F77ACD833452876D6D6CD8DDDD51DE103CFD15F8D1421238E449CF7A3FBCC48B363EA8C117A82724DAD6C7B64CF671EB257B2AF44E1295A2146A0B92DE4F991EDF2632
(PID) Process: (1692) PARSSC 99392843284 CHHDSNNDJKKS 77388388333232C.exe
Key: HKEY_CURRENT_USER\Software\Rmc-7UDH7L
Operation: write
Name: licence
Value: 0D8C3C4C423A1D4F37D3E60828A45BCF
(PID) Process: (1692) PARSSC 99392843284 CHHDSNNDJKKS 77388388333232C.exe
Key: HKEY_CURRENT_USER\Software\Rmc-7UDH7L
Operation: write
Name: time
Value:
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 1

Dropped files

PID | Process | Filename | Type
1692 | PARSSC 99392843284 CHHDSNNDJKKS 77388388333232C.exe | C:\ProgramData\remcos\logs.dat | binary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 6
DNS requests: 2
Threats: 1

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
1692 | PARSSC 99392843284 CHHDSNNDJKKS 77388388333232C.exe | 191.88.250.15:1998 | sdfvskdjcnsdkcmowdijfei.con-ip.com | Colombia Movil | CO | unknown

DNS requests

Domain | IP | Reputation
sdfvskdjcnsdkcmowdijfei.con-ip.com | 191.88.250.15 | malicious
dns.msftncsi.com | 131.107.255.255 | shared

Threats

PID | Process | Class | Message
1080 | svchost.exe | Potentially Bad Traffic | ET INFO DNS Redirection Service Domain in DNS Lookup (con-ip .com)
No debug info