File name:

f0ba7e8c601f4c9c9f1262b2f7815481ea39e2ced4bd0d3f74ed0bfd59930434

Full analysis: https://app.any.run/tasks/40f72584-c908-41fa-ba6c-684592aea3b1
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: March 24, 2025, 20:26:42
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
rat
remcos
remote
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

2283A1E3F81A618E692F8FEE4C39446D

SHA1:

094C6DD8757C052D7A9D639ACA5D3D485759573C

SHA256:

F0BA7E8C601F4C9C9F1262B2F7815481EA39E2CED4BD0D3F74ED0BFD59930434

SSDEEP:

12288:0vrhf5oGfWrdQk4Jn6DmPaDNKPww7czUcETWZRHpWVVVVVVVVVVVVVVVVVUsd:yoGfaUtPaD9w06WZJpZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • REMCOS has been detected (YARA)

      • f0ba7e8c601f4c9c9f1262b2f7815481ea39e2ced4bd0d3f74ed0bfd59930434.exe (PID: 7564)

    • REMCOS mutex has been found

      • f0ba7e8c601f4c9c9f1262b2f7815481ea39e2ced4bd0d3f74ed0bfd59930434.exe (PID: 7564)

    • REMCOS has been detected

      • f0ba7e8c601f4c9c9f1262b2f7815481ea39e2ced4bd0d3f74ed0bfd59930434.exe (PID: 7564)

    • REMCOS has been detected (SURICATA)

      • f0ba7e8c601f4c9c9f1262b2f7815481ea39e2ced4bd0d3f74ed0bfd59930434.exe (PID: 7564)

  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • f0ba7e8c601f4c9c9f1262b2f7815481ea39e2ced4bd0d3f74ed0bfd59930434.exe (PID: 7564)

    • Connects to unusual port

      • f0ba7e8c601f4c9c9f1262b2f7815481ea39e2ced4bd0d3f74ed0bfd59930434.exe (PID: 7564)

    • Contacting a server suspected of hosting an CnC

      • f0ba7e8c601f4c9c9f1262b2f7815481ea39e2ced4bd0d3f74ed0bfd59930434.exe (PID: 7564)

  • INFO

    • Reads the machine GUID from the registry

      • f0ba7e8c601f4c9c9f1262b2f7815481ea39e2ced4bd0d3f74ed0bfd59930434.exe (PID: 7564)

    • Checks supported languages

      • f0ba7e8c601f4c9c9f1262b2f7815481ea39e2ced4bd0d3f74ed0bfd59930434.exe (PID: 7564)

    • Reads the computer name

      • f0ba7e8c601f4c9c9f1262b2f7815481ea39e2ced4bd0d3f74ed0bfd59930434.exe (PID: 7564)

    • Checks proxy server information

      • slui.exe (PID: 7216)

    • Reads the software policy settings

      • slui.exe (PID: 7216)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:01:06 22:46:57+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 352768
InitializedDataSize: 139776
UninitializedDataSize: -
EntryPoint: 0x33d45
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
126
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #REMCOS f0ba7e8c601f4c9c9f1262b2f7815481ea39e2ced4bd0d3f74ed0bfd59930434.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
7216C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7564"C:\Users\admin\Desktop\f0ba7e8c601f4c9c9f1262b2f7815481ea39e2ced4bd0d3f74ed0bfd59930434.exe" C:\Users\admin\Desktop\f0ba7e8c601f4c9c9f1262b2f7815481ea39e2ced4bd0d3f74ed0bfd59930434.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\f0ba7e8c601f4c9c9f1262b2f7815481ea39e2ced4bd0d3f74ed0bfd59930434.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
5 099
Read events
5 095
Write events
4
Delete events
0

Modification events

(PID) Process:(7564) f0ba7e8c601f4c9c9f1262b2f7815481ea39e2ced4bd0d3f74ed0bfd59930434.exeKey:HKEY_CURRENT_USER\SOFTWARE\Rmc-0R71A2
Operation:writeName:exepath
Value:
6A2669ACC4480FDBA6130B3C16564035CC61D4DF75A98AC8714C0F74B32F72B98DEE3CB377584B768B4D6E8CB0651EDF98CB5DA268366D30FD3EA1D57945DEF24E6D7348D02A97436051B5F1A3EAB0ED854B06CE51EE3D496B29BDBE9DF45745BD8D23B5DE30996F19003462699E4A4A78962CF61DB7C05F3606E393448BC9A5E01DE8B4138154145B030B92CE2C2E417B4CC40AA24A38286ED7DD95C7A350B664CB33518D77A363A68135C198C2C7F4FD7C7EB7DF53B4BE
(PID) Process:(7564) f0ba7e8c601f4c9c9f1262b2f7815481ea39e2ced4bd0d3f74ed0bfd59930434.exeKey:HKEY_CURRENT_USER\SOFTWARE\Rmc-0R71A2
Operation:writeName:licence
Value:
46A0268CD538CB41F3A05DFE17B3CDA9
(PID) Process:(7564) f0ba7e8c601f4c9c9f1262b2f7815481ea39e2ced4bd0d3f74ed0bfd59930434.exeKey:HKEY_CURRENT_USER\SOFTWARE\Rmc-0R71A2
Operation:writeName:time
Value:
(PID) Process:(7564) f0ba7e8c601f4c9c9f1262b2f7815481ea39e2ced4bd0d3f74ed0bfd59930434.exeKey:HKEY_CURRENT_USER\SOFTWARE\Rmc-0R71A2
Operation:writeName:UID
Value:
Executable files
0
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
7564f0ba7e8c601f4c9c9f1262b2f7815481ea39e2ced4bd0d3f74ed0bfd59930434.exeC:\Users\admin\AppData\Local\Temp\mause\logs.datbinary
MD5:D5E260592140C9829D4DBD0CA16394B3
SHA256:4C2D5EAA7254048E9CD4425C380631B0FE4AB727A91A75A91F9919E36FE5B9C6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
33
TCP/UDP connections
179
DNS requests
15
Threats
232

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
304
4.175.87.197:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
7796
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7796
SIHClient.exe
GET
200
23.48.23.166:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7796
SIHClient.exe
GET
200
23.48.23.166:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
7796
SIHClient.exe
GET
200
23.48.23.166:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
7796
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7796
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7796
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
GET
200
13.85.23.206:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
GET
200
4.175.87.197:443
https://slscr.update.microsoft.com/sls/ping
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
20.190.160.130:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.105.99.58:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7564
f0ba7e8c601f4c9c9f1262b2f7815481ea39e2ced4bd0d3f74ed0bfd59930434.exe
216.9.225.133:57090
ATT-INTERNET4
US
malicious
3216
svchost.exe
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
3216
svchost.exe
40.115.3.253:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
7796
SIHClient.exe
4.175.87.197:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
login.live.com
  • 20.190.160.130
  • 20.190.160.131
  • 20.190.160.132
  • 40.126.32.76
  • 40.126.32.138
  • 20.190.160.17
  • 20.190.160.65
  • 20.190.160.14
whitelisted
client.wns.windows.com
  • 40.113.103.199
  • 40.115.3.253
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
arc.msn.com
  • 20.105.99.58
  • 20.223.35.26
whitelisted
google.com
  • 142.250.185.110
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
crl.microsoft.com
  • 23.48.23.166
  • 23.48.23.190
  • 23.48.23.143
  • 23.48.23.173
  • 23.48.23.176
  • 23.48.23.194
  • 23.48.23.180
  • 23.48.23.141
  • 23.48.23.158
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
7564
f0ba7e8c601f4c9c9f1262b2f7815481ea39e2ced4bd0d3f74ed0bfd59930434.exe
A Network Trojan was detected
REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
7564
f0ba7e8c601f4c9c9f1262b2f7815481ea39e2ced4bd0d3f74ed0bfd59930434.exe
Malware Command and Control Activity Detected
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
7564
f0ba7e8c601f4c9c9f1262b2f7815481ea39e2ced4bd0d3f74ed0bfd59930434.exe
A Network Trojan was detected
REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
7564
f0ba7e8c601f4c9c9f1262b2f7815481ea39e2ced4bd0d3f74ed0bfd59930434.exe
Malware Command and Control Activity Detected
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
7564
f0ba7e8c601f4c9c9f1262b2f7815481ea39e2ced4bd0d3f74ed0bfd59930434.exe
A Network Trojan was detected
REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
7564
f0ba7e8c601f4c9c9f1262b2f7815481ea39e2ced4bd0d3f74ed0bfd59930434.exe
Malware Command and Control Activity Detected
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
7564
f0ba7e8c601f4c9c9f1262b2f7815481ea39e2ced4bd0d3f74ed0bfd59930434.exe
A Network Trojan was detected
REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
7564
f0ba7e8c601f4c9c9f1262b2f7815481ea39e2ced4bd0d3f74ed0bfd59930434.exe
Malware Command and Control Activity Detected
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
7564
f0ba7e8c601f4c9c9f1262b2f7815481ea39e2ced4bd0d3f74ed0bfd59930434.exe
A Network Trojan was detected
REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
7564
f0ba7e8c601f4c9c9f1262b2f7815481ea39e2ced4bd0d3f74ed0bfd59930434.exe
Malware Command and Control Activity Detected
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
f0ba7e8c601f4c9c9f1262b2f7815481ea39e2ced4bd0d3f74ed0bfd59930434