Windows
Analysis Report
https://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exe
Overview
General Information
Detection
Score: | 72 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
cmd.exe (PID: 8292 cmdline:
C:\Windows \system32\ cmd.exe /c wget -t 2 -v -T 60 -P "C:\Use rs\user\De sktop\down load" --no -check-cer tificate - -content-d isposition --user-ag ent="Mozil la/5.0 (Wi ndows NT 6 .1; WOW64; Trident/7 .0; AS; rv :11.0) lik e Gecko" " https://gi thub.com/O x47100/Rem cos-RAT-v3 .8.0/raw/r efs/heads/ main/Remco s-RAT-3.8. 0.exe" > c mdline.out 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) conhost.exe (PID: 8300 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) wget.exe (PID: 8340 cmdline:
wget -t 2 -v -T 60 - P "C:\User s\user\Des ktop\downl oad" --no- check-cert ificate -- content-di sposition --user-age nt="Mozill a/5.0 (Win dows NT 6. 1; WOW64; Trident/7. 0; AS; rv: 11.0) like Gecko" "h ttps://git hub.com/Ox 47100/Remc os-RAT-v3. 8.0/raw/re fs/heads/m ain/Remcos -RAT-3.8.0 .exe" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
Remcos-RAT-3.8.0.exe (PID: 8472 cmdline:
"C:\Users\ user\Deskt op\downloa d\Remcos-R AT-3.8.0.e xe" MD5: 6166F997B4BB3428AE0D9D4B4E1F0DB2) WerFault.exe (PID: 8632 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 8 472 -s 218 4 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
System Summary |
---|
Source: | Author: Jonathan Cheong, oscd.community: |
Source: | Author: Jonathan Cheong, oscd.community: |
Source: | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-20T17:02:28.362047+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49725 | 80.87.203.251 | 443 | TCP |
- • AV Detection
- • Compliance
- • Networking
- • System Summary
- • Data Obfuscation
- • Persistence and Installation Behavior
- • Hooking and other Techniques for Hiding and Protection
- • Malware Analysis System Evasion
- • Anti Debugging
- • HIPS / PFW / Operating System Protection Evasion
- • Language, Device and Operating System Detection
- • Lowering of HIPS / PFW / Operating System Security Settings
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | ReversingLabs: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | Suricata IDS: |
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Code function: | 3_2_00F60848 |
Source: | Process created: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Window detected: |
Source: | File opened: | Jump to behavior |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Static PE information: |
Source: | File created: | Jump to dropped file |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior |
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | Last function: |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Process information queried: | Jump to behavior |
Source: | Process queried: | Jump to behavior | ||
Source: | Process queried: | Jump to behavior |
Source: | Process token adjusted: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | File source: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira | HEUR/AGEN.1313721 | ||
79% | ReversingLabs | ByteCode-MSIL.Trojan.RealProtectPENGSD |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
qaz.su | 80.87.203.251 | true | false | unknown | |
github.com | 140.82.114.4 | true | false | high | |
raw.githubusercontent.com | 185.199.110.133 | true | false | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false | high | ||
false | high | ||
false |
| unknown | |
false |
| unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high | |||
false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
140.82.114.4 | github.com | United States | 36459 | GITHUBUS | false | |
80.87.203.251 | qaz.su | Russian Federation | 29182 | THEFIRST-ASRU | false | |
185.199.110.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1644538 |
Start date and time: | 2025-03-20 17:01:28 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 7s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | urldownload.jbs |
Sample URL: | https://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exe |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 14 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal72.evad.win@6/7@3/3 |
EGA Information: | Failed |
HCA Information: |
|
- Exclude process from analysis
(whitelisted): MpCmdRun.exe, B ackgroundTransferHost.exe, Wer Fault.exe, WMIADAP.exe, SIHCli ent.exe, backgroundTaskHost.ex e, conhost.exe, svchost.exe - Excluded IPs from analysis (wh
itelisted): 40.71.93.126, 184. 31.69.3, 40.126.24.84, 20.12.2 3.50, 23.96.180.189, 150.171.2 7.10, 23.44.201.36 - Excluded domains from analysis
(whitelisted): www.bing.com, onedsblobvmssprdeus02.eastus.c loudapp.azure.com, fs.microsof t.com, login.live.com, slscr.u pdate.microsoft.com, blobcolle ctor.events.data.trafficmanage r.net, ctldl.windowsupdate.com , g.bing.com, umwatson.events. data.microsoft.com, arc.msn.co m, fe3cr.delivery.mp.microsoft .com - Execution Graph export aborted
for target Remcos-RAT-3.8.0.e xe, PID 8472 because it is emp ty - Not all processes where analyz
ed, report is missing behavior information - Report size getting too big, t
oo many NtOpenKeyEx calls foun d. - Report size getting too big, t
oo many NtQueryValueKey calls found. - Report size getting too big, t
oo many NtReadVirtualMemory ca lls found. - Report size getting too big, t
oo many NtSetInformationFile c alls found. - VT rate limit hit for: https:
//github.com/Ox47100/Remcos-RA T-v3.8.0/raw/refs/heads/main/R emcos-RAT-3.8.0.exe
Time | Type | Description |
---|---|---|
12:02:25 | API Interceptor | |
12:02:29 | API Interceptor |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 1.166358160959894 |
Encrypted: | false |
SSDEEP: | 192:e3g73Xf0BU/KaGc+LyIZzuiFWZ24IO8U:t738BU/KaPcDZzuiFWY4IO8U |
MD5: | AA4085EDAD3376FBD07FD37693179D06 |
SHA1: | 12F85DDA1C118303DE355C8315E0179437C267B5 |
SHA-256: | 5B0AFF85F85097BEC523F990F152A8CC87921BDD7EACE958417303336BA439AF |
SHA-512: | 8551C679644461CC626436036E6F09FFB23F57F79F0A6252D696104633CDEAB8945B8F7B565D07E242FD711DDD8FFEF77D3B15F5B377E72F52C46E4CF360A6F9 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 298658 |
Entropy (8bit): | 3.558159919841817 |
Encrypted: | false |
SSDEEP: | 3072:id6uX7LTgJjnyesRZzHtC5Pym2p4uEqSB:iguX/TgdnyesTNC5kp4b |
MD5: | A554BBD33E151D20B0D07F2C7E20BC83 |
SHA1: | 700D51F3D34844683E0366D0E497E3E72D07177E |
SHA-256: | F523A12F071B21A007B250592873361EFA3DA30AE0F758A24434548DD5F5A04A |
SHA-512: | B04A9A4717FD334799E28F971D395960A80662DE41CBF956D23958BFEA280EB3ED34F093EFB9AB2F522B88C3EDEC075D065869E8B4F86E79CD39A0B4D07D0EDA |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8430 |
Entropy (8bit): | 3.695416714182132 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJh8686YV4ySU9p350WjgmfZnJprV89bm2dZsfrim:R6lXJ6686YqySU9pWWjgmfJWm2dyfP |
MD5: | 7CDC999EA885600E2D21A2B4D4D0AB04 |
SHA1: | 07644A9E82A461D2C2FD924075688C464A7B3886 |
SHA-256: | 95C047FEFD0305B8683D939BB77D1C929FEDCF58F34B88A6D45C2006E350B008 |
SHA-512: | 4B5C428751F47037A0697405B3D5DB354754CDEDF9131EFB0EACF7128E29D9E1D66735AD7B234B2A9F6C7F70FF09A6EDCFB338C456606221904EEC575C84BFAA |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4777 |
Entropy (8bit): | 4.4848571345548205 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zs0Jg77aI916WOa8tLYm8M4JkW3FOj+q8v1WLQBCBYd:uIjfyI7H7Ol0JyjKmgCBYd |
MD5: | 974F2DABBAFE42D974AB4BB5F0EEF3ED |
SHA1: | A0419E1E8BE9213250978B427EE68E778FBFABE7 |
SHA-256: | 0A42166BC162BB2DE7FC527A204C964E799957B316B04628B8BA7E042ABAC1FD |
SHA-512: | E7EC9F8846FE8D2B29A6DE70AC4576276FCDFFE9F2DBB817557CB39BD0B2BBE3C7F1DF96E3382C8EEE42792956D15B455EF8455520D6ADC283660318BA622D57 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | modified |
Size (bytes): | 1113 |
Entropy (8bit): | 5.215768150205967 |
Encrypted: | false |
SSDEEP: | 24:bu+no51DxePnSMGs+2U9ovzEMGs+2tMGjMGYvMGjMGG6xePg+I3Pb9SMvQPb9SpP:bTnobDiO2vXO2ux6x565b9SYyb9S/Z |
MD5: | 1A39C2FC4E006B0C9A98E781D497BAE6 |
SHA1: | 0ACFD42206EE553D01C490AD9FABDBDB03066BCA |
SHA-256: | 7EB876DBB755A0E534B803DBD0CE19B4B675D172D033006304AFDFFDA89B5AE9 |
SHA-512: | D439DA555A5320E2F0124A8A92DCB5C66B9E805B77696BE95B3946DBACE23F05CADEE2991E048191431E960D7D7394345188B7805D31F936DD3D031C1A4B4141 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\wget.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 7168 |
Entropy (8bit): | 4.6253897524833 |
Encrypted: | false |
SSDEEP: | 96:oz4/c4Kr6GgZ2+dzcMsio1ZafV/WyDhh1e35YZNW+hC/zNt:64KuG+2I5xfVWyDhh1eG10p |
MD5: | 6166F997B4BB3428AE0D9D4B4E1F0DB2 |
SHA1: | D18A89610C4AB5FF73532A608E3BA0038D6146E0 |
SHA-256: | 3E3EF95E4D20E1CF759021D91F834B6F2C82A1A9DBAB3CAB1605A55BC85D5BE5 |
SHA-512: | 087BE6857F602A648C612C9C849560C8C803182BF08BBDBC41F58EB17E28A1822DED1B1FB45C9A007722B6C6A19754671159A0A3510CC80188D3C145AB5A297C |
Malicious: | true |
Antivirus: |
|
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1835008 |
Entropy (8bit): | 4.461264989737572 |
Encrypted: | false |
SSDEEP: | 6144:L52cwMWh0HQdcETgP70KkM8NqaCskjPrWBYCw6o+u8O/zvX9smlYXgTw:d2n8BkRFBYCfkDztFlVw |
MD5: | 8B226B9E848ED00CD479374CBB0EAF3B |
SHA1: | 7BABDC192C0F62327CD59ECE7B33850878C1A5BF |
SHA-256: | 9348D3FFFC195722D68F94191CD82822AE7410D21BA1142752DD64171AF73A6C |
SHA-512: | 050BFED7EE0FD7E71EE51E333C8AF8914EBE0E12EAB8AF7C8727E4101EB0539387F45BD349F88E57E5FD8B4E5D5E62CAFDE913C2A5F356B954DD0844C713DAD5 |
Malicious: | false |
Reputation: | low |
Preview: |
Download Network PCAP: filtered – full
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-20T17:02:28.362047+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49725 | 80.87.203.251 | 443 | TCP |
- Total Packets: 41
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 20, 2025 17:02:22.185954094 CET | 49722 | 443 | 192.168.2.5 | 140.82.114.4 |
Mar 20, 2025 17:02:22.185995102 CET | 443 | 49722 | 140.82.114.4 | 192.168.2.5 |
Mar 20, 2025 17:02:22.186096907 CET | 49722 | 443 | 192.168.2.5 | 140.82.114.4 |
Mar 20, 2025 17:02:22.187686920 CET | 49722 | 443 | 192.168.2.5 | 140.82.114.4 |
Mar 20, 2025 17:02:22.187717915 CET | 443 | 49722 | 140.82.114.4 | 192.168.2.5 |
Mar 20, 2025 17:02:22.401119947 CET | 443 | 49722 | 140.82.114.4 | 192.168.2.5 |
Mar 20, 2025 17:02:22.401485920 CET | 49722 | 443 | 192.168.2.5 | 140.82.114.4 |
Mar 20, 2025 17:02:22.403250933 CET | 49722 | 443 | 192.168.2.5 | 140.82.114.4 |
Mar 20, 2025 17:02:22.403259039 CET | 443 | 49722 | 140.82.114.4 | 192.168.2.5 |
Mar 20, 2025 17:02:22.403748035 CET | 443 | 49722 | 140.82.114.4 | 192.168.2.5 |
Mar 20, 2025 17:02:22.405354023 CET | 49722 | 443 | 192.168.2.5 | 140.82.114.4 |
Mar 20, 2025 17:02:22.448329926 CET | 443 | 49722 | 140.82.114.4 | 192.168.2.5 |
Mar 20, 2025 17:02:22.678725004 CET | 443 | 49722 | 140.82.114.4 | 192.168.2.5 |
Mar 20, 2025 17:02:22.733056068 CET | 49722 | 443 | 192.168.2.5 | 140.82.114.4 |
Mar 20, 2025 17:02:23.103673935 CET | 443 | 49722 | 140.82.114.4 | 192.168.2.5 |
Mar 20, 2025 17:02:23.103691101 CET | 443 | 49722 | 140.82.114.4 | 192.168.2.5 |
Mar 20, 2025 17:02:23.103749037 CET | 49722 | 443 | 192.168.2.5 | 140.82.114.4 |
Mar 20, 2025 17:02:23.103773117 CET | 443 | 49722 | 140.82.114.4 | 192.168.2.5 |
Mar 20, 2025 17:02:23.103789091 CET | 443 | 49722 | 140.82.114.4 | 192.168.2.5 |
Mar 20, 2025 17:02:23.103818893 CET | 49722 | 443 | 192.168.2.5 | 140.82.114.4 |
Mar 20, 2025 17:02:23.103858948 CET | 49722 | 443 | 192.168.2.5 | 140.82.114.4 |
Mar 20, 2025 17:02:23.110950947 CET | 49722 | 443 | 192.168.2.5 | 140.82.114.4 |
Mar 20, 2025 17:02:23.110964060 CET | 443 | 49722 | 140.82.114.4 | 192.168.2.5 |
Mar 20, 2025 17:02:23.232435942 CET | 49723 | 443 | 192.168.2.5 | 185.199.110.133 |
Mar 20, 2025 17:02:23.232497931 CET | 443 | 49723 | 185.199.110.133 | 192.168.2.5 |
Mar 20, 2025 17:02:23.232566118 CET | 49723 | 443 | 192.168.2.5 | 185.199.110.133 |
Mar 20, 2025 17:02:23.234261990 CET | 49723 | 443 | 192.168.2.5 | 185.199.110.133 |
Mar 20, 2025 17:02:23.234286070 CET | 443 | 49723 | 185.199.110.133 | 192.168.2.5 |
Mar 20, 2025 17:02:23.439620972 CET | 443 | 49723 | 185.199.110.133 | 192.168.2.5 |
Mar 20, 2025 17:02:23.439743042 CET | 49723 | 443 | 192.168.2.5 | 185.199.110.133 |
Mar 20, 2025 17:02:23.441226959 CET | 49723 | 443 | 192.168.2.5 | 185.199.110.133 |
Mar 20, 2025 17:02:23.441247940 CET | 443 | 49723 | 185.199.110.133 | 192.168.2.5 |
Mar 20, 2025 17:02:23.441540956 CET | 443 | 49723 | 185.199.110.133 | 192.168.2.5 |
Mar 20, 2025 17:02:23.442569017 CET | 49723 | 443 | 192.168.2.5 | 185.199.110.133 |
Mar 20, 2025 17:02:23.488337994 CET | 443 | 49723 | 185.199.110.133 | 192.168.2.5 |
Mar 20, 2025 17:02:23.698784113 CET | 443 | 49723 | 185.199.110.133 | 192.168.2.5 |
Mar 20, 2025 17:02:23.698853016 CET | 443 | 49723 | 185.199.110.133 | 192.168.2.5 |
Mar 20, 2025 17:02:23.698884964 CET | 443 | 49723 | 185.199.110.133 | 192.168.2.5 |
Mar 20, 2025 17:02:23.698915958 CET | 443 | 49723 | 185.199.110.133 | 192.168.2.5 |
Mar 20, 2025 17:02:23.698916912 CET | 49723 | 443 | 192.168.2.5 | 185.199.110.133 |
Mar 20, 2025 17:02:23.698949099 CET | 443 | 49723 | 185.199.110.133 | 192.168.2.5 |
Mar 20, 2025 17:02:23.698970079 CET | 49723 | 443 | 192.168.2.5 | 185.199.110.133 |
Mar 20, 2025 17:02:23.701786995 CET | 443 | 49723 | 185.199.110.133 | 192.168.2.5 |
Mar 20, 2025 17:02:23.701837063 CET | 49723 | 443 | 192.168.2.5 | 185.199.110.133 |
Mar 20, 2025 17:02:23.701843977 CET | 443 | 49723 | 185.199.110.133 | 192.168.2.5 |
Mar 20, 2025 17:02:23.701854944 CET | 443 | 49723 | 185.199.110.133 | 192.168.2.5 |
Mar 20, 2025 17:02:23.701905966 CET | 49723 | 443 | 192.168.2.5 | 185.199.110.133 |
Mar 20, 2025 17:02:23.731925011 CET | 49723 | 443 | 192.168.2.5 | 185.199.110.133 |
Mar 20, 2025 17:02:23.731945992 CET | 443 | 49723 | 185.199.110.133 | 192.168.2.5 |
Mar 20, 2025 17:02:26.103060961 CET | 49724 | 443 | 192.168.2.5 | 80.87.203.251 |
Mar 20, 2025 17:02:26.103105068 CET | 443 | 49724 | 80.87.203.251 | 192.168.2.5 |
Mar 20, 2025 17:02:26.103219986 CET | 49724 | 443 | 192.168.2.5 | 80.87.203.251 |
Mar 20, 2025 17:02:26.114451885 CET | 49724 | 443 | 192.168.2.5 | 80.87.203.251 |
Mar 20, 2025 17:02:26.114468098 CET | 443 | 49724 | 80.87.203.251 | 192.168.2.5 |
Mar 20, 2025 17:02:26.378484011 CET | 443 | 49724 | 80.87.203.251 | 192.168.2.5 |
Mar 20, 2025 17:02:26.378613949 CET | 49724 | 443 | 192.168.2.5 | 80.87.203.251 |
Mar 20, 2025 17:02:26.381849051 CET | 49724 | 443 | 192.168.2.5 | 80.87.203.251 |
Mar 20, 2025 17:02:26.381861925 CET | 443 | 49724 | 80.87.203.251 | 192.168.2.5 |
Mar 20, 2025 17:02:26.382270098 CET | 443 | 49724 | 80.87.203.251 | 192.168.2.5 |
Mar 20, 2025 17:02:26.433661938 CET | 49724 | 443 | 192.168.2.5 | 80.87.203.251 |
Mar 20, 2025 17:02:26.476341009 CET | 443 | 49724 | 80.87.203.251 | 192.168.2.5 |
Mar 20, 2025 17:02:27.205471039 CET | 443 | 49724 | 80.87.203.251 | 192.168.2.5 |
Mar 20, 2025 17:02:27.205554008 CET | 443 | 49724 | 80.87.203.251 | 192.168.2.5 |
Mar 20, 2025 17:02:27.205607891 CET | 49724 | 443 | 192.168.2.5 | 80.87.203.251 |
Mar 20, 2025 17:02:27.213413000 CET | 49724 | 443 | 192.168.2.5 | 80.87.203.251 |
Mar 20, 2025 17:02:27.216473103 CET | 49725 | 443 | 192.168.2.5 | 80.87.203.251 |
Mar 20, 2025 17:02:27.216526031 CET | 443 | 49725 | 80.87.203.251 | 192.168.2.5 |
Mar 20, 2025 17:02:27.216608047 CET | 49725 | 443 | 192.168.2.5 | 80.87.203.251 |
Mar 20, 2025 17:02:27.216833115 CET | 49725 | 443 | 192.168.2.5 | 80.87.203.251 |
Mar 20, 2025 17:02:27.216851950 CET | 443 | 49725 | 80.87.203.251 | 192.168.2.5 |
Mar 20, 2025 17:02:27.493330002 CET | 443 | 49725 | 80.87.203.251 | 192.168.2.5 |
Mar 20, 2025 17:02:27.545579910 CET | 49725 | 443 | 192.168.2.5 | 80.87.203.251 |
Mar 20, 2025 17:02:27.589234114 CET | 49725 | 443 | 192.168.2.5 | 80.87.203.251 |
Mar 20, 2025 17:02:27.589251041 CET | 443 | 49725 | 80.87.203.251 | 192.168.2.5 |
Mar 20, 2025 17:02:28.362086058 CET | 443 | 49725 | 80.87.203.251 | 192.168.2.5 |
Mar 20, 2025 17:02:28.362118959 CET | 443 | 49725 | 80.87.203.251 | 192.168.2.5 |
Mar 20, 2025 17:02:28.362142086 CET | 443 | 49725 | 80.87.203.251 | 192.168.2.5 |
Mar 20, 2025 17:02:28.362227917 CET | 443 | 49725 | 80.87.203.251 | 192.168.2.5 |
Mar 20, 2025 17:02:28.362238884 CET | 49725 | 443 | 192.168.2.5 | 80.87.203.251 |
Mar 20, 2025 17:02:28.362281084 CET | 49725 | 443 | 192.168.2.5 | 80.87.203.251 |
Mar 20, 2025 17:02:28.370863914 CET | 49725 | 443 | 192.168.2.5 | 80.87.203.251 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 20, 2025 17:02:22.013801098 CET | 63842 | 53 | 192.168.2.5 | 1.1.1.1 |
Mar 20, 2025 17:02:22.158931971 CET | 53 | 63842 | 1.1.1.1 | 192.168.2.5 |
Mar 20, 2025 17:02:23.121454000 CET | 52359 | 53 | 192.168.2.5 | 1.1.1.1 |
Mar 20, 2025 17:02:23.228535891 CET | 53 | 52359 | 1.1.1.1 | 192.168.2.5 |
Mar 20, 2025 17:02:25.490021944 CET | 60770 | 53 | 192.168.2.5 | 1.1.1.1 |
Mar 20, 2025 17:02:26.097472906 CET | 53 | 60770 | 1.1.1.1 | 192.168.2.5 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Mar 20, 2025 17:02:22.013801098 CET | 192.168.2.5 | 1.1.1.1 | 0x5f16 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Mar 20, 2025 17:02:23.121454000 CET | 192.168.2.5 | 1.1.1.1 | 0x1f07 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Mar 20, 2025 17:02:25.490021944 CET | 192.168.2.5 | 1.1.1.1 | 0xf56c | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Mar 20, 2025 17:02:22.158931971 CET | 1.1.1.1 | 192.168.2.5 | 0x5f16 | No error (0) | 140.82.114.4 | A (IP address) | IN (0x0001) | false | ||
Mar 20, 2025 17:02:23.228535891 CET | 1.1.1.1 | 192.168.2.5 | 0x1f07 | No error (0) | 185.199.110.133 | A (IP address) | IN (0x0001) | false | ||
Mar 20, 2025 17:02:23.228535891 CET | 1.1.1.1 | 192.168.2.5 | 0x1f07 | No error (0) | 185.199.108.133 | A (IP address) | IN (0x0001) | false | ||
Mar 20, 2025 17:02:23.228535891 CET | 1.1.1.1 | 192.168.2.5 | 0x1f07 | No error (0) | 185.199.111.133 | A (IP address) | IN (0x0001) | false | ||
Mar 20, 2025 17:02:23.228535891 CET | 1.1.1.1 | 192.168.2.5 | 0x1f07 | No error (0) | 185.199.109.133 | A (IP address) | IN (0x0001) | false | ||
Mar 20, 2025 17:02:26.097472906 CET | 1.1.1.1 | 192.168.2.5 | 0xf56c | No error (0) | 80.87.203.251 | A (IP address) | IN (0x0001) | false |
|
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.5 | 49722 | 140.82.114.4 | 443 | 8340 | C:\Windows\SysWOW64\wget.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-20 16:02:22 UTC | 252 | OUT | |
2025-03-20 16:02:22 UTC | 596 | IN | |
2025-03-20 16:02:23 UTC | 3368 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.5 | 49723 | 185.199.110.133 | 443 | 8340 | C:\Windows\SysWOW64\wget.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-20 16:02:23 UTC | 263 | OUT | |
2025-03-20 16:02:23 UTC | 894 | IN | |
2025-03-20 16:02:23 UTC | 1378 | IN | |
2025-03-20 16:02:23 UTC | 1378 | IN | |
2025-03-20 16:02:23 UTC | 1378 | IN | |
2025-03-20 16:02:23 UTC | 1378 | IN | |
2025-03-20 16:02:23 UTC | 1378 | IN | |
2025-03-20 16:02:23 UTC | 278 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.5 | 49724 | 80.87.203.251 | 443 | 8472 | C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-20 16:02:26 UTC | 104 | OUT | |
2025-03-20 16:02:27 UTC | 823 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.5 | 49725 | 80.87.203.251 | 443 | 8472 | C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-20 16:02:27 UTC | 69 | OUT | |
2025-03-20 16:02:28 UTC | 789 | IN | |
2025-03-20 16:02:28 UTC | 4365 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 12:02:20 |
Start date: | 20/03/2025 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x220000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 12:02:20 |
Start date: | 20/03/2025 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7e2000000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 2 |
Start time: | 12:02:20 |
Start date: | 20/03/2025 |
Path: | C:\Windows\SysWOW64\wget.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 3'895'184 bytes |
MD5 hash: | 3DADB6E2ECE9C4B3E1E322E617658B60 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 3 |
Start time: | 12:02:23 |
Start date: | 20/03/2025 |
Path: | C:\Users\user\Desktop\download\Remcos-RAT-3.8.0.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x900000 |
File size: | 7'168 bytes |
MD5 hash: | 6166F997B4BB3428AE0D9D4B4E1F0DB2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Antivirus matches: |
|
Reputation: | low |
Has exited: | true |
Target ID: | 6 |
Start time: | 12:02:27 |
Start date: | 20/03/2025 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x7b0000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|