Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.15 01:11
wwbizsrvs.exe
11.15 01:11
op.exe
11.15 01:11
msf.exe
11.15 01:11
lum250.exe
11.15 01:11
msf443.exe
11.13 04:11
hello.exe
11.13 03:11
espsemhvcioff.exe
11.13 02:11
Geek_se.exe
11.13 02:11
cred64.dll
11.13 02:11
svhost.exe

Latest News
11.16 09:11
T-Mobile’s Network Bre...
11.16 09:11
Spotted at Supercon: G...
11.16 09:11
IT Sicherheitsnews tae...
11.16 09:11
Bitfinex Hacker Gets 5...
11.16 07:11
(g+) Datenschutz: Spor...
11.16 06:11
티오더, 메뉴 사진 무료 촬영 서비스 진행
11.16 06:11
WiFi Status Indicator ...
11.16 06:11
PAN-OS Firewall Vulner...
11.16 06:11
Dahua und Delo vereine...
11.16 05:11
NSO 그룹, 소송 중에도 ‘페가수스’로...

Summary | ZeroBOX

CHUCK.exe

Malicious Packer Malicious Library UPX PE32 PE File

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 31, 2021, 9:26 a.m.	Aug. 31, 2021, 9:38 a.m.

Size	92.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`3343149d1253a8ec05b9afbe8cbedbec`
SHA256	`85445f0a808b4d25cc291adc7bf2782bcce76a011b7dbe1393426294343dd953`
CRC32	`98DB84FF`
ssdeep	`1536:YhhW0YTGZWdVseJxaM9kraLdV2QkQ1TbPX8IHOCkIsI4ESHNTh9E+JP19qkP6irU:+hzYTGWVvJ8f2v1TbPzuMsIFSHNThy+K`
Yara	PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file Win_Backdoor_RemcosRAT_Zero - Win Backdoor RemcosRAT Zero Malicious_Packer_Zero - Malicious Packer Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

CHUCK.exe "C:\Users\test22\AppData\Local\Temp\CHUCK.exe"
2948

Name	Response	Post-Analysis Lookup
tobi12345.hopto.org	A 91.193.75.202	91.193.75.202

IP Address	Status	Action
164.124.101.2	Active	Moloch
91.193.75.202	Active	Moloch
91.193.75.168	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:61479 -> 164.124.101.2:53	2028681	ET POLICY DNS Query to DynDNS Domain *.hopto .org	Potentially Bad Traffic
UDP 192.168.56.101:59369 -> 164.124.101.2:53	2028681	ET POLICY DNS Query to DynDNS Domain *.hopto .org	Potentially Bad Traffic
UDP 192.168.56.101:54056 -> 164.124.101.2:53	2028681	ET POLICY DNS Query to DynDNS Domain *.hopto .org	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

The executable uses a known packer (1 event)

packer

Armadillo v1.71

Connects to a Dynamic DNS Domain (1 event)

domain

tobi12345.hopto.org

Communicates with host for which no DNS query was performed (1 event)

host

91.193.75.168

File has been identified by 60 AntiVirus engines on VirusTotal as malicious (50 out of 60 events)

Bkav	W32.FamVT.RevetAF.Trojan
Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.Inject.BDT
FireEye	Generic.mg.3343149d1253a8ec
CAT-QuickHeal	Trojan.Mauvaise.SL1
ALYac	Trojan.Inject.BDT
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 004f67651 )
Alibaba	Backdoor:Win32/Rescoms.32f
K7GW	Trojan ( 004f67651 )
Cybereason	malicious.d1253a
BitDefenderTheta	Gen:NN.ZexaF.34110.fqW@a47x76fi
Cyren	W32/Injector.AKNB-1880
Symantec	Infostealer!im
ESET-NOD32	Win32/Agent.RXL
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Malware.Azden-7587127-0
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Trojan.Inject.BDT
NANO-Antivirus	Trojan.Win32.AD.erfeyu
SUPERAntiSpyware	Backdoor.Remcos/Variant
Avast	Win32:RemcosRAT-A [Trj]
Rising	Backdoor.Remcos!1.B4AD (CLASSIC)
Ad-Aware	Trojan.Inject.BDT
Comodo	TrojWare.Win32.Rescoms.A@70v67g
DrWeb	Trojan.DownLoader25.11684
Zillya	Trojan.Agent.Win32.742092
TrendMicro	BKDR_SOCMER.SM
McAfee-GW-Edition	BehavesLike.Win32.Generic.nh
Emsisoft	Trojan.Agent (A)
Ikarus	Backdoor.Rat.Remcos
Jiangmin	Trojan.Generic.bgmwv
eGambit	Unsafe.AI_Score_100%
Avira	HEUR/AGEN.1115265
MAX	malware (ai score=100)
Kingsoft	Win32.Troj.Undef.(kcloud)
Gridinsoft	Backdoor.Win32.Gen.cc!s1
Microsoft	Backdoor:Win32/Rescoms
ViRobot	Trojan.Win32.Agent.94208.EA
GData	Win32.Backdoor.Remcos.B
Cynet	Malicious (score: 100)
AhnLab-V3	Backdoor/Win32.Rescoms.R198292
Acronis	suspicious
McAfee	Trojan-FOFQ!3343149D1253
TACHYON	Backdoor/W32.Remcos.94208
VBA32	BScope.Trojan.Downloader
Malwarebytes	Generic.Trojan.Dropper.DDS

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (19 events)

dead_host	192.168.56.101:49213
dead_host	192.168.56.101:49212
dead_host	192.168.56.101:49202
dead_host	192.168.56.101:49198
dead_host	192.168.56.101:49211
dead_host	192.168.56.101:49210
dead_host	192.168.56.101:49207
dead_host	192.168.56.101:49209
dead_host	192.168.56.101:49206
dead_host	192.168.56.101:49219
dead_host	192.168.56.101:49208
dead_host	192.168.56.101:49205
dead_host	192.168.56.101:49218
dead_host	192.168.56.101:49215
dead_host	192.168.56.101:49204
dead_host	192.168.56.101:49217
dead_host	192.168.56.101:49214
dead_host	91.193.75.202:40401
dead_host	192.168.56.101:49216