Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 7, 2021, 8:22 a.m.	Sept. 7, 2021, 8:40 a.m.

Size	96.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`cd46dbf532b047ca67d19ea025e88051`
SHA256	`da71644ee66cad527be192aefdfb9e5c70f0977d111d95e3591c8221aca1ccfc`
CRC32	`1FC3AB35`
ssdeep	`1536:rEyLmLWGPf+m2kxPqg6ANKLWG6+K3Cwx3ektcs3AGVD:IImb2khC15QSqWo`
Yara	PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file IsPE32 - (no description)

solex.exe "C:\Users\test22\AppData\Local\Temp\solex.exe"
1852
- solex.exe "C:\Users\test22\AppData\Local\Temp\solex.exe"
  2916

Name	Response	Post-Analysis Lookup
slx-wave.duckdns.org	A 23.146.242.71	23.146.242.71
sol-bin.duckdns.org	A 23.146.242.85	23.146.242.85

Flow	SID	Signature	Category
UDP 192.168.56.102:64995 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.102:52336 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 7, 2021, 8:22 a.m.		1	1	0

resource name

CUSTOM

domain	slx-wave.duckdns.org
domain	sol-bin.duckdns.org

request

GET http://sol-bin.duckdns.org/Remcos_S_tGNeLX139.bin

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f92000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1852 region_size: 77824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00820000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 8:23 a.m.	process_identifier: 1852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 876544 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77af0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 8:23 a.m.	process_identifier: 2916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 876544 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77af0000 process_handle: 0xffffffff	1

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00380000 process_handle: 0xffffffff	1	0	0

host

104.21.19.200

Time & API	Arguments	Status	Return	Repeated
EnumServicesStatusA Sept. 7, 2021, 8:23 a.m.	service_handle: 0x008b3ff0 service_type: 48 service_status: 3		0	0

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
ClamAV	Win.Dropper.Guloader-9890276-0
McAfee	GuLoader-FCQZ!CD46DBF532B0
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7GW	Trojan-Downloader ( 005661971 )
Cybereason	malicious.d1de42
ESET-NOD32	Win32/TrojanDownloader.Agent.FCS
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Variant.Bulz.681383
MicroWorld-eScan	Gen:Variant.Bulz.681383
Avast	Win32:Trojan-gen
Ad-Aware	Gen:Variant.Bulz.681383
Comodo	Malware@#37rrcy6fahxes
McAfee-GW-Edition	GuLoader-FCQZ!CD46DBF532B0
FireEye	Generic.mg.cd46dbf532b047ca
Ikarus	Trojan.Win32.Krypt
eGambit	Unsafe.AI_Score_100%
MAX	malware (ai score=85)
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
GData	Gen:Variant.Bulz.681383
AhnLab-V3	Trojan/Win.Sabsik.C4622888
Malwarebytes	Trojan.MalPack.VB
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Malicious_Behavior.VEX
Webroot	W32.Trojan.Gen
AVG	Win32:Trojan-gen
CrowdStrike	win/malicious_confidence_90% (W)

solex.exe