Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 30, 2023, 9:11 a.m.	March 30, 2023, 9:14 a.m.

Size	475.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`d606a39261a0599154ba54ec565fd602`
SHA256	`98eee0791e9e33bc16140ed6dc2a68ace15cb42f78408790e0278bc24c8416a1`
CRC32	`0D19E1B7`
ssdeep	`12288:FjdAK8wxqkXuxOqLXO3X2orpbKs/ZgDfBRq:LA3wxqkXuxOq+rpbRZqz`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check Network_Downloader - File Downloader Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) PE_Header_Zero - PE File Signature

2.exe "C:\Users\test22\AppData\Local\Temp\2.exe"
1608

Name	Response	Post-Analysis Lookup
geoplugin.net	A 178.237.33.50	178.237.33.50

IP Address	Status	Action
158.101.44.242	Active	Moloch
164.124.101.2	Active	Moloch
178.237.33.50	Active	Moloch
185.246.220.130	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49161 -> 185.246.220.130:2987	2036594	ET JA3 Hash - Remcos 3.x TLS Connection	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.103:49161 185.246.220.130:2987	None	None	None

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 30, 2023, 9:11 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://geoplugin.net/json.gp

Performs some HTTP requests (1 event)

request

GET http://geoplugin.net/json.gp

A process attempted to delay the analysis task. (1 event)

description

2.exe tried to sleep 350 seconds, actually delayed analysis time by 350 seconds

Communicates with host for which no DNS query was performed (2 events)

host	158.101.44.242
host	185.246.220.130

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA March 30, 2023, 9:11 a.m.	thread_identifier: 0 callback_function: 0x004098a7 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	66005	0

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Lionic	Hacktool.Win32.Knotweed.3!c
DrWeb	Trojan.Inject4.52723
MicroWorld-eScan	Generic.Remcos.840F6810
CAT-QuickHeal	Trojan.GenericRI.S30100141
ALYac	Generic.Remcos.840F6810
Cylance	unsafe
Zillya	Trojan.Rescoms.Win32.1284
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
K7GW	Trojan ( 0053ac2c1 )
K7AntiVirus	Trojan ( 0053ac2c1 )
Arcabit	Generic.Remcos.840F6810
BitDefenderTheta	Gen:NN.ZexaF.36344.DCW@aK5dmEni
VirIT	Trojan.Win32.Genus.OBL
Symantec	ML.Attribute.HighConfidence
Elastic	Windows.Trojan.Remcos
ESET-NOD32	a variant of Win32/Rescoms.B
Cynet	Malicious (score: 100)
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Trojan.Remcos-9841897-0
Kaspersky	HEUR:HackTool.Win32.Knotweed.gen
BitDefender	Generic.Remcos.840F6810
NANO-Antivirus	Trojan.Win32.Invader.jushzk
Avast	Win32:RATX-gen [Trj]
Tencent	Malware.Win32.Gencirc.10bddcd3
Emsisoft	Generic.Remcos.840F6810 (B)
Baidu	Win32.Trojan.Kryptik.awm
VIPRE	Generic.Remcos.840F6810
McAfee-GW-Edition	BehavesLike.Win32.Backdoor.gh
FireEye	Generic.mg.d606a39261a05991
Sophos	Mal/Emogen-Y
Ikarus	Win32.Outbreak
Jiangmin	Backdoor.Remcos.dtz
Avira	BDS/Backdoor.Gen
Antiy-AVL	Trojan[Backdoor]/Win32.Rescoms
Gridinsoft	Ransom.Win32.Wacatac.oa!s1
Microsoft	Trojan:Win32/Remcos!ic
GData	Generic.Remcos.840F6810
Google	Detected
AhnLab-V3	Backdoor/Win.Remcos.C5370570
McAfee	Artemis!D606A39261A0
MAX	malware (ai score=87)
VBA32	BScope.Trojan.Wacatac
Malwarebytes	Generic.Trojan.Injector.DDS
Rising	Backdoor.Remcos!1.BAC7 (CLASSIC)
Yandex	Trojan.Invader!f1qZVKKb/HQ
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.187042512.susgen
Fortinet	W32/Remcos.A!tr

2.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All