Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 30, 2023, 9:11 a.m.	March 30, 2023, 9:14 a.m.

Size	475.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`88131cfd2cca21aba749fd591b04b45f`
SHA256	`0d9cbc0e94d01e763facaf37991bce5c6b466b552961e9f136214004085d912a`
CRC32	`70361FF9`
ssdeep	`12288:tjdAK8wxqkXuxOqLXO3X2orpbKs/ZgZBRq:zA3wxqkXuxOq+rpbRZm`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check Network_Downloader - File Downloader Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) PE_Header_Zero - PE File Signature

1.exe "C:\Users\test22\AppData\Local\Temp\1.exe"
2548

Name	Response	Post-Analysis Lookup
geoplugin.net	A 178.237.33.50	178.237.33.50

IP Address	Status	Action
132.226.8.169	Active	Moloch
164.124.101.2	Active	Moloch
178.237.33.50	Active	Moloch
185.246.220.130	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49161 -> 185.246.220.130:2987	2036594	ET JA3 Hash - Remcos 3.x TLS Connection	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.101:49161 185.246.220.130:2987	None	None	None

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 30, 2023, 9:11 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://geoplugin.net/json.gp

Performs some HTTP requests (1 event)

request

GET http://geoplugin.net/json.gp

A process attempted to delay the analysis task. (1 event)

description

1.exe tried to sleep 350 seconds, actually delayed analysis time by 350 seconds

Communicates with host for which no DNS query was performed (2 events)

host	132.226.8.169
host	185.246.220.130

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA March 30, 2023, 9:11 a.m.	thread_identifier: 0 callback_function: 0x004098a7 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	1245585	0

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Elastic	Windows.Trojan.Remcos
MicroWorld-eScan	Generic.Remcos.730B7D32
ClamAV	Win.Trojan.Remcos-9841897-0
CAT-QuickHeal	Trojan.GenericRI.S30100141
McAfee	GenericRXVH-QA!88131CFD2CCA
Malwarebytes	Generic.Trojan.Injector.DDS
Zillya	Trojan.Rescoms.Win32.1284
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 0053ac2c1 )
K7GW	Trojan ( 0053ac2c1 )
CrowdStrike	win/malicious_confidence_90% (D)
Arcabit	Generic.Remcos.730B7D32
BitDefenderTheta	Gen:NN.ZexaF.36344.DCW@a4M8jEpi
VirIT	Trojan.Win32.Genus.OBL
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Rescoms.B
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	HEUR:HackTool.Win32.Knotweed.gen
BitDefender	Generic.Remcos.730B7D32
NANO-Antivirus	Trojan.Win32.Invader.jushzk
Avast	Win32:RATX-gen [Trj]
Tencent	Malware.Win32.Gencirc.10bddcd3
Sophos	Mal/Emogen-Y
Baidu	Win32.Trojan.Kryptik.awm
DrWeb	Trojan.Inject4.52723
VIPRE	Generic.Remcos.730B7D32
McAfee-GW-Edition	BehavesLike.Win32.Backdoor.gh
FireEye	Generic.mg.88131cfd2cca21ab
Emsisoft	Generic.Remcos.730B7D32 (B)
SentinelOne	Static AI - Malicious PE
Jiangmin	Backdoor.Remcos.dtz
Avira	BDS/Backdoor.Gen
MAX	malware (ai score=86)
Antiy-AVL	Trojan[Backdoor]/Win32.Rescoms
Gridinsoft	Ransom.Win32.Wacatac.oa!s1
Microsoft	Trojan:Win32/Remcos!ic
GData	Generic.Remcos.730B7D32
Google	Detected
AhnLab-V3	Backdoor/Win.Remcos.C5370570
VBA32	BScope.Trojan.Wacatac
ALYac	Generic.Remcos.730B7D32
Cylance	unsafe
Rising	Backdoor.Remcos!1.BAC7 (CLASSIC)
Yandex	Trojan.Invader!f1qZVKKb/HQ
Ikarus	Trojan-Spy.Remcos
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Remcos.A!tr
AVG	Win32:RATX-gen [Trj]
Panda	Trj/GdSda.A

1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All