Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 16, 2023, 4:13 p.m.	April 16, 2023, 4:23 p.m.

Size	520.1KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`caea33e0d520c8a783732de2634c1017`
SHA256	`678d3d4b1057a230e358c3b9b88eb2b5e7611e448427788cc6474ae9a0c19404`
CRC32	`FC5A921A`
ssdeep	`12288:gYhXuzMd8pASpKdoaUjaBMr2j+yQLO0NVVjBvOhWaV3JnJw:gYhXuz28pA2KfLj+yqWBlJw`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

dcrossw.exe "C:\Users\test22\AppData\Local\Temp\dcrossw.exe"
1648
- qrwlz.exe "C:\Users\test22\AppData\Local\Temp\qrwlz.exe" C:\Users\test22\AppData\Local\Temp\aztvpotk.nx
  2120
  - qrwlz.exe "C:\Users\test22\AppData\Local\Temp\qrwlz.exe"
    2192

Name	Response	Post-Analysis Lookup
geoplugin.net	A 178.237.33.50	178.237.33.50
jovaneo.duckdns.org	A 212.8.244.201	212.8.244.201

IP Address	Status	Action
164.124.101.2	Active	Moloch
178.237.33.50	Active	Moloch
212.8.244.201	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
TCP 192.168.56.103:49165 -> 212.8.244.201:3641	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	Malware Command and Control Activity Detected
TCP 212.8.244.201:3641 -> 192.168.56.103:49165	2032777	ET MALWARE Remcos 3.x Unencrypted Server Response	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 16, 2023, 4:13 p.m.			0	0

Command line console output was observed (6 events)

Time & API	Arguments	Status	Return
WriteConsoleA April 16, 2023, 4:13 p.m.	buffer: Remcos v4.5.0 Pro © BreakingSecurity.net console_handle: 0x0000000f	1	1
WriteConsoleA April 16, 2023, 4:13 p.m.	buffer: 00:33:35:156 i \| Remcos Agent initialized console_handle: 0x0000000f	1	1
WriteConsoleA April 16, 2023, 4:13 p.m.	buffer: 00:33:35:156 i \| Access Level: Administrator console_handle: 0x0000000f	1	1
WriteConsoleA April 16, 2023, 4:13 p.m.	buffer: 00:33:35:156 i \| Connecting \| TLS Off \| jovaneo.duckdns.org:3641 console_handle: 0x0000000f	1	1
WriteConsoleA April 16, 2023, 4:13 p.m.	buffer: 00:33:35:718 i \| Connected \| TLS Off \| jovaneo.duckdns.org:3641 console_handle: 0x0000000f	1	1
WriteConsoleA April 16, 2023, 4:13 p.m.	buffer: 00:33:36:359 i \| KeepAlive \| Enabled \| Timeout: 60 console_handle: 0x0000000f	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 16, 2023, 4:13 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://geoplugin.net/json.gp

Connects to a Dynamic DNS Domain (1 event)

domain

jovaneo.duckdns.org

Performs some HTTP requests (1 event)

request

GET http://geoplugin.net/json.gp

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory April 16, 2023, 4:13 p.m.	process_identifier: 2120 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory April 16, 2023, 4:13 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\qrwlz.exe
file	C:\Users\test22\AppData\Roaming\qavfoktdyie\nwsclgplu.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\qrwlz.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\qrwlz.exe

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\eajsox

reg_value

C:\Users\test22\AppData\Roaming\qavfoktdyie\nwsclgplu.exe "C:\Users\test22\AppData\Local\Temp\qrwlz.exe" C:\Users\test22\AppData\

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2120 called NtSetContextThread to modify thread in remote process 2192
NtSetContextThread April 16, 2023, 4:13 p.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4403648 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000f4 process_identifier: 2192	1	0	0

File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 events)

Lionic	Trojan.Win32.Agent.tshg
MicroWorld-eScan	Trojan.GenericKD.66417496
FireEye	Generic.mg.caea33e0d520c8a7
ALYac	Trojan.GenericKD.66417496
Malwarebytes	Generic.Malware/Suspicious
VIPRE	Trojan.GenericKD.66417496
Sangfor	Trojan.Win32.Remcos.Vglu
K7AntiVirus	Trojan ( 005a37e21 )
Alibaba	Backdoor:Win32/Remcos.857db1d3
K7GW	Trojan ( 005a37e21 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Generic.D3F57358
Cyren	W32/Injector.BMD.gen!Eldorado
Symantec	Packed.NSISPacker!g14
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Injector.ESWF
Cynet	Malicious (score: 100)
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Backdoor.Win32.Remcos.gen
BitDefender	Trojan.GenericKD.66417496
Avast	Win32:TrojanX-gen [Trj]
Tencent	Win32.Trojan.Agen.Tgil
Emsisoft	Trojan.GenericKD.66417496 (B)
F-Secure	Trojan.TR/Injector.ppuxh
DrWeb	Trojan.DownLoader45.54318
McAfee-GW-Edition	BehavesLike.Win32.Generic.hc
Sophos	Mal/Generic-S
Ikarus	Trojan.Inject
Webroot	W32.Backdoor.Gen
Avira	HEUR/AGEN.1337959
Antiy-AVL	Trojan/Win32.Injector
Gridinsoft	Trojan.Win32.Remcos.bot
Microsoft	Trojan:Win32/Remcos!MTB
ZoneAlarm	HEUR:Backdoor.Win32.Remcos.gen
GData	Trojan.GenericKD.66417496
Google	Detected
AhnLab-V3	Infostealer/Win.Generic.C5395778
McAfee	Artemis!CAEA33E0D520
MAX	malware (ai score=84)
Cylance	unsafe
TrendMicro-HouseCall	TROJ_GEN.R002H07DE23
Rising	Trojan.Injector!8.C4 (TFE:5:VOoMinqZtSK)
Fortinet	W32/Injector.ESVZ!tr
AVG	Win32:TrojanX-gen [Trj]
DeepInstinct	MALICIOUS

dcrossw.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All