popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Remc.exe

Generic Malware UPX Downloader Malicious Library Malicious Packer PE File OS Processor Check JPEG Format PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us June 13, 2023, 10:40 p.m. June 13, 2023, 10:42 p.m.
Size 481.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 7b0951243f7919dfbbe6489a0218845e
SHA256 e5ecc9b504121707ebc8782b5a81546ee41e7141d5554271030111c51cc2501f
CRC32 BABBAEC7
ssdeep 12288:hRXxReZj3WZfj/2eSseWFaIe2+f8CL47bs/Zf2gDU:hx7cyF2eSsewS8W47eZO
Yara
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • Network_Downloader - File Downloader
  • Malicious_Packer_Zero - Malicious Packer
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware

Name Response Post-Analysis Lookup
nov231122.con-ip.com
A 181.142.211.88
181.142.211.88
geoplugin.net
A 178.237.33.50
178.237.33.50
IP Address Status Action
164.124.101.2 Active Moloch
178.237.33.50 Active Moloch
181.142.211.88 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53 2037787 ET INFO DNS Redirection Service Domain in DNS Lookup (con-ip .com) Potentially Bad Traffic
TCP 192.168.56.103:49161 -> 181.142.211.88:7476 2036594 ET JA3 Hash - Remcos 3.x TLS Connection Malware Command and Control Activity Detected

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.3
192.168.56.103:49161
181.142.211.88:7476 		None None None

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .gfids
suspicious_features GET method with no useragent header suspicious_request GET http://geoplugin.net/json.gp
request GET http://geoplugin.net/json.gp
description Remc.exe tried to sleep 468 seconds, actually delayed analysis time by 468 seconds
Time & API Arguments Status Return Repeated

SetWindowsHookExA

 thread_identifier: 0
callback_function: 0x0040a1cb
hook_identifier: 13 (WH_KEYBOARD_LL)
module_address: 0x00400000
1 65999 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Remcos.4!c
MicroWorld-eScan Generic.Remcos.E8289BC3
FireEye Generic.mg.7b0951243f7919df
McAfee Remcos-FDQO!7B0951243F79
Malwarebytes Backdoor.Remcos
VIPRE Generic.Remcos.E8289BC3
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 0053ac2c1 )
K7GW Trojan ( 0053ac2c1 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Generic.Remcos.E8289BC3
Baidu Win32.Trojan.Kryptik.awm
VirIT Trojan.Win32.GenusT.DMHR
Symantec ML.Attribute.HighConfidence
Elastic Windows.Trojan.Remcos
ESET-NOD32 a variant of Win32/Rescoms.B
Cynet Malicious (score: 100)
APEX Malicious
ClamAV Win.Trojan.Remcos-9841897-0
Kaspersky HEUR:Backdoor.Win32.Remcos.gen
BitDefender Generic.Remcos.E8289BC3
Avast Win32:RATX-gen [Trj]
Tencent Malware.Win32.Gencirc.10bee921
Sophos Mal/Emogen-Y
F-Secure Backdoor.BDS/Backdoor.Gen
DrWeb Trojan.Inject4.57973
Zillya Trojan.Rescoms.Win32.1410
McAfee-GW-Edition BehavesLike.Win32.NetLoader.gh
Emsisoft Generic.Remcos.E8289BC3 (B)
Ikarus Win32.Outbreak
Avira BDS/Backdoor.Gen
Antiy-AVL Trojan[Backdoor]/Win32.Rescoms
Microsoft Backdoor:Win32/Remcos.GA!MTB
ZoneAlarm HEUR:Backdoor.Win32.Remcos.gen
GData Generic.Remcos.E8289BC3
Google Detected
AhnLab-V3 Backdoor/Win.Remcos.C5370570
BitDefenderTheta Gen:NN.ZexaF.36250.ECW@a8eMXmmi
ALYac Generic.Remcos.E8289BC3
MAX malware (ai score=86)
Cylance unsafe
Panda Trj/GdSda.A
Rising Backdoor.Remcos!1.BAC7 (CLASSIC)
Yandex Trojan.Invader!ZCRgWkv1kYo
SentinelOne Static AI - Suspicious PE
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/Remcos.A!tr
AVG Win32:RATX-gen [Trj]
Cybereason malicious.43f791