Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 14, 2023, 9:30 a.m.	June 14, 2023, 9:39 a.m.

Size	424.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`1c9ff0b44e4db1fc5a2f5a84c6add5af`
SHA256	`c3f58fc7e4e51a2d4c6551fd6cebac7d8c0bf79d83f1235e7570c2db574df0f6`
CRC32	`9AF7289F`
ssdeep	`6144:DrLmBOdXFrVRWdPBraNM6inbujnJwHXkVrVGb7FhHI2PuAO2SBX3W+cUdWS:DrLmBOrVmpCMLulOXkVrV2DEASFW4WS`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library Network_Downloader - File Downloader Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware

remcos_a.exe "C:\Users\test22\AppData\Local\Temp\remcos_a.exe"
2424

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 14, 2023, 9:31 a.m.			0	0

Command line console output was observed (14 events)

Time & API	Arguments	Status	Return
WriteConsoleA June 14, 2023, 9:31 a.m.	buffer: Remcos v4.6.0 Light © BreakingSecurity.net console_handle: 0x0000000f	1	1
WriteConsoleA June 14, 2023, 9:31 a.m.	buffer: 18:11:14:656 i \| Remcos Agent initialized console_handle: 0x0000000f	1	1
WriteConsoleA June 14, 2023, 9:31 a.m.	buffer: 18:11:14:656 i \| Access Level: Administrator console_handle: 0x0000000f	1	1
WriteConsoleA June 14, 2023, 9:31 a.m.	buffer: 18:11:14:671 i \| Connecting \| TLS On \| 192.168.175.1:1800 console_handle: 0x0000000f	1	1
WriteConsoleA June 14, 2023, 9:31 a.m.	buffer: 18:11:35:687 E \| Connection Failed: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. console_handle: 0x0000000f	1	1
WriteConsoleA June 14, 2023, 9:31 a.m.	buffer: 18:11:36:687 i \| Connecting \| TLS On \| 192.168.175.1:1800 console_handle: 0x0000000f	1	1
WriteConsoleA June 14, 2023, 9:31 a.m.	buffer: 18:11:57:718 E \| Connection Failed: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. console_handle: 0x0000000f	1	1
WriteConsoleA June 14, 2023, 9:31 a.m.	buffer: 18:11:58:718 i \| Connecting \| TLS On \| 192.168.175.1:1800 console_handle: 0x0000000f	1	1
WriteConsoleA June 14, 2023, 9:32 a.m.	buffer: 18:12:19:765 E \| Connection Failed: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. console_handle: 0x0000000f	1	1
WriteConsoleA June 14, 2023, 9:32 a.m.	buffer: 18:12:20:765 i \| Connecting \| TLS On \| 192.168.175.1:1800 console_handle: 0x0000000f	1	1
WriteConsoleA June 14, 2023, 9:32 a.m.	buffer: 18:12:41:765 E \| Connection Failed: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. console_handle: 0x0000000f	1	1
WriteConsoleA June 14, 2023, 9:32 a.m.	buffer: 18:12:42:765 i \| Connecting \| TLS On \| 192.168.175.1:1800 console_handle: 0x0000000f	1	1
WriteConsoleA June 14, 2023, 9:33 a.m.	buffer: 18:13:03:875 E \| Connection Failed: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. console_handle: 0x0000000f	1	1
WriteConsoleA June 14, 2023, 9:33 a.m.	buffer: 18:13:04:875 i \| Connecting \| TLS On \| 192.168.175.1:1800 console_handle: 0x0000000f	1	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

A process attempted to delay the analysis task. (1 event)

description

remcos_a.exe tried to sleep 122 seconds, actually delayed analysis time by 122 seconds

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

192.168.175.1:1800

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Bkav	W32.AIDetectMalware
MicroWorld-eScan	DeepScan:Generic.Dacic.A9349469.A.A540C4F8
ClamAV	Win.Trojan.Remcos-9841897-0
ALYac	DeepScan:Generic.Dacic.A9349469.A.A540C4F8
Malwarebytes	Spyware.PasswordStealer
Zillya	Trojan.Rescoms.Win32.1309
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 0057919d1 )
K7GW	Trojan ( 0057919d1 )
CrowdStrike	win/malicious_confidence_90% (W)
Arcabit	DeepScan:Generic.Dacic.A9349469.A.A540C4F8
BitDefenderTheta	Gen:NN.ZexaF.36250.ACW@ayBGBkhi
VirIT	Trojan.Win32.GenusT.EFVK
Cyren	W32/Trojan.GCT.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Rescoms.N
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Backdoor.Win32.Remcos.gen
BitDefender	DeepScan:Generic.Dacic.A9349469.A.A540C4F8
NANO-Antivirus	Trojan.Win32.Remcos.jvkjil
Avast	Win32:RATX-gen [Trj]
Emsisoft	DeepScan:Generic.Dacic.A9349469.A.A540C4F8 (B)
F-Secure	Backdoor.BDS/Backdoor.Gen
VIPRE	DeepScan:Generic.Dacic.A9349469.A.A540C4F8
McAfee-GW-Edition	BehavesLike.Win32.Generic.gh
Trapmine	suspicious.low.ml.score
FireEye	Generic.mg.1c9ff0b44e4db1fc
Sophos	ML/PE-A
SentinelOne	Static AI - Suspicious PE
Jiangmin	Backdoor.Remcos.dun
Avira	BDS/Backdoor.Gen
MAX	malware (ai score=85)
Antiy-AVL	Trojan[Backdoor]/Win32.Rescoms
Microsoft	Trojan:Win32/Remcos!MTB
ZoneAlarm	HEUR:Backdoor.Win32.Remcos.gen
GData	DeepScan:Generic.Dacic.A9349469.A.A540C4F8
Google	Detected
AhnLab-V3	Trojan/Win.RemcosRAT.R574748
McAfee	GenericRXSQ-HG!1C9FF0B44E4D
TACHYON	Backdoor/W32.Remcos.434688
VBA32	BScope.Trojan.Wacatac
Cylance	unsafe
Panda	Trj/Genetic.gen
Rising	Backdoor.Remcos!1.BAC7 (CLASSIC)
Ikarus	Backdoor.Remcos
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Remcos.M!tr
AVG	Win32:RATX-gen [Trj]

remcos_a.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All