popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

xoiHrcDMQ2n5.exe

Browser Login Data Stealer Generic Malware Malicious Library Downloader UPX Malicious Packer PE File OS Processor Check PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Oct. 3, 2023, 7:41 p.m. Oct. 3, 2023, 7:43 p.m.
Size 483.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 c9bad87f14e2fa7872bd26796e81ec0e
SHA256 77b9a0c1a2227c43cf08700532888479d5dc29067277625745a151804f96cd44
CRC32 3FE83CEF
ssdeep 6144:K/7iPrcL3ArwhBq7Kjsn9iHGXg0lwGS9MNNhdFvPxps9gsAOZZuAXec7Av7ov:K/uPq3AfK496Gw0lwGXN3pvs/ZuJv8v
Yara
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • infoStealer_browser_b_Zero - browser info stealer
  • PE_Header_Zero - PE File Signature
  • Network_Downloader - File Downloader
  • IsPE32 - (no description)
  • Malicious_Packer_Zero - Malicious Packer
  • OS_Processor_Check_Zero - OS Processor Check
  • Generic_Malware_Zero - Generic Malware

Name Response Post-Analysis Lookup
war.bumbleshrimp.com
A 186.102.171.59
186.102.171.59
geoplugin.net
A 178.237.33.50
178.237.33.50
IP Address Status Action
164.124.101.2 Active Moloch
178.237.33.50 Active Moloch
186.102.171.59 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53 2046003 ET INFO DYNAMIC_DNS Query to a *.bumbleshrimp .com Domain Potentially Bad Traffic
TCP 192.168.56.103:49161 -> 186.102.171.59:3337 2036594 ET JA3 Hash - Remcos 3.x TLS Connection Malware Command and Control Activity Detected

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.3
192.168.56.103:49161
186.102.171.59:3337 		None None None

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .gfids
suspicious_features GET method with no useragent header suspicious_request GET http://geoplugin.net/json.gp
request GET http://geoplugin.net/json.gp
description xoiHrcDMQ2n5.exe tried to sleep 350 seconds, actually delayed analysis time by 350 seconds
Time & API Arguments Status Return Repeated

SetWindowsHookExA

 thread_identifier: 0
callback_function: 0x0040a2a4
hook_identifier: 13 (WH_KEYBOARD_LL)
module_address: 0x00400000
1 66003 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Remcos.4!c
MicroWorld-eScan Generic.Remcos.0B969F89
ALYac Generic.Remcos.0B969F89
Malwarebytes Generic.Malware.AI.DDS
Zillya Trojan.Rescoms.Win32.1477
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 0053ba121 )
Alibaba Backdoor:Win32/Remcos.54857420
K7GW Trojan ( 0053ba121 )
Cybereason malicious.50907d
Arcabit Generic.Remcos.0B969F89
Baidu Win32.Trojan.Kryptik.awm
VirIT Trojan.Win32.Genus.TDZ
Cyren W32/Remcos.AE.gen!Eldorado
Symantec ML.Attribute.HighConfidence
Elastic Windows.Trojan.Remcos
ESET-NOD32 a variant of Win32/Rescoms.B
Cynet Malicious (score: 100)
APEX Malicious
ClamAV Win.Trojan.Remcos-9841897-0
Kaspersky HEUR:Backdoor.Win32.Remcos.gen
BitDefender Generic.Remcos.0B969F89
NANO-Antivirus Trojan.Win32.Remcos.kakzkh
Avast Win32:RATX-gen [Trj]
Tencent Malware.Win32.Gencirc.10bf23c3
Emsisoft Generic.Remcos.0B969F89 (B)
F-Secure Backdoor.BDS/Backdoor.Gen
DrWeb Trojan.DownLoader46.4974
VIPRE Generic.Remcos.0B969F89
TrendMicro Backdoor.Win32.REMCOS.YXDJCZ
McAfee-GW-Edition BehavesLike.Win32.Remcos.gh
FireEye Generic.mg.c9bad87f14e2fa78
Sophos Mal/Emogen-Y
Ikarus Win32.Outbreak
Jiangmin Backdoor.Remcos.dwr
Avira BDS/Backdoor.Gen
Antiy-AVL Trojan[Backdoor]/Win32.Rescoms.b
Kingsoft malware.kb.a.1000
Gridinsoft Trojan.Win32.Remcos.bot
Microsoft Backdoor:Win32/Remcos.GA!MTB
ViRobot Trojan.Win.Z.Remcos.494592.AZ
ZoneAlarm HEUR:Backdoor.Win32.Remcos.gen
GData Generic.Remcos.0B969F89
Google Detected
AhnLab-V3 Backdoor/Win.Remcos.R605454
McAfee Remcos-FDQO!C9BAD87F14E2
MAX malware (ai score=81)
VBA32 Backdoor.Remcos
Cylance unsafe