Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 31, 2023, 9:37 a.m.	Oct. 31, 2023, 9:39 a.m.

Size	233.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`2f730ad313cf99a13514a37ff64aab61`
SHA256	`56b7b422a1f768b817ce93af8c005db587076d3c619a95a42ad34f572c331b93`
CRC32	`6D972500`
ssdeep	`3072:0OSI2I7txG68nYrugMZJMfsciIpuKNtrUQlAK3qSjYPS+IAXb3Ixi5eFrgurIlNS:lvG68YrvM80ypnjAedo3qiGUY2ChzI`
Yara	Malicious_Packer_Zero - Malicious Packer Network_Downloader - File Downloader PE_Header_Zero - PE File Signature IsPE32 - (no description)

bRbg.exe "C:\Users\test22\AppData\Local\Temp\bRbg.exe"
3016

Name	Response	Post-Analysis Lookup
salwanazeeze.ddns.net
salwanazeeze.duckdns.org	A 172.111.167.99	172.111.167.99

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.111.167.99	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:63709 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.102:63709 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.102:62846 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
UDP 192.168.56.102:56630 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.102:56630 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity

Suricata TLS

No Suricata TLS

Connects to a Dynamic DNS Domain (2 events)

domain	salwanazeeze.ddns.net
domain	salwanazeeze.duckdns.org

A process attempted to delay the analysis task. (1 event)

description

bRbg.exe tried to sleep 388 seconds, actually delayed analysis time by 388 seconds

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00035600', u'virtual_address': u'0x0004f000', u'entropy': 7.9374983839310085, u'name': u'UPX1', u'virtual_size': u'0x00036000'}

entropy

7.93749838393

description

A section with a high entropy has been found

entropy

0.92025862069

description

Overall entropy of this PE file is high

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA Oct. 31, 2023, 9:37 a.m.	thread_identifier: 0 callback_function: 0x0040a2a4 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	131355	0

File has been identified by 63 AntiVirus engines on VirusTotal as malicious (50 out of 63 events)

Lionic	Trojan.Win32.Remcos.4!c
MicroWorld-eScan	Generic.Dacic.A9349469.A.24A539B4
ClamAV	Win.Trojan.Remcos-9841897-0
FireEye	Generic.mg.2f730ad313cf99a1
CAT-QuickHeal	Trojan.GenericRI.S31067642
Skyhigh	BehavesLike.Win32.SpywareLyndra.dc
McAfee	Artemis!2F730AD313CF
Malwarebytes	Malware.AI.4238095733
VIPRE	Generic.Dacic.A9349469.A.24A539B4
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 0053ba121 )
BitDefender	Generic.Dacic.A9349469.A.24A539B4
K7GW	Trojan ( 0053ba121 )
Cybereason	malicious.8ba1fe
Baidu	Win32.Trojan.Kryptik.awm
VirIT	Trojan.Win32.Genus.TCT
Symantec	Trojan.Remcos
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of Win32/Rescoms.B
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Backdoor.Win32.Remcos.gen
Alibaba	Backdoor:Win32/Remcos.db6ab082
NANO-Antivirus	Trojan.Win32.Remcos.kakzkh
ViRobot	Trojan.Win.Z.Remcos.238592.F
Rising	Trojan.Rescoms!8.100A0 (TFE:5:FKuWrtG2iWT)
Sophos	Mal/Emogen-Y
F-Secure	Backdoor.BDS/Backdoor.Gen
DrWeb	Trojan.DownLoader46.4974
Zillya	Trojan.Rescoms.Win32.1480
TrendMicro	Backdoor.Win32.REMCOS.YXDJ4Z
Trapmine	malicious.high.ml.score
Emsisoft	Generic.Dacic.A9349469.A.24A539B4 (B)
Ikarus	Win32.Outbreak
GData	Generic.Dacic.A9349469.A.24A539B4
Jiangmin	Backdoor.Remcos.dwr
Webroot	W32.Trojan.Remcos
Google	Detected
Avira	BDS/Backdoor.Gen
Antiy-AVL	Trojan[Backdoor]/Win32.Rescoms.b
Kingsoft	malware.kb.b.983
Gridinsoft	Trojan.Win32.Remcos.bot
Arcabit	Generic.Dacic.A9349469.A.24A539B4
ZoneAlarm	HEUR:Backdoor.Win32.Remcos.gen
Microsoft	Trojan:Win32/Remcos!ic
Varist	W32/Trojan.GCT.gen!Eldorado
AhnLab-V3	Trojan/Win.QA.C5376648
BitDefenderTheta	Gen:NN.ZexaF.36792.omGfa4nx3Vpi
ALYac	Generic.Dacic.A9349469.A.24A539B4
MAX	malware (ai score=84)

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (39 events)

dead_host	192.168.56.102:49172
dead_host	192.168.56.102:49187
dead_host	192.168.56.102:49167
dead_host	192.168.56.102:49196
dead_host	192.168.56.102:49176
dead_host	192.168.56.102:49191
dead_host	192.168.56.102:49171
dead_host	192.168.56.102:49200
dead_host	192.168.56.102:49195
dead_host	192.168.56.102:49175
dead_host	192.168.56.102:49186
dead_host	192.168.56.102:49166
dead_host	192.168.56.102:49199
dead_host	192.168.56.102:49179
dead_host	192.168.56.102:49190
dead_host	192.168.56.102:49170
dead_host	192.168.56.102:49183
dead_host	192.168.56.102:49194
dead_host	192.168.56.102:49174
dead_host	192.168.56.102:49161
dead_host	192.168.56.102:49198
dead_host	192.168.56.102:49178
dead_host	192.168.56.102:49185
dead_host	192.168.56.102:49165
dead_host	192.168.56.102:49182
dead_host	192.168.56.102:49189
dead_host	172.111.167.99:9595
dead_host	192.168.56.102:49193
dead_host	192.168.56.102:49173
dead_host	192.168.56.102:49184
dead_host	192.168.56.102:49164
dead_host	192.168.56.102:49197
dead_host	192.168.56.102:49177
dead_host	192.168.56.102:49188
dead_host	192.168.56.102:49168
dead_host	192.168.56.102:49201
dead_host	192.168.56.102:49163
dead_host	192.168.56.102:49181
dead_host	192.168.56.102:49192

bRbg.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All