Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | June 19, 2024, 9:55 a.m. | June 19, 2024, 10:02 a.m. |
Process | Command line | PID |
---|---|---|
CasPol.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" | 2112 |
CasPol.exe is a legitimate, signed .NET Framework utility; network activity attributed to it in a sandbox run is a common sign that a loader injected or hollowed its payload into that host process rather than running under its own image name.
Name | Response | Post-Analysis Lookup |
---|---|---|
geoplugin.net | 178.237.33.50 | |
bossnacarpet.com | 107.173.4.18 | |
geoplugin.net is a public geolocation API, so on its own it is not an indicator; the flow that Suricata attributes to Remcos below goes to bossnacarpet.com (107.173.4.18) on TCP/30902, which is the C2 indicator to act on.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.103:49164 -> 107.173.4.18:30902 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | Malware Command and Control Activity Detected |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLS 1.3 192.168.56.103:49164 -> 107.173.4.18:30902 | None | None | None |
Under TLS 1.3 the server certificate is sent encrypted, so issuer, subject and certificate fingerprint cannot be recovered passively; the JA3 match above is computed from the ClientHello, which remains cleartext in TLS 1.3 and is why the alert still fires.
Static indicator | Value |
---|---|
section | .managed |
section | hydrated |
resource name | BINARY |
".managed" and "hydrated" are not section names emitted by standard linkers; together with a resource named BINARY they point at a custom loader carrying an embedded payload.
HTTP | Value |
---|---|
request | GET http://geoplugin.net/json.gp |
suspicious_features | GET method with no useragent header |
Section | Virtual address | Virtual size | Size of data | Entropy | Description |
---|---|---|---|---|---|
.rdata | 0x00203000 | 0x000e5454 | 0x000e5600 | 6.828 | A section with a high entropy has been found |
.rsrc | 0x00316000 | 0x000792c8 | 0x00079400 | 7.999 | A section with a high entropy has been found |
Overall | | | | 0.450 | Overall entropy of this PE file is high |
The "Overall" figure is not a Shannon entropy: in this signature it is the fraction of all section data that lives in sections flagged as high-entropy (here 0xe5600 + 0x79400 = 0x15ea00 bytes across .rdata and .rsrc), so 0.45 means roughly 45% of the file's section bytes look compressed or encrypted. The .rsrc value of 7.999 bits per byte is indistinguishable from random data, consistent with packed or encrypted content; a high-entropy .rdata is also unusual for a plain compiler-generated binary.
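As an added example (this is not the sandbox's own code or output), the following Python reproduces the two entropy marks above: per-section Shannon entropy with the 6.8 bits-per-byte threshold and the whole-file ratio with its 0.2 threshold. Both thresholds are assumed from the Cuckoo/CAPE "packer_entropy" signature that produces this wording; the report does not state them. The PE image the script analyses is constructed inline (a valid section table only, not a runnable executable), with a plain .text, a zeroed .data and a .rsrc filled with a deterministic SHA-256 chain standing in for packed data.

```python
import hashlib
import math
import struct
from collections import Counter

# Thresholds assumed from the Cuckoo/CAPE "packer_entropy" signature (not stated in the report).
SECTION_ENTROPY_THRESHOLD = 6.8   # bits per byte, per section
COMPRESSED_RATIO_THRESHOLD = 0.2  # share of all section bytes that sit in flagged sections


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte: 0.0 for empty/constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Walk the PE section table; yield (name, virtual_address, virtual_size, size_of_data, raw_bytes)."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    (num_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_hdr_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_hdr_size  # section headers directly follow the optional header
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        yield name, vaddr, vsize, raw_size, pe[raw_ptr:raw_ptr + raw_size]


def packer_entropy(pe: bytes):
    """
    Reproduce the report's two marks:
      per section: entropy > 6.8            -> "A section with a high entropy has been found"
      whole file:  flagged bytes / all section bytes > 0.2 -> "Overall entropy of this PE file is high"
    Returns (flagged_sections, ratio, file_flagged); flagged_sections is a list of (name, entropy).
    """
    total_bytes = flagged_bytes = 0
    flagged = []
    for name, _vaddr, _vsize, raw_size, raw in parse_sections(pe):
        total_bytes += raw_size
        ent = shannon_entropy(raw)
        if ent > SECTION_ENTROPY_THRESHOLD:
            flagged.append((name, round(ent, 4)))
            flagged_bytes += raw_size
    ratio = flagged_bytes / total_bytes if total_bytes else 0.0
    return flagged, ratio, ratio > COMPRESSED_RATIO_THRESHOLD


def build_test_pe(sections):
    """Constructed test input: a minimal PE32+ image with a valid section table (not meant to run).
    `sections` is a list of (name, raw_bytes); raw data is placed at 0x200-aligned file offsets."""
    file_align = 0x200
    opt_hdr = struct.pack("<H", 0x20B) + b"\0" * 238  # PE32+ magic, remaining fields zeroed
    e_lfanew = 0x40
    hdr_end = e_lfanew + 4 + 20 + len(opt_hdr) + 40 * len(sections)
    raw_ptr = (hdr_end + file_align - 1) // file_align * file_align
    sect_hdrs, blobs, vaddr = b"", b"", 0x1000
    for name, raw in sections:
        raw_size = (len(raw) + file_align - 1) // file_align * file_align
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(raw), vaddr,
                                 raw_size, raw_ptr + len(blobs), 0, 0, 0, 0, 0x40000040)
        blobs += raw + b"\0" * (raw_size - len(raw))
        vaddr += (raw_size + 0xFFF) // 0x1000 * 0x1000
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt_hdr), 0x22)
    headers = dos + b"PE\0\0" + coff + opt_hdr + sect_hdrs
    return headers + b"\0" * (raw_ptr - len(headers)) + blobs


def pseudo_random_bytes(n: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed or encrypted data."""
    out, block = b"", b"constructed-seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample: 4096 bytes of .text at exactly 4.0 bits/byte, 2048 zero bytes of .data,
# and a 2048-byte .rsrc of near-random data (like the report's .rsrc at 7.999 bits/byte).
SAMPLE_PE = build_test_pe([
    (".text", bytes(range(16)) * 256),
    (".data", b"\0" * 2048),
    (".rsrc", pseudo_random_bytes(2048)),
])

if __name__ == "__main__":
    flagged, ratio, hit = packer_entropy(SAMPLE_PE)
    for name, ent in flagged:
        print(f"{name}: entropy {ent} -> A section with a high entropy has been found")
    print(f"overall ratio {ratio:.3f} -> {'Overall entropy of this PE file is high' if hit else 'below threshold'}")
```

The second threshold matters in practice: a small encrypted config blob in its own section trips the per-section mark but not the whole-file one, whereas a large packed payload in .rsrc, as in this report, trips both. Applied to the report's numbers, the 0.450 ratio and the 0x15ea00 flagged bytes imply about 3.2 MB of section data in the analysed file.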
Rule | Description |
---|---|
Create_Service | Create a Windows service |
Client_SW_User_Data_Stealer | Client_SW_User_Data_Stealer |
Win_Backdoor_RemcosRAT | Win Backdoor RemcosRAT |
Network_TCP_Socket | Communications over RAW Socket |
infoStealer_browser_Zero | browser info stealer |
ScreenShot | Take ScreenShot |
Escalate_priviledges | Escalate privileges |
Chrome_User_Data_Check_Zero | Google Chrome User Data Check |
Generic_PWS_Memory_Zero | PWS Memory |
Sniff_Audio | Record Audio |
Network_DNS | Communications use DNS |
DebuggerCheck__GlobalFlags | (no description) |
DebuggerCheck__QueryInfo | (no description) |
DebuggerHiding__Thread | (no description) |
DebuggerHiding__Active | (no description) |
ThreadControl__Context | (no description) |
SEH__vectored | (no description) |
anti_dbg | Checks if being debugged |
disable_dep | Bypass DEP |
win_hook | Affect hook table |
Network_Downloader | File Downloader |
Str_Win32_Internet_API | Match Windows Inet API call |
KeyLogger | Run a KeyLogger |
Engine | Detection |
---|---|
Lionic | Trojan.Win32.Remcos.m!c |
Elastic | malicious (moderate confidence) |
ALYac | Gen:Variant.Lazy.550625 |
VIPRE | Gen:Variant.Lazy.550625 |
Sangfor | Backdoor.Win32.Kryptik.V18p |
BitDefender | Gen:Variant.Lazy.550625 |
Cybereason | malicious.ab2386 |
VirIT | Trojan.Win64.Genus.GVM |
Symantec | ML.Attribute.HighConfidence |
ESET-NOD32 | a variant of Win64/Kryptik.EKY |
Avast | FileRepMalware [Rat] |
Kaspersky | Backdoor.Win32.Remcos.ycb |
MicroWorld-eScan | Gen:Variant.Lazy.550625 |
Rising | Stealer.Convagent!8.1326D (CLOUD) |
Emsisoft | Gen:Variant.Lazy.550625 (B) |
DrWeb | Trojan.DownLoader47.3994 |
TrendMicro | Backdoor.Win64.REMCOS.YXEFRZ |
McAfeeD | ti!D613ABFDE1E4 |
FireEye | Gen:Variant.Lazy.550625 |
Sophos | Mal/Generic-S |
Ikarus | Win32.Outbreak |
Webroot | W32.Malware.Gen |
MAX | malware (ai score=86) |
Kingsoft | Win32.Troj.Unknown.a |
Gridinsoft | Trojan.Win64.Remcos.tr |
Arcabit | Trojan.Lazy.D866E1 |
ZoneAlarm | Backdoor.Win32.Remcos.ycb |
Varist | W64/ABRisk.KMWE-1328 |
AhnLab-V3 | Trojan/Win.Generic.C5641290 |
DeepInstinct | MALICIOUS |
Malwarebytes | Trojan.MalPack |
Panda | Trj/Chgt.AD |
TrendMicro-HouseCall | Backdoor.Win64.REMCOS.YXEFRZ |
Yandex | Trojan.PWS.Agensla!IeG/EetC8ic |
MaxSecure | Win.MxResIcn.Heur.Gen |
Fortinet | W64/GenKryptik.MAGC!tr |
AVG | FileRepMalware [Rat] |
Paloalto | generic.ml |
alibabacloud | Trojan:Win/Kryptik.EHT |