Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 12, 2024, 9:42 a.m.	July 12, 2024, 9:45 a.m.

Size	482.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`75d689afb9d588ba45169a8cf4134972`
SHA256	`9f5411bfa192d6d099aa19af966a620b17da4ee5c95e53c0897122eaaf8ae9e6`
CRC32	`69BCAB19`
ssdeep	`6144:8XIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZDAXYcNQ5Gv:8X7tPMK8ctGe4Dzl4h2QnuPs/ZDVcv`
Yara	Network_Downloader - File Downloader Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature infoStealer_browser_b_Zero - browser info stealer Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

R28JUNIOSOST.txt.exe "C:\Users\test22\AppData\Local\Temp\R28JUNIOSOST.txt.exe"
3028

Name	Response	Post-Analysis Lookup
geoplugin.net	A 178.237.33.50	178.237.33.50
newssssssssssssss.duckdns.org	A 152.201.191.104	152.201.191.104

Flow	SID	Signature	Category
UDP 192.168.56.102:63709 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.102:63709 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
TCP 192.168.56.102:49161 -> 152.201.191.104:2404	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	Malware Command and Control Activity Detected
TCP 152.201.191.104:2404 -> 192.168.56.102:49161	2032777	ET MALWARE Remcos 3.x Unencrypted Server Response	Malware Command and Control Activity Detected

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 12, 2024, 9:42 a.m.		1	1	0

section

.gfids

suspicious_features

GET method with no useragent header

suspicious_request

GET http://geoplugin.net/json.gp

domain

newssssssssssssss.duckdns.org

request

GET http://geoplugin.net/json.gp

description

R28JUNIOSOST.txt.exe tried to sleep 350 seconds, actually delayed analysis time by 350 seconds

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA July 12, 2024, 9:42 a.m.	thread_identifier: 0 callback_function: 0x0040a2a4 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	131355	0

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Remcos.m!c
Cynet	Malicious (score: 100)
CAT-QuickHeal	Backdoor.RemcosIH.S31010159
Skyhigh	BehavesLike.Win32.Remcos.gh
ALYac	Generic.Remcos.29C8D90D
Cylance	Unsafe
VIPRE	Generic.Remcos.29C8D90D
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Riskware ( 00584baa1 )
BitDefender	Trojan.GenericKD.73441841
K7GW	Riskware ( 00584baa1 )
Cybereason	malicious.fb9d58
Arcabit	Generic.Remcos.29C8D90D
Baidu	Win32.Trojan.Kryptik.awm
VirIT	Trojan.Win32.Genus.UED
Symantec	ML.Attribute.HighConfidence
Elastic	Windows.Trojan.Remcos
ESET-NOD32	Win32/Rescoms.V
APEX	Malicious
McAfee	Remcos-FDQO!75D689AFB9D5
Avast	Win32:RATX-gen [Trj]
ClamAV	Win.Trojan.Remcos-9841897-0
Kaspersky	HEUR:Backdoor.Win32.Remcos.gen
Alibaba	Backdoor:Win32/Remcos.620d6e1c
NANO-Antivirus	Trojan.Win32.Remcos.keikbt
SUPERAntiSpyware	Trojan.Agent/Gen-Remcos
MicroWorld-eScan	Trojan.GenericKD.73441841
Rising	Backdoor.Remcos!1.BAC7 (CLASSIC)
Emsisoft	Trojan.GenericKD.73441841 (B)
F-Secure	Backdoor.BDS/Backdoor.Gen
DrWeb	Trojan.Siggen22.19832
Zillya	Trojan.Rescoms.Win32.1521
McAfeeD	Real Protect-LS!75D689AFB9D5
FireEye	Generic.mg.75d689afb9d588ba
Sophos	Mal/Remcos-B
Ikarus	Backdoor.Remcos
Jiangmin	Backdoor.Remcos.dyc
Webroot	W32.Trojan.Remcos
Google	Detected
Avira	BDS/Backdoor.Gen
MAX	malware (ai score=84)
Antiy-AVL	Trojan[Backdoor]/Win32.Rescoms.b
Kingsoft	Win32.Hack.Remcos.gen
Gridinsoft	Trojan.Win32.Remcos.tr
Xcitium	Malware@#113viyunu3x7z
Microsoft	Backdoor:Win32/Remcos.GA!MTB
ViRobot	Trojan.Win.Z.Remcos.494080.BQ
ZoneAlarm	HEUR:Backdoor.Win32.Remcos.gen
GData	Win32.Trojan.PSE.1OHYAG0

R28JUNIOSOST.txt.exe