popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

RGBC.txt.exe

Browser Login Data Stealer Generic Malware Malicious Library Downloader UPX Malicious Packer PE File OS Processor Check PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 July 12, 2024, 3:52 p.m. July 12, 2024, 3:54 p.m.
Size 483.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 80f5b85ee5d79f166a66a2318e06cd3d
SHA256 1ac973018ba8364d23edb3b6b5d262b4cad214e54de48bbf0c8b2aafad3f248f
CRC32 36E96C0E
ssdeep 6144:+XIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZDAXYcN25Gv:+X7tPMK8ctGe4Dzl4h2QnuPs/ZDbcv
Yara
  • Network_Downloader - File Downloader
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • infoStealer_browser_b_Zero - browser info stealer
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
geoplugin.net
A 178.237.33.50
178.237.33.50
sembe.duckdns.org
A 194.187.251.115
194.187.251.115
IP Address Status Action
164.124.101.2 Active Moloch
178.237.33.50 Active Moloch
194.187.251.115 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53 2042936 ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain Potentially Bad Traffic
UDP 192.168.56.101:59002 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
TCP 192.168.56.101:49161 -> 194.187.251.115:14645 2036594 ET JA3 Hash - Remcos 3.x/4.x TLS Connection Malware Command and Control Activity Detected

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.3
192.168.56.101:49161
194.187.251.115:14645 		None None None

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .gfids
suspicious_features GET method with no useragent header suspicious_request GET http://geoplugin.net/json.gp
domain sembe.duckdns.org
request GET http://geoplugin.net/json.gp
description RGBC.txt.exe tried to sleep 350 seconds, actually delayed analysis time by 350 seconds
Time & API Arguments Status Return Repeated

SetWindowsHookExA

 thread_identifier: 0
callback_function: 0x0040a2a4
hook_identifier: 13 (WH_KEYBOARD_LL)
module_address: 0x00400000
1 1704147 0
Bkav W32.Common.29F7FDA3
Lionic Trojan.Win32.Remcos.m!c
Elastic Windows.Trojan.Remcos
Cynet Malicious (score: 100)
CAT-QuickHeal Backdoor.RemcosIH.S31010159
Skyhigh BehavesLike.Win32.Remcos.gh
ALYac Generic.Remcos.0D0CEFB9
Cylance Unsafe
VIPRE Generic.Remcos.0D0CEFB9
Sangfor Trojan.Win32.Save.a
K7AntiVirus Riskware ( 00584baa1 )
BitDefender Generic.Remcos.0D0CEFB9
K7GW Riskware ( 00584baa1 )
Cybereason malicious.ee5d79
Arcabit Generic.Remcos.0D0CEFB9
Baidu Win32.Trojan.Kryptik.awm
VirIT Trojan.Win32.Genus.UED
Symantec Backdoor.Rifelku
ESET-NOD32 Win32/Rescoms.V
APEX Malicious
McAfee Remcos-FDQO!80F5B85EE5D7
Avast Win32:RATX-gen [Trj]
ClamAV Win.Trojan.Remcos-9841897-0
Kaspersky HEUR:Backdoor.Win32.Remcos.gen
Alibaba Backdoor:Win32/Remcos.c375b56a
NANO-Antivirus Trojan.Win32.Remcos.keikbt
SUPERAntiSpyware Trojan.Agent/Gen-Remcos
MicroWorld-eScan Generic.Remcos.0D0CEFB9
Rising Backdoor.Remcos!1.BAC7 (CLASSIC)
Emsisoft Generic.Remcos.0D0CEFB9 (B)
F-Secure Backdoor.BDS/Backdoor.Gen
DrWeb Trojan.Siggen22.19832
Zillya Trojan.Rescoms.Win32.1521
TrendMicro Backdoor.Win32.REMCOS.YXEDYZ
McAfeeD Real Protect-LS!80F5B85EE5D7
FireEye Generic.mg.80f5b85ee5d79f16
Sophos Mal/Remcos-B
Ikarus Backdoor.Remcos
Jiangmin Backdoor.Remcos.dyc
Webroot W32.Trojan.Remcos
Google Detected
Avira BDS/Backdoor.Gen
MAX malware (ai score=80)
Antiy-AVL Trojan[Backdoor]/Win32.Rescoms.b
Kingsoft malware.kb.a.1000
Gridinsoft Ransom.Win32.Wacatac.oa!s1
Xcitium Malware@#1b7b67dre3zpw
Microsoft Backdoor:Win32/Remcos.GA!MTB
ZoneAlarm HEUR:Backdoor.Win32.Remcos.gen
GData Win32.Trojan.PSE.1OHYAG0