popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

dew.txt.exe

Browser Login Data Stealer Generic Malware Malicious Library Downloader UPX Malicious Packer PE File OS Processor Check PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 July 19, 2024, 1:01 p.m. July 19, 2024, 1:03 p.m.
Size 483.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 fa105fc59f412384d0209ea62e257305
SHA256 72fe792e3d0981053e91f2632b432131a289a20e450f0dc1b560e8d354355a4c
CRC32 5D52E515
ssdeep 6144:EXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZoAX0cNT25Gv:EX7tPMK8ctGe4Dzl4h2QnuPs/Zobcv
Yara
  • Network_Downloader - File Downloader
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • infoStealer_browser_b_Zero - browser info stealer
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
geoplugin.net
A 178.237.33.50
178.237.33.50
swre.remwavesw.com
A 141.98.10.11
141.98.10.11
IP Address Status Action
141.98.10.11 Active Moloch
164.124.101.2 Active Moloch
178.237.33.50 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 141.98.10.11:23101 -> 192.168.56.102:49161 2400021 ET DROP Spamhaus DROP Listed Traffic Inbound group 22 Misc Attack
TCP 192.168.56.102:49161 -> 141.98.10.11:23101 2036594 ET JA3 Hash - Remcos 3.x/4.x TLS Connection Malware Command and Control Activity Detected

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.3
192.168.56.102:49161
141.98.10.11:23101 		None None None

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .gfids
suspicious_features GET method with no useragent header suspicious_request GET http://geoplugin.net/json.gp
request GET http://geoplugin.net/json.gp
description dew.txt.exe tried to sleep 350 seconds, actually delayed analysis time by 350 seconds
Time & API Arguments Status Return Repeated

SetWindowsHookExA

 thread_identifier: 0
callback_function: 0x0040a2a4
hook_identifier: 13 (WH_KEYBOARD_LL)
module_address: 0x00400000
1 131357 0
Bkav W32.AIDetectMalware
Elastic Windows.Trojan.Remcos
Cynet Malicious (score: 100)
CAT-QuickHeal Backdoor.RemcosIH.S31010159
Skyhigh BehavesLike.Win32.Remcos.gh
ALYac Generic.Remcos.7B70B83E
Cylance Unsafe
VIPRE Generic.Remcos.7B70B83E
Sangfor Trojan.Win32.Save.a
K7AntiVirus Riskware ( 00584baa1 )
BitDefender Generic.Remcos.7B70B83E
K7GW Riskware ( 00584baa1 )
Cybereason malicious.59f412
Arcabit Generic.Remcos.7B70B83E
Baidu Win32.Trojan.Kryptik.awm
VirIT Trojan.Win32.Genus.UED
Symantec ML.Attribute.HighConfidence
ESET-NOD32 Win32/Rescoms.V
APEX Malicious
McAfee Remcos-FDQO!FA105FC59F41
Avast Win32:RATX-gen [Trj]
ClamAV Win.Trojan.Remcos-9841897-0
Kaspersky HEUR:Backdoor.Win32.Remcos.gen
NANO-Antivirus Trojan.Win32.Remcos.keikbt
SUPERAntiSpyware Trojan.Agent/Gen-Remcos
MicroWorld-eScan Generic.Remcos.7B70B83E
Rising Backdoor.Remcos!1.BAC7 (CLASSIC)
Emsisoft Generic.Remcos.7B70B83E (B)
F-Secure Backdoor.BDS/Backdoor.Gen
DrWeb Trojan.Siggen22.19832
Zillya Trojan.Rescoms.Win32.1521
McAfeeD Real Protect-LS!FA105FC59F41
FireEye Generic.mg.fa105fc59f412384
Sophos Mal/Remcos-B
Ikarus Backdoor.Remcos
Jiangmin Backdoor.Remcos.dyc
Google Detected
Avira BDS/Backdoor.Gen
MAX malware (ai score=85)
Antiy-AVL Trojan[Backdoor]/Win32.Rescoms.b
Kingsoft malware.kb.a.1000
Gridinsoft Ransom.Win32.Wacatac.oa!s1
Microsoft Backdoor:Win32/Remcos.GA!MTB
ZoneAlarm HEUR:Backdoor.Win32.Remcos.gen
GData Win32.Trojan.PSE.1OHYAG0
Varist W32/Trojan.SMWB-4856
AhnLab-V3 Backdoor/Win.Remcos.R625673
BitDefenderTheta Gen:NN.ZexaF.36808.ECW@aO9vXdoi
DeepInstinct MALICIOUS
VBA32 Backdoor.Remcos