Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | July 25, 2024, 8:48 a.m. | July 25, 2024, 8:50 a.m. |
Process | Path | PID |
---|---|---|
RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | 2152 |
Name | Response | Post-Analysis Lookup |
---|---|---|
bossnacarpet.com | 173.255.204.62 | |
vegetachcnc.com | 173.255.204.62 | |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.103:49186 -> 173.255.204.62:2556 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | Malware Command and Control Activity Detected |
Suricata TLS
No Suricata TLS
Signature | Detail | Description |
---|---|---|
section | .managed | |
section | hydrated | |
resource name | BINARY | |
description | RegSvcs.exe tried to sleep 145 seconds, actually delayed analysis time by 145 seconds | |
section | .rsrc (size_of_data 0x00079400, virtual_address 0x00208000, virtual_size 0x00079280, entropy 7.999297582797411) | A section with a high entropy has been found |
entropy | 0.212719298246 | Overall entropy of this PE file is high |
Rule | Description |
---|---|
Create_Service | Create a windows service |
Client_SW_User_Data_Stealer | Client_SW_User_Data_Stealer |
Win_Backdoor_RemcosRAT | Win Backdoor RemcosRAT |
Network_TCP_Socket | Communications over RAW Socket |
infoStealer_browser_Zero | browser info stealer |
ScreenShot | Take ScreenShot |
Escalate_priviledges | Escalate privileges |
Chrome_User_Data_Check_Zero | Google Chrome User Data Check |
Generic_PWS_Memory_Zero | PWS Memory |
Sniff_Audio | Record Audio |
Network_DNS | Communications use DNS |
DebuggerCheck__GlobalFlags | (no description) |
DebuggerCheck__QueryInfo | (no description) |
DebuggerHiding__Thread | (no description) |
DebuggerHiding__Active | (no description) |
ThreadControl__Context | (no description) |
SEH__vectored | (no description) |
anti_dbg | Checks if being debugged |
disable_dep | Bypass DEP |
win_hook | Affect hook table |
Network_Downloader | File Downloader |
Str_Win32_Internet_API | Match Windows Inet API call |
KeyLogger | Run a KeyLogger |
Engine | Detection |
---|---|
Bkav | W64.AIDetectMalware |
Lionic | Trojan.Win32.Dacic.m!c |
Elastic | malicious (high confidence) |
Cynet | Malicious (score: 99) |
Skyhigh | BehavesLike.Win64.Dropper.vc |
ALYac | Generic.Dacic.3448.5C23E7A0 |
Cylance | Unsafe |
VIPRE | Generic.Dacic.3448.5C23E7A0 |
Sangfor | Backdoor.Win64.Remcos.Vsz7 |
BitDefender | Generic.Dacic.3448.5C23E7A0 |
Cybereason | malicious.a032d1 |
Arcabit | Trojan.Lazy.D866E1 |
VirIT | Trojan.Win64.Genus.GZR |
Symantec | ML.Attribute.HighConfidence |
ESET-NOD32 | a variant of Win64/GenKryptik.GZWY |
APEX | Malicious |
McAfee | Artemis!F6BF8ADA032D |
Avast | Win64:PWSX-gen [Trj] |
ClamAV | Win.Malware.Dacic-10033090-0 |
Kaspersky | Backdoor.Win32.Remcos.yid |
Alibaba | Trojan:Win64/Stealerc.e38e16e2 |
MicroWorld-eScan | Generic.Dacic.3448.5C23E7A0 |
Rising | Stealer.Agent!8.C2 (CLOUD) |
Emsisoft | Generic.Dacic.3448.5C23E7A0 (B) |
F-Secure | Trojan.TR/AD.Remcos.bqqid |
DrWeb | Trojan.DownLoader47.11537 |
TrendMicro | Backdoor.Win64.REMCOS.YXEGXZ |
McAfeeD | ti!153E11471F85 |
FireEye | Generic.Dacic.3448.5C23E7A0 |
Sophos | Mal/Generic-S |
Ikarus | Trojan.Win64.Krypt |
Detected | |
Avira | TR/AD.Remcos.bqqid |
MAX | malware (ai score=81) |
Antiy-AVL | Trojan/Win64.GenKryptik |
Kingsoft | Win32.Troj.Unknown.a |
Gridinsoft | Trojan.Win64.Remcos.tr |
Microsoft | Trojan:Win64/Stealerc.GPA!MTB |
ZoneAlarm | Backdoor.Win32.Remcos.yid |
GData | Win32.Backdoor.Remcos.CAGPNH |
AhnLab-V3 | Trojan/Win.Generic.R658964 |
DeepInstinct | MALICIOUS |
Malwarebytes | Malware.AI.1498013564 |
Panda | Trj/GdSda.A |
TrendMicro-HouseCall | Backdoor.Win64.REMCOS.YXEGXZ |
Tencent | Malware.Win32.Gencirc.141360bb |
MaxSecure | Trojan.Malware.300983.susgen |
Fortinet | W64/GenKryptik.MAGC!tr |
AVG | Win64:PWSX-gen [Trj] |
Paloalto | generic.ml |