Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | July 27, 2024, 3 p.m. | July 27, 2024, 3:02 p.m. |
Process | Command line | PID |
---|---|---|
HNBC.txt.exe | C:\Users\test22\AppData\Local\Temp\HNBC.txt.exe /stext "C:\Users\test22\AppData\Local\Temp\xnmyaszcvv" | 1368 |
HNBC.txt.exe | C:\Users\test22\AppData\Local\Temp\HNBC.txt.exe /stext "C:\Users\test22\AppData\Local\Temp\hhrrtdkereoho" | 2328 |
HNBC.txt.exe | C:\Users\test22\AppData\Local\Temp\HNBC.txt.exe /stext "C:\Users\test22\AppData\Local\Temp\jkxctvvyfmgmzfsz" | 2404 |
Name | Response | Post-Analysis Lookup |
---|---|---|
geoplugin.net | 178.237.33.50 | |
maveing.duckdns.org | 192.3.101.142 | |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.102:49163 -> 192.3.101.142:18576 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | Malware Command and Control Activity Detected |
TCP 192.168.56.102:49161 -> 192.3.101.142:18576 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | Malware Command and Control Activity Detected |
UDP 192.168.56.102:64513 -> 164.124.101.2:53 | 2042936 | ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain | Potentially Bad Traffic |
UDP 192.168.56.102:64513 -> 164.124.101.2:53 | 2022918 | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain | Misc activity |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLS 1.3 192.168.56.102:49163 192.3.101.142:18576 | None | None | None |
TLS 1.3 192.168.56.102:49161 192.3.101.142:18576 | None | None | None |
section | .gfids |
suspicious_features | GET method with no useragent header |
suspicious_request | GET http://geoplugin.net/json.gp |
domain | maveing.duckdns.org |
request | GET http://geoplugin.net/json.gp |
description | HNBC.txt.exe tried to sleep 360 seconds, actually delayed analysis time by 360 seconds |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Login Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Web Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Login Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Login Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Login Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Login Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny\Web Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Floc\Login Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Web Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Login Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Floc\Web Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Web Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Web Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Login Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Web Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Web Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Login Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Web Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\Login Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Web Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Web Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Web Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Web Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Web Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Login Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Web Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Login Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Login Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Login Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Login Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Login Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Login Data |
description | Take ScreenShot | rule | ScreenShot |
description | (no description) | rule | DebuggerCheck__GlobalFlags |
description | (no description) | rule | DebuggerCheck__QueryInfo |
description | (no description) | rule | DebuggerHiding__Thread |
description | (no description) | rule | DebuggerHiding__Active |
description | (no description) | rule | ThreadControl__Context |
description | (no description) | rule | SEH__vectored |
description | Checks if being debugged | rule | anti_dbg |
description | Bypass DEP | rule | disable_dep |
description | Take ScreenShot | rule | ScreenShot |
description | (no description) | rule | DebuggerCheck__GlobalFlags |
description | (no description) | rule | DebuggerCheck__QueryInfo |
description | (no description) | rule | DebuggerHiding__Thread |
description | (no description) | rule | DebuggerHiding__Active |
description | (no description) | rule | ThreadControl__Context |
description | (no description) | rule | SEH__vectored |
description | Checks if being debugged | rule | anti_dbg |
description | Bypass DEP | rule | disable_dep |
description | Take ScreenShot | rule | ScreenShot |
description | (no description) | rule | DebuggerCheck__GlobalFlags |
description | (no description) | rule | DebuggerCheck__QueryInfo |
description | (no description) | rule | DebuggerHiding__Thread |
description | (no description) | rule | DebuggerHiding__Active |
description | (no description) | rule | ThreadControl__Context |
description | (no description) | rule | SEH__vectored |
description | Checks if being debugged | rule | anti_dbg |
description | Bypass DEP | rule | disable_dep |
file | C:\Users\test22\AppData\Local\Temp\hhrrtdkereoho |
file | C:\Users\test22\AppData\Roaming\Digsby\digsby.dat |
file | C:\Users\test22\AppData\Roaming\MySpace\IM\users.txt |
registry | HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords |
registry | HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts |
registry | HKEY_CURRENT_USER\Software\Paltalk |
registry | HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts |
registry | HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail |
registry | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 |
registry | HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts |
registry | HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird |
registry | HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts |
Vendor | Result |
---|---|
Bkav | W32.AIDetectMalware |
Elastic | Windows.Trojan.Remcos |
Cynet | Malicious (score: 100) |
CAT-QuickHeal | Backdoor.RemcosIH.S31010159 |
Skyhigh | BehavesLike.Win32.Remcos.gh |
ALYac | Generic.Remcos.13284579 |
Cylance | Unsafe |
VIPRE | Generic.Remcos.13284579 |
Sangfor | Trojan.Win32.Save.a |
K7AntiVirus | Riskware ( 00584baa1 ) |
BitDefender | Generic.Remcos.13284579 |
K7GW | Riskware ( 00584baa1 ) |
Cybereason | malicious.58a227 |
Arcabit | Generic.Remcos.DCAB4E3 |
Baidu | Win32.Trojan.Kryptik.awm |
VirIT | Trojan.Win32.Genus.UED |
Symantec | ML.Attribute.HighConfidence |
ESET-NOD32 | Win32/Rescoms.V |
APEX | Malicious |
McAfee | Remcos-FDQO!2B985C758A22 |
Avast | Win32:RATX-gen [Trj] |
ClamAV | Win.Trojan.Remcos-9841897-0 |
Kaspersky | HEUR:Backdoor.Win32.Remcos.gen |
NANO-Antivirus | Trojan.Win32.Remcos.keikbt |
SUPERAntiSpyware | Trojan.Agent/Gen-Remcos |
MicroWorld-eScan | Generic.Remcos.13284579 |
Rising | Backdoor.Remcos!1.BAC7 (CLASSIC) |
Emsisoft | Generic.Remcos.13284579 (B) |
F-Secure | Backdoor.BDS/Backdoor.Gen |
DrWeb | BackDoor.Remcos.433 |
Zillya | Trojan.Rescoms.Win32.1521 |
McAfeeD | Real Protect-LS!2B985C758A22 |
FireEye | Generic.mg.2b985c758a227407 |
Sophos | Mal/Remcos-B |
SentinelOne | Static AI - Malicious PE |
Jiangmin | Backdoor.Remcos.dyc |
Avira | BDS/Backdoor.Gen |
MAX | malware (ai score=89) |
Antiy-AVL | Trojan[Backdoor]/Win32.Rescoms.b |
Kingsoft | Win32.Hack.Remcos.gen |
Gridinsoft | Ransom.Win32.Wacatac.oa!s1 |
Microsoft | Backdoor:Win32/Remcos.GA!MTB |
ZoneAlarm | HEUR:Backdoor.Win32.Remcos.gen |
GData | Win32.Trojan.PSE.1OHYAG0 |
Varist | W32/Trojan.SMWB-4856 |
AhnLab-V3 | Backdoor/Win.Remcos.R625673 |
BitDefenderTheta | Gen:NN.ZexaF.36810.ECW@a4Zb!zoi |
DeepInstinct | MALICIOUS |
VBA32 | Backdoor.Remcos |