popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

respaldo.txt.exe

Browser Login Data Stealer Generic Malware Malicious Library Downloader UPX Malicious Packer PE File OS Processor Check PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 July 29, 2024, 4:57 p.m. July 29, 2024, 4:59 p.m.
Size 482.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 1568abb08de05c87e94ce4f639a05636
SHA256 fdb4361702ff1a7dbab2ad1a6251f3e74d608e47e8090e074e9e3b091bf18fac
CRC32 EF95D830
ssdeep 6144:0XIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZDAXYcN+5Gv:0X7tPMK8ctGe4Dzl4h2QnuPs/ZDrcv
Yara
  • Network_Downloader - File Downloader
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • infoStealer_browser_b_Zero - browser info stealer
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
wwwwwwwwww.duckdns.org
A 152.201.163.76
152.201.163.76
geoplugin.net
A 178.237.33.50
178.237.33.50
IP Address Status Action
152.201.163.76 Active Moloch
164.124.101.2 Active Moloch
178.237.33.50 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.102:63709 -> 164.124.101.2:53 2042936 ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain Potentially Bad Traffic
UDP 192.168.56.102:63709 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
TCP 192.168.56.102:49161 -> 152.201.163.76:2001 2032776 ET MALWARE Remcos 3.x Unencrypted Checkin Malware Command and Control Activity Detected
TCP 152.201.163.76:2001 -> 192.168.56.102:49161 2032777 ET MALWARE Remcos 3.x Unencrypted Server Response Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .gfids
suspicious_features GET method with no useragent header suspicious_request GET http://geoplugin.net/json.gp
domain wwwwwwwwww.duckdns.org
request GET http://geoplugin.net/json.gp
description respaldo.txt.exe tried to sleep 350 seconds, actually delayed analysis time by 350 seconds
Time & API Arguments Status Return Repeated

SetWindowsHookExA

 thread_identifier: 0
callback_function: 0x0040a2a4
hook_identifier: 13 (WH_KEYBOARD_LL)
module_address: 0x00400000
1 131355 0
Bkav W32.AIDetectMalware
Elastic Windows.Trojan.Remcos
Cynet Malicious (score: 100)
CAT-QuickHeal Backdoor.RemcosIH.S31010159
Skyhigh BehavesLike.Win32.Remcos.gh
ALYac Generic.Remcos.0B44352C
Cylance Unsafe
VIPRE Generic.Remcos.0B44352C
Sangfor Trojan.Win32.Save.a
K7AntiVirus Riskware ( 00584baa1 )
BitDefender Generic.Remcos.0B44352C
K7GW Riskware ( 00584baa1 )
Cybereason malicious.08de05
Arcabit Generic.Remcos.0B44352C
Baidu Win32.Trojan.Kryptik.awm
VirIT Trojan.Win32.Genus.UED
Symantec ML.Attribute.HighConfidence
ESET-NOD32 Win32/Rescoms.V
APEX Malicious
McAfee Remcos-FDQO!1568ABB08DE0
Avast Win32:RATX-gen [Trj]
ClamAV Win.Trojan.Remcos-9841897-0
Kaspersky HEUR:Backdoor.Win32.Remcos.gen
NANO-Antivirus Trojan.Win32.Remcos.keikbt
SUPERAntiSpyware Trojan.Agent/Gen-Remcos
MicroWorld-eScan Generic.Remcos.0B44352C
Rising Backdoor.Remcos!1.BAC7 (CLASSIC)
Emsisoft Generic.Remcos.0B44352C (B)
F-Secure Backdoor.BDS/Backdoor.Gen
DrWeb BackDoor.Remcos.433
Zillya Trojan.Rescoms.Win32.1521
McAfeeD Real Protect-LS!1568ABB08DE0
FireEye Generic.mg.1568abb08de05c87
Sophos Mal/Remcos-B
SentinelOne Static AI - Malicious PE
Jiangmin Backdoor.Remcos.dyc
Google Detected
Avira BDS/Backdoor.Gen
MAX malware (ai score=89)
Antiy-AVL Trojan[Backdoor]/Win32.Rescoms.b
Kingsoft malware.kb.a.1000
Gridinsoft Ransom.Win32.Wacatac.oa!s1
Microsoft Backdoor:Win32/Remcos.GA!MTB
ZoneAlarm HEUR:Backdoor.Win32.Remcos.gen
GData Win32.Trojan.PSE.1OHYAG0
Varist W32/Trojan.SMWB-4856
AhnLab-V3 Backdoor/Win.Remcos.R625673
BitDefenderTheta Gen:NN.ZexaF.36810.ECW@ayeRmJhi
DeepInstinct MALICIOUS
VBA32 Backdoor.Remcos