popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

BEN.txt.exe

Browser Login Data Stealer Generic Malware Malicious Library Downloader UPX Malicious Packer PE File OS Processor Check PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us July 30, 2024, 9:42 a.m. July 30, 2024, 9:44 a.m.
Size 483.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 550a8fd698db084dde7fd1878981a9a8
SHA256 dea963c6bfa6f5f110ee95cb4156a03a9e0cdc04bc45db340ccc76b48f13b65b
CRC32 046B4479
ssdeep 6144:PXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZ5AXIcNRI5Gv:PX7tPMK8ctGe4Dzl4h2QnuPs/Z5fcv
Yara
  • Network_Downloader - File Downloader
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • infoStealer_browser_b_Zero - browser info stealer
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
geoplugin.net
A 178.237.33.50
178.237.33.50
tochisglobal.ddns.net
A 103.253.17.222
103.253.17.222
IP Address Status Action
103.253.17.222 Active Moloch
164.124.101.2 Active Moloch
178.237.33.50 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53 2028675 ET POLICY DNS Query to DynDNS Domain *.ddns .net Potentially Bad Traffic
TCP 192.168.56.103:49161 -> 103.253.17.222:6426 2036594 ET JA3 Hash - Remcos 3.x/4.x TLS Connection Malware Command and Control Activity Detected

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.3
192.168.56.103:49161
103.253.17.222:6426 		None None None

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .gfids
suspicious_features GET method with no useragent header suspicious_request GET http://geoplugin.net/json.gp
domain tochisglobal.ddns.net
request GET http://geoplugin.net/json.gp
description BEN.txt.exe tried to sleep 350 seconds, actually delayed analysis time by 350 seconds
Time & API Arguments Status Return Repeated

SetWindowsHookExA

 thread_identifier: 0
callback_function: 0x0040a2a4
hook_identifier: 13 (WH_KEYBOARD_LL)
module_address: 0x00400000
1 65999 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Remcos.m!c
Cynet Malicious (score: 100)
CAT-QuickHeal Backdoor.RemcosIH.S31010159
Skyhigh BehavesLike.Win32.Remcos.gh
ALYac Generic.Remcos.D08BCA0E
Cylance Unsafe
VIPRE Generic.Remcos.D08BCA0E
Sangfor Trojan.Win32.Save.a
K7AntiVirus Riskware ( 00584baa1 )
BitDefender Generic.Remcos.D08BCA0E
K7GW Riskware ( 00584baa1 )
Cybereason malicious.698db0
Baidu Win32.Trojan.Kryptik.awm
VirIT Trojan.Win32.Genus.UED
Symantec ML.Attribute.HighConfidence
Elastic Windows.Trojan.Remcos
ESET-NOD32 Win32/Rescoms.V
APEX Malicious
McAfee Remcos-FDQO!550A8FD698DB
Avast Win32:RATX-gen [Trj]
ClamAV Win.Trojan.Remcos-9841897-0
Kaspersky HEUR:Backdoor.Win32.Remcos.gen
Alibaba Backdoor:Win32/Remcos.36bed96c
NANO-Antivirus Trojan.Win32.Remcos.keikbt
SUPERAntiSpyware Trojan.Agent/Gen-Remcos
MicroWorld-eScan Generic.Remcos.D08BCA0E
Rising Backdoor.Remcos!1.BAC7 (CLASSIC)
Emsisoft Generic.Remcos.D08BCA0E (B)
F-Secure Backdoor.BDS/Backdoor.Gen
DrWeb BackDoor.Remcos.433
Zillya Trojan.Rescoms.Win32.1521
McAfeeD Real Protect-LS!550A8FD698DB
FireEye Generic.mg.550a8fd698db084d
Sophos Mal/Remcos-B
Ikarus Win32.Outbreak
Jiangmin Backdoor.Remcos.dyc
Webroot W32.Trojan.Remcos
Google Detected
Avira BDS/Backdoor.Gen
MAX malware (ai score=82)
Antiy-AVL Trojan[Backdoor]/Win32.Rescoms.b
Kingsoft Win32.Hack.Remcos.gen
Gridinsoft Trojan.Win32.Remcos.tr
Arcabit Generic.Remcos.D08BCA0E
ViRobot Trojan.Win.Z.Remcos.494592.TU
ZoneAlarm HEUR:Backdoor.Win32.Remcos.gen
GData Win32.Trojan.PSE.1OHYAG0
Varist W32/Trojan.SMWB-4856
AhnLab-V3 Backdoor/Win.Remcos.R625673