Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 17, 2024, 1:21 p.m.	Sept. 17, 2024, 1:32 p.m.

Size	483.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`aa4aca6b0973b169a4242718f04d9c54`
SHA256	`2ff32c90e5a04d6a51e0360368daafe35396561f9687a27306f539ae0f354ade`
CRC32	`BA0FB237`
ssdeep	`6144:RTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZmAX4crxT4:RTlrYw1RUh3NFn+N5WfIQIjbs/ZmyT4`
Yara	Malicious_Library_Zero - Malicious_Library Network_Downloader - File Downloader PE_Header_Zero - PE File Signature infoStealer_browser_b_Zero - browser info stealer Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

ZZ.exe "C:\Users\test22\AppData\Local\Temp\ZZ.exe"
2560

Name	Response	Post-Analysis Lookup
sungito2.ddns.net	A 154.216.19.222	154.216.19.222

IP Address	Status	Action
154.216.19.222	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
TCP 154.216.19.222:6509 -> 192.168.56.101:49161	2400023	ET DROP Spamhaus DROP Listed Traffic Inbound group 24	Misc Attack
UDP 192.168.56.101:53004 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

Connects to a Dynamic DNS Domain (1 event)

domain

sungito2.ddns.net

A process attempted to delay the analysis task. (1 event)

description

ZZ.exe tried to sleep 378 seconds, actually delayed analysis time by 378 seconds

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA Sept. 17, 2024, 1:21 p.m.	thread_identifier: 0 callback_function: 0x0040a2df hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	1245585	0

File has been identified by 64 AntiVirus engines on VirusTotal as malicious (50 out of 64 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Remcos.m!c
Cynet	Malicious (score: 100)
CAT-QuickHeal	Backdoor.Remcos
Skyhigh	BehavesLike.Win32.Remcos.gh
ALYac	Generic.Remcos.88A0BF4A
Cylance	Unsafe
VIPRE	Generic.Remcos.88A0BF4A
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (D)
BitDefender	Generic.Remcos.88A0BF4A
K7GW	Trojan ( 0053ac2c1 )
K7AntiVirus	Trojan ( 0053ac2c1 )
Arcabit	Generic.Remcos.88A0BF4A
Baidu	Win32.Trojan.Kryptik.awm
VirIT	Trojan.Win32.Remcos.HCY
Symantec	ML.Attribute.HighConfidence
Elastic	Windows.Trojan.Remcos
ESET-NOD32	a variant of Win32/Rescoms.B
APEX	Malicious
Avast	Win32:RATX-gen [Trj]
ClamAV	Win.Trojan.Remcos-9841897-0
Kaspersky	HEUR:Backdoor.Win32.Remcos.gen
Alibaba	Backdoor:Win32/Remcos.d4170065
NANO-Antivirus	Trojan.Win32.Rescoms.kqldxd
SUPERAntiSpyware	Trojan.Agent/Gen-Crypt
MicroWorld-eScan	Generic.Remcos.88A0BF4A
Rising	Backdoor.Remcos!1.BAC7 (CLASSIC)
Emsisoft	Generic.Remcos.88A0BF4A (B)
F-Secure	Backdoor.BDS/Backdoor.Gen
DrWeb	BackDoor.Remcos.438
Zillya	Trojan.Rescoms.Win32.1913
McAfeeD	Real Protect-LS!AA4ACA6B0973
CTX	exe.trojan.remcos
Sophos	Mal/Remcos-B
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.aa4aca6b0973b169
Jiangmin	Backdoor.Remcos.dzw
Webroot	W32.Trojan.Remcos
Google	Detected
Avira	BDS/Backdoor.Gen
Antiy-AVL	Trojan[Backdoor]/Win32.Rescoms.b
Kingsoft	Win32.Hack.Remcos.gen
Gridinsoft	Trojan.Win32.Remcos.tr
Microsoft	Backdoor:Win32/Remcos.GA!MTB
ViRobot	Trojan.Win.Z.Remcos.494592.WO
ZoneAlarm	HEUR:Backdoor.Win32.Remcos.gen
GData	Generic.Remcos.88A0BF4A
Varist	W32/Trojan.TEVC-5559
AhnLab-V3	Backdoor/Win.Remcos.R634199

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (50 out of 60 events)

dead_host	192.168.56.101:49191
dead_host	192.168.56.101:49161
dead_host	192.168.56.101:49171
dead_host	192.168.56.101:49192
dead_host	192.168.56.101:49202
dead_host	192.168.56.101:49211
dead_host	192.168.56.101:49165
dead_host	192.168.56.101:49175
dead_host	192.168.56.101:49196
dead_host	192.168.56.101:49206
dead_host	192.168.56.101:49219
dead_host	192.168.56.101:49176
dead_host	192.168.56.101:49215
dead_host	192.168.56.101:49184
dead_host	192.168.56.101:49180
dead_host	192.168.56.101:49193
dead_host	192.168.56.101:49203
dead_host	192.168.56.101:49217
dead_host	192.168.56.101:49188
dead_host	192.168.56.101:49168
dead_host	192.168.56.101:49197
dead_host	192.168.56.101:49207
dead_host	192.168.56.101:49177
dead_host	192.168.56.101:49208
dead_host	192.168.56.101:49172
dead_host	192.168.56.101:49185
dead_host	192.168.56.101:49163
dead_host	192.168.56.101:49216
dead_host	192.168.56.101:49181
dead_host	192.168.56.101:49194
dead_host	192.168.56.101:49212
dead_host	192.168.56.101:49189
dead_host	192.168.56.101:49167
dead_host	192.168.56.101:49220
dead_host	192.168.56.101:49169
dead_host	192.168.56.101:49198
dead_host	154.216.19.222:6509
dead_host	192.168.56.101:49178
dead_host	192.168.56.101:49204
dead_host	192.168.56.101:49209
dead_host	192.168.56.101:49173
dead_host	192.168.56.101:49186
dead_host	192.168.56.101:49200
dead_host	154.216.19.222:5532
dead_host	192.168.56.101:49182
dead_host	192.168.56.101:49195
dead_host	192.168.56.101:49213
dead_host	192.168.56.101:49190
dead_host	192.168.56.101:49170
dead_host	192.168.56.101:49199

ZZ.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All