Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 21, 2024, 1:35 p.m.	Oct. 21, 2024, 1:53 p.m.

Size	482.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`13095aaded59fb08db07ecf6bc2387ef`
SHA256	`02b4e1709e79653e9569bf727301f92d4928726ba69d8d764db5841b94d63671`
CRC32	`C8F86ED3`
ssdeep	`6144:iTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZXAXkcr/T4:iTlrYw1RUh3NFn+N5WfIQIjbs/ZXgT4`
Yara	Malicious_Library_Zero - Malicious_Library Network_Downloader - File Downloader PE_Header_Zero - PE File Signature infoStealer_browser_b_Zero - browser info stealer Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

file.exe "C:\Users\test22\AppData\Local\Temp\file.exe"
2552
- remcos.exe "C:\ProgramData\tst\remcos.exe"
  2644

Name	Response	Post-Analysis Lookup
liveos.zapto.org		194.26.192.138

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:61950 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:52815 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:61950 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:52815 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:61950 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:54148 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:52815 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:61950 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:54148 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:52815 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:54148 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:52753 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:54883 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:54148 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:54883 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:54883 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:53850 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:54883 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:53850 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:52797 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:53850 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:52797 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:53850 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:52797 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:58297 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:58297 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:58297 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:58297 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:52753 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:59002 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:59002 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:59002 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:59002 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:55146 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:55146 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:55146 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:55146 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:55146 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:55146 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:55146 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:53850 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:53850 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:53850 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:61950 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:61950 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:61950 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:52797 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:52797 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:52797 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:52797 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:58297 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:58297 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:58297 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:54883 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:54883 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:54883 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:52815 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:52815 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:52815 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

Connects to a Dynamic DNS Domain (1 event)

domain

liveos.zapto.org

A process attempted to delay the analysis task. (1 event)

description

remcos.exe tried to sleep 126 seconds, actually delayed analysis time by 126 seconds

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Oct. 21, 2024, 1:36 p.m.	status_code: 0x00000000 process_identifier: 2700 process_handle: 0x000000dc		0	0
NtTerminateProcess Oct. 21, 2024, 1:36 p.m.	status_code: 0x00000000 process_identifier: 2700 process_handle: 0x000000dc	1	0	0

Installs itself for autorun at Windows startup (6 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN	reg_value	"C:\ProgramData\tst\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN	reg_value	"C:\ProgramData\tst\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Rmc-Y7B4RN	reg_value	"C:\ProgramData\tst\remcos.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN	reg_value	"C:\ProgramData\tst\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN	reg_value	"C:\ProgramData\tst\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Rmc-Y7B4RN	reg_value	"C:\ProgramData\tst\remcos.exe"

File has been identified by 64 AntiVirus engines on VirusTotal as malicious (50 out of 64 events)

Bkav	W32.Common.E47E1310
Lionic	Trojan.Win32.Remcos.m!c
Cynet	Malicious (score: 100)
CAT-QuickHeal	Backdoor.Remcos
Skyhigh	BehavesLike.Win32.Remcos.gh
ALYac	Generic.Remcos.4F506006
Cylance	Unsafe
VIPRE	Generic.Remcos.4F506006
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (D)
BitDefender	Generic.Remcos.4F506006
K7GW	Trojan ( 0053ac2c1 )
K7AntiVirus	Trojan ( 0053ac2c1 )
Arcabit	Generic.Remcos.4F506006
Baidu	Win32.Trojan.Kryptik.awm
VirIT	Trojan.Win32.Remcos.HCY
Symantec	Trojan Horse
Elastic	Windows.Trojan.Remcos
ESET-NOD32	a variant of Win32/Rescoms.B
APEX	Malicious
Avast	Win32:RATX-gen [Trj]
ClamAV	Win.Trojan.Remcos-9841897-0
Kaspersky	HEUR:Backdoor.Win32.Remcos.gen
Alibaba	Backdoor:Win32/Remcos.9a741c32
NANO-Antivirus	Trojan.Win32.Rescoms.kqldxd
SUPERAntiSpyware	Trojan.Agent/Gen-Crypt
MicroWorld-eScan	Generic.Remcos.4F506006
Rising	Backdoor.Remcos!1.BAC7 (CLASSIC)
Emsisoft	Generic.Remcos.4F506006 (B)
F-Secure	Backdoor.BDS/Backdoor.Gen
DrWeb	BackDoor.Remcos.438
Zillya	Trojan.Rescoms.Win32.1913
McAfeeD	Real Protect-LS!13095AADED59
CTX	exe.trojan.remcos
Sophos	Mal/Remcos-B
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.13095aaded59fb08
Jiangmin	Backdoor.Remcos.dzw
Webroot	W32.Trojan.Remcos
Google	Detected
Avira	BDS/Backdoor.Gen
Antiy-AVL	Trojan[Backdoor]/Win32.Rescoms.b
Kingsoft	malware.kb.a.1000
Gridinsoft	Backdoor.Win32.Remcos.sa
Xcitium	Malware@#3183np88l7z4u
Microsoft	Trojan:Win32/Remcos.SD!MTB
ViRobot	Trojan.Win.Z.Remcos.494080.DY
ZoneAlarm	HEUR:Backdoor.Win32.Remcos.gen
GData	Generic.Remcos.4F506006
Varist	W32/Trojan.TEVC-5559

file.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All