Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 21, 2024, 1:36 p.m.	Oct. 21, 2024, 1:47 p.m.

Size	482.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`6520492a4e7f9bc4dfb068de1c7b6450`
SHA256	`94465e214c05a6b477f6310957448e7d891ce37c960e36d246294eb6843081aa`
CRC32	`B746187C`
ssdeep	`6144:KTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZXAXkcr8T4:KTlrYw1RUh3NFn+N5WfIQIjbs/ZX/T4`
Yara	Malicious_Library_Zero - Malicious_Library Network_Downloader - File Downloader PE_Header_Zero - PE File Signature infoStealer_browser_b_Zero - browser info stealer Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

DEF.exe "C:\Users\test22\AppData\Local\Temp\DEF.exe"
1648
- music.exe "C:\ProgramData\db\music.exe"
  2080

Name	Response	Post-Analysis Lookup
liveos.zapto.org		194.26.192.138

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:56613 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:53673 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:56613 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:64894 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:56613 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:64894 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:56613 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:53673 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:64894 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:56613 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:53673 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:53673 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:64894 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:64894 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:53673 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:53673 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:64178 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:53673 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:62576 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:64178 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:64894 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:62576 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:62576 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:56613 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:64178 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:62576 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:64178 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:62576 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:64894 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:62576 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:64530 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:62576 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:64530 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:53658 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:64530 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:64530 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:64178 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:53658 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:64530 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:64530 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:64178 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:53658 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:64530 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:64178 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:53658 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:50674 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:57986 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:50674 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:57986 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:50674 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:56613 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:50674 -> 8.8.8.8:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:53658 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:53658 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:53658 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:50674 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:50674 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.103:50674 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

Connects to a Dynamic DNS Domain (1 event)

domain

liveos.zapto.org

A process attempted to delay the analysis task. (1 event)

description

music.exe tried to sleep 126 seconds, actually delayed analysis time by 126 seconds

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Oct. 21, 2024, 1:36 p.m.	status_code: 0x00000000 process_identifier: 2152 process_handle: 0x000000e8		0	0
NtTerminateProcess Oct. 21, 2024, 1:36 p.m.	status_code: 0x00000000 process_identifier: 2152 process_handle: 0x000000e8	1	0	0

Installs itself for autorun at Windows startup (6 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-GHRUZU	reg_value	"C:\ProgramData\db\music.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-GHRUZU	reg_value	"C:\ProgramData\db\music.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Rmc-GHRUZU	reg_value	"C:\ProgramData\db\music.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-GHRUZU	reg_value	"C:\ProgramData\db\music.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-GHRUZU	reg_value	"C:\ProgramData\db\music.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Rmc-GHRUZU	reg_value	"C:\ProgramData\db\music.exe"

Expresses interest in specific running processes (1 event)

process: potential process injection target

svchost.exe

File has been identified by 64 AntiVirus engines on VirusTotal as malicious (50 out of 64 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Remcos.m!c
Cynet	Malicious (score: 100)
CAT-QuickHeal	Backdoor.Remcos
Skyhigh	BehavesLike.Win32.Remcos.gh
ALYac	Generic.Remcos.F4F3D442
Cylance	Unsafe
VIPRE	Generic.Remcos.F4F3D442
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (D)
BitDefender	Generic.Remcos.F4F3D442
K7GW	Trojan ( 0053ac2c1 )
K7AntiVirus	Trojan ( 0053ac2c1 )
Arcabit	Generic.Remcos.F4F3D442
Baidu	Win32.Trojan.Kryptik.awm
VirIT	Trojan.Win32.Remcos.HCY
Symantec	ML.Attribute.HighConfidence
Elastic	Windows.Trojan.Remcos
ESET-NOD32	a variant of Win32/Rescoms.B
APEX	Malicious
Avast	Win32:RATX-gen [Trj]
ClamAV	Win.Trojan.Remcos-9841897-0
Kaspersky	HEUR:Backdoor.Win32.Remcos.gen
Alibaba	Backdoor:Win32/Remcos.2cfaafb7
NANO-Antivirus	Trojan.Win32.Rescoms.kqldxd
SUPERAntiSpyware	Trojan.Agent/Gen-Crypt
MicroWorld-eScan	Generic.Remcos.F4F3D442
Rising	Backdoor.Remcos!1.BAC7 (CLASSIC)
Emsisoft	Generic.Remcos.F4F3D442 (B)
F-Secure	Backdoor.BDS/Backdoor.Gen
DrWeb	BackDoor.Remcos.438
Zillya	Trojan.Rescoms.Win32.1913
McAfeeD	Real Protect-LS!6520492A4E7F
CTX	exe.trojan.remcos
Sophos	Mal/Remcos-B
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.6520492a4e7f9bc4
Jiangmin	Backdoor.Remcos.dzw
Webroot	W32.Trojan.Remcos
Google	Detected
Avira	BDS/Backdoor.Gen
Antiy-AVL	Trojan[Backdoor]/Win32.Rescoms.b
Kingsoft	malware.kb.a.1000
Gridinsoft	Backdoor.Win32.Remcos.sa
Xcitium	Malware@#20hc4yzez5yw7
Microsoft	Backdoor:Win32/Remcos.GA!MTB
ViRobot	Trojan.Win.Z.Remcos.494080.DZ
ZoneAlarm	HEUR:Backdoor.Win32.Remcos.gen
GData	Generic.Remcos.F4F3D442
Varist	W32/Trojan.TEVC-5559

DEF.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All