Summary | ZeroBOX

MARRON.exe

Browser Login Data Stealer, Generic Malware, Malicious Library, Downloader, UPX, Malicious Packer, PE File, OS Processor Check, PE32
Category: FILE
Machine: s1_win7_x6403_us
Started: Nov. 11, 2024, 10:11 a.m.
Completed: Nov. 11, 2024, 10:15 a.m.
Size: 481.0KB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 5640bcf1ea28494be59aecce64c242ad
SHA256: 25336d94b24bb72f6cea4f73d016781c8fc6d097d6534dbe8a143524a5b3c450
CRC32: 16AF10D4
ssdeep: 12288:ZuD09AUkNIGBYYv4eK13x13nZHSRVMf139F5wIB7+IwtHwBtVxbesvZDSV+DY:M09AfNIEYsunZvZ19ZOs
Yara
  • Malicious_Library_Zero - Malicious_Library
  • Network_Downloader - File Downloader
  • PE_Header_Zero - PE File Signature
  • infoStealer_browser_b_Zero - browser info stealer
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

Name                        Response         Post-Analysis Lookup
concilio399.strangled.net   181.141.40.225

IP Address      Status   Action
164.124.101.2   Active   Moloch

Suricata Alerts

Flow | SID | Signature | Category
UDP 192.168.56.103:64894 -> 164.124.101.2:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:64894 -> 164.124.101.2:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:64894 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:64894 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:64894 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:64894 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:53673 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:53673 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:53673 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:53673 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:56613 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:56613 -> 164.124.101.2:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:56613 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:56613 -> 164.124.101.2:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:56613 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:56613 -> 164.124.101.2:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:56613 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:56613 -> 164.124.101.2:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:56613 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:64178 -> 164.124.101.2:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:64178 -> 164.124.101.2:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:64178 -> 164.124.101.2:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:64894 -> 164.124.101.2:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:64530 -> 164.124.101.2:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:64530 -> 164.124.101.2:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:64530 -> 164.124.101.2:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:53658 -> 164.124.101.2:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:53658 -> 164.124.101.2:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:53658 -> 164.124.101.2:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:53673 -> 164.124.101.2:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:53673 -> 164.124.101.2:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:53673 -> 164.124.101.2:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:62576 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:62576 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:62576 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:62576 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:64178 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:64178 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:64178 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:64178 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:64530 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:64530 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:64530 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:64530 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:53658 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:53658 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:53658 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:53658 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:57986 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:62576 -> 164.124.101.2:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:62576 -> 164.124.101.2:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:62576 -> 164.124.101.2:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:50674 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:50674 -> 164.124.101.2:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:50674 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:50674 -> 164.124.101.2:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:50674 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:50674 -> 164.124.101.2:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:50674 -> 8.8.8.8:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic
UDP 192.168.56.103:57986 -> 164.124.101.2:53 | 2039918 | ET INFO DYNAMIC_DNS Query to a *.strangled .net Domain | Potentially Bad Traffic

Suricata TLS

No Suricata TLS

domain: concilio399.strangled.net
description: MARRON.exe tried to sleep 359 seconds, actually delayed analysis time by 359 seconds
Time & API: SetWindowsHookExA
Arguments:
  • thread_identifier: 0
  • callback_function: 0x004099d0
  • hook_identifier: 13 (WH_KEYBOARD_LL)
  • module_address: 0x00400000
Status: 1
Return: 66001
Repeated: 0

Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Remcos.m!c
Cynet Malicious (score: 100)
CAT-QuickHeal Backdoor.Remcos
Skyhigh BehavesLike.Win32.Remcos.gh
ALYac Generic.Remcos.9DB810DE
Cylance Unsafe
VIPRE Generic.Remcos.9DB810DE
CrowdStrike win/malicious_confidence_100% (W)
BitDefender Generic.Remcos.9DB810DE
K7GW Trojan ( 0053ac2c1 )
K7AntiVirus Trojan ( 0053ac2c1 )
Arcabit Generic.Remcos.9DB810DE
VirIT Trojan.Win32.Genus.WXQ
Symantec ML.Attribute.HighConfidence
Elastic Windows.Trojan.Remcos
ESET-NOD32 a variant of Win32/Rescoms.B
APEX Malicious
Avast Win32:RATX-gen [Trj]
ClamAV Win.Trojan.Remcos-9841897-0
Kaspersky HEUR:Backdoor.Win32.Remcos.gen
Alibaba Backdoor:Win32/Remcos.729df8f6
NANO-Antivirus Trojan.Win32.Remcos.ktfuyr
MicroWorld-eScan Generic.Remcos.9DB810DE
Rising Backdoor.Remcos!1.BAC7 (CLASSIC)
Emsisoft Generic.Remcos.9DB810DE (B)
F-Secure Backdoor.BDS/Backdoor.Gen
DrWeb Trojan.Siggen29.65169
TrendMicro Backdoor.Win32.REMCOS.YXEKHZ
McAfeeD Real Protect-LS!5640BCF1EA28
CTX exe.backdoor.remcos
Sophos Mal/Remcos-B
SentinelOne Static AI - Suspicious PE
FireEye Generic.mg.5640bcf1ea28494b
Google Detected
Avira BDS/Backdoor.Gen
Antiy-AVL Trojan[Backdoor]/Win32.Remcos
Kingsoft malware.kb.a.1000
Gridinsoft Backdoor.Win32.Remcos.sa
Microsoft Backdoor:Win32/Remcos.GA!MTB
ViRobot Trojan.Win.Z.Remcos.492544.A
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Generic.Remcos.9DB810DE
Varist W32/Swizzor-based.4!Maximus
AhnLab-V3 Backdoor/Win.Remcos.R679222
McAfee Artemis!5640BCF1EA28
DeepInstinct MALICIOUS
VBA32 BScope.Backdoor.Remcos
Malwarebytes Backdoor.Remcos
Ikarus Backdoor.Remcos