Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 23, 2025, 6:23 p.m.	Jan. 23, 2025, 6:36 p.m.

Size	462.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`448478c46fe0884972f0047c26da0935`
SHA256	`79738b58535815ae65f86122ebd5a8bf26c6801a3238e6be5a59b77a993b60b2`
CRC32	`A86C4A5B`
ssdeep	`6144:3OFBH/FMNjt18F+9a/NgAeDB4CcOtKp03b13a4LJ+sAOZZPWXbTcUjyg:3OFtiNBuFgawDB4NOmuwsfZPUyg`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Network_Downloader - File Downloader infoStealer_browser_b_Zero - browser info stealer Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

22.exe "C:\Users\test22\AppData\Local\Temp\22.exe"
1372

Name	Response	Post-Analysis Lookup
dash1.3utilities.com
dash.3utilities.com
dash3.ddns.net
bash2.accesscam.org	A 192.188.88.248	192.188.88.248
dash4.ddns.net
dash2.ddns.net
bash1.accesscam.org	A 192.188.88.248	192.188.88.248
bash.mywire.org	A 192.188.88.248	192.188.88.248

IP Address	Status	Action
164.124.101.2	Active	Moloch
192.188.88.248	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

Connects to a Dynamic DNS Domain (5 events)

domain	dash4.ddns.net
domain	dash3.ddns.net
domain	dash2.ddns.net
domain	dash1.3utilities.com
domain	dash.3utilities.com

A process attempted to delay the analysis task. (1 event)

description

22.exe tried to sleep 357 seconds, actually delayed analysis time by 357 seconds

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA Jan. 23, 2025, 6:23 p.m.	thread_identifier: 0 callback_function: 0x00408a23 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	66001	0

File has been identified by 63 AntiVirus engines on VirusTotal as malicious (50 out of 63 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Remcos.4!c
tehtris	Generic.Malware
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.MultiRI.S26969863
Skyhigh	BehavesLike.Win32.Remcos.gh
ALYac	Generic.Dacic.A9349469.A.A27C3960
Cylance	Unsafe
VIPRE	Generic.Dacic.A9349469.A.A27C3960
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (D)
BitDefender	Generic.Dacic.A9349469.A.A27C3960
K7GW	Trojan ( 0053ac2c1 )
K7AntiVirus	Trojan ( 0053ac2c1 )
Arcabit	Generic.Dacic.A9349469.A.A27C3960
Baidu	Win32.Trojan.Kryptik.awm
Symantec	ML.Attribute.HighConfidence
Elastic	Windows.Trojan.Remcos
ESET-NOD32	a variant of Win32/Rescoms.B
APEX	Malicious
Avast	Win32:RATX-gen [Trj]
ClamAV	Win.Trojan.Remcos-9841897-0
Kaspersky	HEUR:Trojan.Win32.Generic
Alibaba	Backdoor:Win32/Remcos.8b2ede82
NANO-Antivirus	Trojan.Win32.jnwxkg.jsuxhk
SUPERAntiSpyware	Trojan.Agent/Gen-Crypt
MicroWorld-eScan	Generic.Dacic.A9349469.A.A27C3960
Rising	Backdoor.Remcos!1.BAC7 (CLASSIC)
Emsisoft	Trojan-Spy.Agent (A)
F-Secure	Heuristic.HEUR/AGEN.1319007
DrWeb	Trojan.Siggen16.44935
Zillya	Trojan.Rescoms.Win32.817
McAfeeD	Real Protect-LS!448478C46FE0
CTX	exe.trojan.remcos
Sophos	Troj/Remcos-DI
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.448478c46fe08849
Jiangmin	Trojan.Generic.hffus
Webroot	W32.Trojan.Remcos
Google	Detected
Avira	HEUR/AGEN.1319007
Antiy-AVL	Trojan[Backdoor]/Win32.Remcos
Kingsoft	Win32.Trojan.Generic.a
Gridinsoft	Trojan.Win32.Remcos.tr
Microsoft	Backdoor:Win32/Remcos!pz
ViRobot	Trojan.Win32.Z.Remcos.473600.EJ
GData	Win32.Malware.Bucaspys.B
Varist	W32/Agent.DKW.gen!Eldorado
AhnLab-V3	Trojan/Win.RemcosRAT.R418128
McAfee	GenericRXRV-BT!448478C46FE0

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (20 events)

dead_host	192.168.56.103:49181
dead_host	192.168.56.103:49177
dead_host	192.168.56.103:49174
dead_host	192.168.56.103:49167
dead_host	192.168.56.103:49170
dead_host	192.168.56.103:49163
dead_host	192.168.56.103:49182
dead_host	192.188.88.248:2404
dead_host	192.168.56.103:49175
dead_host	192.168.56.103:49164
dead_host	192.168.56.103:49178
dead_host	192.168.56.103:49171
dead_host	192.168.56.103:49183
dead_host	192.168.56.103:49179
dead_host	192.168.56.103:49168
dead_host	192.168.56.103:49161
dead_host	192.168.56.103:49173
dead_host	192.168.56.103:49176
dead_host	192.168.56.103:49169
dead_host	192.168.56.103:49166

22.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All