Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 11, 2025, 9:43 a.m.	March 11, 2025, 9:45 a.m.

Size	487.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`d249e2b6f10508da70305bb27bbf43e6`
SHA256	`489a4758ea8e46736dc0f67da790eeba6d5244de889dcee5ff49dcd6e9929736`
CRC32	`1A3E30FC`
ssdeep	`6144:nIlSCa0RPvRz+n8Qr1D0ZGESuHabmvHOE4mCp6qtydBnP+Y4+3sAORZGFX3Xc6oJ:n200OFp+G0imvHn3Cp6qyBP+YdsvZGm`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature infoStealer_browser_b_Zero - browser info stealer Malicious_Packer_Zero - Malicious Packer Network_Downloader - File Downloader IsPE32 - (no description) Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

cozy.exe "C:\Users\test22\AppData\Local\Temp\cozy.exe"
1648

Name	Response	Post-Analysis Lookup
remyma.duckdns.org	A 185.196.9.173	185.196.9.173
geoplugin.net	A 178.237.33.50	178.237.33.50

IP Address	Status	Action
164.124.101.2	Active	Moloch
178.237.33.50	Active	Moloch
185.196.9.173	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.196.9.173:52507 -> 192.168.56.103:49161	2400030	ET DROP Spamhaus DROP Listed Traffic Inbound group 31	Misc Attack
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
TCP 192.168.56.103:49161 -> 185.196.9.173:52507	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.103:49161 185.196.9.173:52507	None	None	None

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 11, 2025, 9:43 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://geoplugin.net/json.gp

Connects to a Dynamic DNS Domain (1 event)

domain

remyma.duckdns.org

Performs some HTTP requests (1 event)

request

GET http://geoplugin.net/json.gp

File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Remcos.m!c
Cynet	Malicious (score: 100)
CAT-QuickHeal	Backdoor.Remcos
Skyhigh	BehavesLike.Win32.Remcos.gh
ALYac	Generic.Dacic.A9349469.A.57A1E868
Cylance	Unsafe
VIPRE	Generic.Dacic.A9349469.A.57A1E868
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Generic.Dacic.A9349469.A.57A1E868
K7GW	Trojan ( 0053ac2c1 )
K7AntiVirus	Trojan ( 0053ac2c1 )
Arcabit	Generic.Dacic.A9349469.A.57A1E868
VirIT	Trojan.Win32.Remcos.DFP
Symantec	ML.Attribute.HighConfidence
Elastic	Windows.Trojan.Remcos
ESET-NOD32	a variant of Win32/Rescoms.B
APEX	Malicious
Avast	Win32:RATX-gen [Trj]
ClamAV	Win.Trojan.Remcos-9841897-0
Kaspersky	HEUR:Backdoor.Win32.Remcos.gen
Alibaba	Backdoor:Win32/Remcos.d7eec816
NANO-Antivirus	Trojan.Win32.Remcos.kvsovm
MicroWorld-eScan	Generic.Dacic.A9349469.A.57A1E868
Rising	Backdoor.Remcos!1.BAC7 (CLASSIC)
Emsisoft	Generic.Dacic.A9349469.A.57A1E868 (B)
F-Secure	Backdoor.BDS/Backdoor.Gen
DrWeb	BackDoor.Remcos.491
Zillya	Trojan.Rescoms.Win32.2189
McAfeeD	Real Protect-LS!D249E2B6F105
CTX	exe.backdoor.remcos
Sophos	Mal/Remcos-B
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.d249e2b6f10508da
Google	Detected
Avira	BDS/Backdoor.Gen
Antiy-AVL	GrayWare/Win32.Wacapew
Kingsoft	Win32.Hack.Remcos.gen
Gridinsoft	Backdoor.Win32.Remcos.sa
Microsoft	Backdoor:Win32/Remcos.GA!MTB
GData	Generic.Dacic.A9349469.A.57A1E868
Varist	W32/Agent.JUB.gen!Eldorado
AhnLab-V3	Backdoor/Win.Remcos.R693720
McAfee	Artemis!D249E2B6F105
DeepInstinct	MALICIOUS
VBA32	BScope.Backdoor.Remcos
Malwarebytes	Backdoor.Remcos
Ikarus	Trojan.Win32.Remcos
Panda	Trj/Genetic.gen

cozy.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All