Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 13, 2025, 9:44 a.m.	March 13, 2025, 9:46 a.m.

Size	235.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`444c83a662cc3f056b30e69ef646c097`
SHA256	`f01c012ed02d1c83885899e0f6dfa0f053a7a16548de074d859428df064d0802`
CRC32	`8CC57AF1`
ssdeep	`3072:QrO63tSvNCRwz34cPY5ggG2UfMvIn6T7vxVuzebnf1hCp/AjgqI3hTBLdS7TXwIn:2H3tEIOz34cPY5gXQH7USGhlU7`
Yara	PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer Network_Downloader - File Downloader IsPE32 - (no description) UPX_Zero - UPX packed file

muk.exe "C:\Users\test22\AppData\Local\Temp\muk.exe"
2544

Name	Response	Post-Analysis Lookup
geoplugin.net	A 178.237.33.50	178.237.33.50

IP Address	Status	Action
164.124.101.2	Active	Moloch
178.237.33.50	Active	Moloch
198.23.227.212	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49161 -> 198.23.227.212:32583	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.101:49161 198.23.227.212:32583	None	None	None

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 13, 2025, 9:44 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://geoplugin.net/json.gp

Performs some HTTP requests (1 event)

request

GET http://geoplugin.net/json.gp

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00036000', u'virtual_address': u'0x0004e000', u'entropy': 7.935739944126659, u'name': u'UPX1', u'virtual_size': u'0x00036000'}

entropy

7.93573994413

description

A section with a high entropy has been found

entropy

0.921108742004

description

Overall entropy of this PE file is high

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Communicates with host for which no DNS query was performed (1 event)

host

198.23.227.212

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Remcos.m!c
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Ghanarava.174172283846c097
Skyhigh	BehavesLike.Win32.Generic.dc
ALYac	Dump:Generic.Remcos.F1511AFA
Cylance	Unsafe
VIPRE	Dump:Generic.Remcos.F1511AFA
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Dump:Generic.Remcos.F1511AFA
K7GW	Trojan ( 0053ac2c1 )
K7AntiVirus	Trojan ( 0053ac2c1 )
Arcabit	Dump:Generic.Remcos.FD5E7AFA
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of Win32/Rescoms.B
APEX	Malicious
Avast	Win32:RATX-gen [Trj]
ClamAV	Win.Trojan.Remcos-9841897-0
Kaspersky	HEUR:Backdoor.Win32.Remcos.gen
Alibaba	Backdoor:Win32/Remcos.d955cdd8
NANO-Antivirus	Trojan.Win32.Remcos.kvsovm
MicroWorld-eScan	Dump:Generic.Remcos.F1511AFA
Rising	Backdoor.Remcos!8.B89E (TFE:5:AyOt9ijbbiR)
Emsisoft	Dump:Generic.Remcos.F1511AFA (B)
F-Secure	Backdoor.BDS/Backdoor.Gen
DrWeb	BackDoor.Remcos.491
TrendMicro	Backdoor.Win32.REMCOS.YXFCLZ
McAfeeD	Real Protect-LS!444C83A662CC
Trapmine	malicious.high.ml.score
CTX	exe.backdoor.remcos
Sophos	Mal/Remcos-B
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.444c83a662cc3f05
Google	Detected
Avira	BDS/Backdoor.Gen
Antiy-AVL	GrayWare/Win32.Wacapew
Kingsoft	malware.kb.b.972
Gridinsoft	Ransom.Win32.Wacatac.sa
Microsoft	Backdoor:Win32/Remcos!rfn
ZoneAlarm	Mal/Remcos-B
GData	Dump:Generic.Remcos.F1511AFA
Varist	W32/ABApplication.ODWR-9196
AhnLab-V3	Trojan/Win.RATX-gen.R625809
McAfee	Artemis!444C83A662CC
DeepInstinct	MALICIOUS
VBA32	BScope.Backdoor.Remcos
Malwarebytes	Malware.AI.2088537425
Ikarus	Trojan.Win32.Remcos

muk.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All