Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 24, 2025, 11:59 a.m.	March 24, 2025, 12:05 p.m.

Size	431.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`e6db118809d55b0a47b8c9c757b8a3bf`
SHA256	`26723961a71e810b8e6f2f10d40d1d72f17c4a29d792f2cb49060dbb25fde686`
CRC32	`DA43081F`
ssdeep	`6144:1IdUXq44bq4LrqMUz2y6cdjJ4nCb0KhEekcdK5xAO2XjXapGc39ou:1IdU6tdyDJZQKhEe7WAXWpnou`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature infoStealer_browser_b_Zero - browser info stealer Malicious_Packer_Zero - Malicious Packer Network_Downloader - File Downloader IsPE32 - (no description) Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

rclight.exe "C:\Users\test22\AppData\Local\Temp\rclight.exe"
1932

Name	Response	Post-Analysis Lookup
httpss.myvnc.com	A 178.255.148.203	178.255.148.203

IP Address	Status	Action
164.124.101.2	Active	Moloch
178.255.148.203	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2028685	ET POLICY DNS Query to DynDNS Domain *.myvnc .com	Potentially Bad Traffic
UDP 192.168.56.103:64894 -> 164.124.101.2:53	2028685	ET POLICY DNS Query to DynDNS Domain *.myvnc .com	Potentially Bad Traffic
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2028685	ET POLICY DNS Query to DynDNS Domain *.myvnc .com	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

Connects to a Dynamic DNS Domain (1 event)

domain

httpss.myvnc.com

A process attempted to delay the analysis task. (1 event)

description

rclight.exe tried to sleep 122 seconds, actually delayed analysis time by 122 seconds

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

178.255.148.203:2404

File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Remcos.m!c
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.RemcosRAT.S31331583
Skyhigh	BehavesLike.Win32.Remcos.gh
ALYac	Dump:Generic.Dacic.A9349469.A.75D96589
Cylance	Unsafe
VIPRE	Dump:Generic.Dacic.A9349469.A.75D96589
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Dump:Generic.Dacic.A9349469.A.75D96589
K7GW	Trojan ( 0057919d1 )
K7AntiVirus	Trojan ( 0057919d1 )
Arcabit	Dump:Generic.Dacic.A9349469.A.75D96589
VirIT	Trojan.Win32.GenusC.HWH
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Rescoms.N
APEX	Malicious
Avast	Win32:RATX-gen [Trj]
ClamAV	Win.Trojan.Remcos-9841897-0
Kaspersky	HEUR:Backdoor.Win32.Remcos.gen
Alibaba	Backdoor:Win32/Remcos.0169e3f4
NANO-Antivirus	Trojan.Win32.Remcos.kwaikg
MicroWorld-eScan	Dump:Generic.Dacic.A9349469.A.75D96589
Rising	Backdoor.Remcos!1.BAC7 (CLASSIC)
Emsisoft	Dump:Generic.Dacic.A9349469.A.75D96589 (B)
F-Secure	Backdoor.BDS/Backdoor.Gen
DrWeb	BackDoor.Remcos.494
Zillya	Trojan.Rescoms.Win32.2190
McAfeeD	Real Protect-LS!E6DB118809D5
Trapmine	malicious.moderate.ml.score
CTX	exe.trojan.remcos
Sophos	Mal/Remcos-B
SentinelOne	Static AI - Suspicious PE
FireEye	Generic.mg.e6db118809d55b0a
Google	Detected
Avira	BDS/Backdoor.Gen
Antiy-AVL	Trojan[Backdoor]/Win32.Remcos
Kingsoft	malware.kb.a.1000
Gridinsoft	Backdoor.Win32.Remcos.sa
Microsoft	Trojan:Win32/Remcos!MTB
ZoneAlarm	Mal/Remcos-B
GData	Dump:Generic.Dacic.A9349469.A.75D96589
Varist	W32/Agent.JUB.gen!Eldorado
AhnLab-V3	Trojan/Win.RemcosRAT.R693547
McAfee	GenericRXVH-QA!E6DB118809D5
DeepInstinct	MALICIOUS
VBA32	BScope.Backdoor.RmRAT
Ikarus	Backdoor.Remcos

rclight.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All