Summary | ZeroBOX

ASEGNEGROMARZ.exe

Browser Login Data Stealer Generic Malware Malicious Library Downloader UPX Malicious Packer PE File OS Processor Check PE32
Category: FILE
Machine: s1_win7_x6403_us
Started: March 28, 2025, 9:47 a.m.
Completed: March 28, 2025, 9:50 a.m.
Size 486.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 6f464f8abb486d07b1369213c207fb54
SHA256 62ebee27e520761cee2aac9de8074e73364a2e5a7677157b358300b132129d39
CRC32 E81D54B9
ssdeep 6144:BIlSCa0RPvRz+n8Qr1D0ZGESuHabmvHOE4mCp6qtydBnP+Y4+3sAORZGFX3Xc6KJ:B200OFp+G0imvHn3Cp6qyBP+YdsvZG8
Yara
  • PE_Header_Zero - PE File Signature
  • Malicious_Library_Zero - Malicious_Library
  • infoStealer_browser_b_Zero - browser info stealer
  • Network_Downloader - File Downloader
  • IsPE32 - (no description)
  • Malicious_Packer_Zero - Malicious Packer
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check
  • UPX_Zero - UPX packed file

IP Address Status Action
164.124.101.2 Active Moloch
178.237.33.50 Active Moloch
192.159.99.113 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53 2042936 ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
TCP 192.168.56.103:49161 -> 192.159.99.113:8040 2032776 ET MALWARE Remcos 3.x Unencrypted Checkin Malware Command and Control Activity Detected
TCP 192.159.99.113:8040 -> 192.168.56.103:49161 2032777 ET MALWARE Remcos 3.x Unencrypted Server Response Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleA

buffer: Remcos v6.1.0 Pro © BreakingSecurity.net
console_handle: 0x0000000f
1 1 0

WriteConsoleA

buffer: 10:07:17:031 i | Remcos Agent initialized
console_handle: 0x0000000f
1 1 0

WriteConsoleA

buffer: 10:07:17:031 i | Offline Keylogger Started
console_handle: 0x0000000f
1 1 0

WriteConsoleA

buffer: 10:07:17:031 i | Access Level: Administrator
console_handle: 0x0000000f
1 1 0

WriteConsoleA

buffer: 10:07:17:031 i | Connecting | TLS Off | esteesnuevo2025.duckdns.org:8040
console_handle: 0x0000000f
1 1 0

WriteConsoleA

buffer: 10:07:17:562 i | Connected | TLS Off | esteesnuevo2025.duckdns.org:8040
console_handle: 0x0000000f
1 1 0

WriteConsoleA

buffer: 10:07:17:859 i | KeepAlive | Enabled | Timeout: 60
console_handle: 0x0000000f
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features GET method with no useragent header
suspicious_request GET http://geoplugin.net/json.gp
domain esteesnuevo2025.duckdns.org
request GET http://geoplugin.net/json.gp
description ASEGNEGROMARZ.exe tried to sleep 350 seconds, actually delayed analysis time by 350 seconds
Time & API Arguments Status Return Repeated

SetWindowsHookExA

thread_identifier: 0
callback_function: 0x00409d0a
hook_identifier: 13 (WH_KEYBOARD_LL)
module_address: 0x00400000
1 66047 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Remcos.m!c
Cynet Malicious (score: 100)
CAT-QuickHeal Backdoor.RemcosRI.S35402806
Skyhigh BehavesLike.Win32.Remcos.gh
ALYac Generic.Dacic.A9349469.A.7611F346
Cylance Unsafe
VIPRE Generic.Dacic.A9349469.A.7611F346
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
BitDefender Generic.Dacic.A9349469.A.7611F346
K7GW Trojan ( 0053ac2c1 )
K7AntiVirus Trojan ( 0053ac2c1 )
Arcabit Generic.Dacic.A9349469.A.7611F346
VirIT Trojan.Win32.Remcos.DFP
Symantec ML.Attribute.HighConfidence
Elastic Windows.Trojan.Remcos
ESET-NOD32 a variant of Win32/Rescoms.B
APEX Malicious
Avast Win32:RATX-gen [Trj]
ClamAV Win.Trojan.Remcos-9841897-0
Kaspersky HEUR:Backdoor.Win32.Remcos.gen
Alibaba Backdoor:Win32/Remcos.8d3973a0
NANO-Antivirus Trojan.Win32.Remcos.kvsovm
MicroWorld-eScan Generic.Dacic.A9349469.A.7611F346
Rising Backdoor.Remcos!1.BAC7 (CLASSIC)
Emsisoft Generic.Dacic.A9349469.A.7611F346 (B)
F-Secure Backdoor.BDS/Backdoor.Gen
DrWeb BackDoor.Remcos.491
Zillya Trojan.Rescoms.Win32.2189
McAfeeD Real Protect-LS!6F464F8ABB48
CTX exe.backdoor.remcos
Sophos Mal/Remcos-B
SentinelOne Static AI - Malicious PE
FireEye Generic.mg.6f464f8abb486d07
Webroot Win.Backdoor.Remcos
Google Detected
Avira BDS/Backdoor.Gen
Antiy-AVL Trojan[Backdoor]/Win32.Remcos
Kingsoft malware.kb.a.1000
Gridinsoft Trojan.Win32.Remcos.tr
Microsoft Backdoor:Win32/Remcos.GA!MTB
ViRobot Trojan.Win.Z.Remcos.498176.M
ZoneAlarm Mal/Remcos-B
GData Generic.Dacic.A9349469.A.7611F346
Varist W32/Agent.JUB.gen!Eldorado
AhnLab-V3 Backdoor/Win.Remcos.R693720
McAfee Artemis!6F464F8ABB48
DeepInstinct MALICIOUS
VBA32 Backdoor.RmRAT