Summary | ZeroBOX

yest.txt.exe

Tags: Browser Login Data Stealer, Generic Malware, Malicious Library, Downloader, UPX, Malicious Packer, PE File, OS Processor Check, PE32

Category  Machine        Started                    Completed
FILE      s1_win7_x6401  April 10, 2025, 4:19 p.m.  April 10, 2025, 4:21 p.m.

Size    487.0KB
Type    PE32 executable (GUI) Intel 80386, for MS Windows
MD5     10a55a8b8f7c517b126b149a2721cf7b
SHA256  bc31d564f5bdc70e314cac621b14195ebf53aa8b74f1de6350e60de691f2c728
CRC32   40BAD576
ssdeep  6144:CIlSCa0RPvRz+n8Qr1D0ZGESuHabmvHOE4mCp6qtydBnP+Y4+3sAORZ/FXvXc6CJ:C200OFp+G0imvHn3Cp6qyBP+YdsvZ/c
Yara
  • PE_Header_Zero - PE File Signature
  • Malicious_Library_Zero - Malicious_Library
  • infoStealer_browser_b_Zero - browser info stealer
  • Network_Downloader - File Downloader
  • IsPE32 - (no description)
  • Malicious_Packer_Zero - Malicious Packer
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check
  • UPX_Zero - UPX packed file

IP Address Status Action
164.124.101.2 Active Moloch
178.237.33.50 Active Moloch
89.34.230.126 Active Moloch

Suricata Alerts

Flow                                            SID      Signature                                     Category
TCP 192.168.56.101:49162 -> 89.34.230.126:23101  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  Malware Command and Control Activity Detected

The rule matches the JA3 fingerprint of the client's TLS ClientHello, not any payload content, so it fires on the first packet of the session regardless of the non-standard port (23101) the C2 listens on.

Suricata TLS

Flow                                                   Issuer  Subject  Fingerprint
TLS 1.3  192.168.56.101:49162 -> 89.34.230.126:23101  None    None     None

Issuer, Subject and Fingerprint are empty because the session is TLS 1.3: the server sends its certificate encrypted after the key exchange, so a passive sensor never sees it. The only cleartext it can key on is the ClientHello, which is what the JA3 alert above matched.
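The alert above fires on the JA3 hash of the ClientHello rather than on any certificate field. The following is an added example (not part of the ZeroBOX report and not Suricata's code) showing how that fingerprint is derived: it builds a constructed ClientHello (the cipher list, extensions and the example.com SNI are made up for the example, not taken from this sample's traffic) and computes the JA3 string and its MD5, dropping GREASE values as JA3 requires. The Remcos JA3 hash the rule carries is not reproduced here.

```python
"""Compute a JA3 fingerprint from a TLS ClientHello (added example)."""
import hashlib
import struct

# GREASE values (RFC 8701) are randomised per connection and are excluded
# from JA3 so that the fingerprint stays stable across sessions.
GREASE = {0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
          0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA}


def build_client_hello(ciphers, extensions):
    """Assemble a TLS record carrying a ClientHello (constructed test data)."""
    body = b"\x03\x03" + bytes(range(32))            # legacy_version, random
    body += b"\x00"                                    # empty session_id
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(cs)) + cs
    body += b"\x01\x00"                                # compression: null only
    ext = b"".join(struct.pack("!HH", t, len(p)) + p for t, p in extensions)
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def parse_client_hello(record):
    """Return (version, ciphers, ext_types, curves, point_formats)."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                       # skip random
    pos += 1 + body[pos]                               # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0]
               for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                               # skip compression methods
    ext_types, curves, points = [], [], []
    if pos < len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            payload = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            ext_types.append(etype)
            if etype == 10:                            # supported_groups
                n = struct.unpack("!H", payload[:2])[0]
                curves = [struct.unpack("!H", payload[i:i + 2])[0]
                          for i in range(2, 2 + n, 2)]
            elif etype == 11:                          # ec_point_formats
                points = list(payload[1:1 + payload[0]])
    return version, ciphers, ext_types, curves, points


def ja3(record):
    """Return (ja3_string, ja3_md5): version,ciphers,extensions,curves,points."""
    version, ciphers, exts, curves, points = parse_client_hello(record)
    keep = lambda xs: [str(x) for x in xs if x not in GREASE]
    s = ",".join([str(version), "-".join(keep(ciphers)), "-".join(keep(exts)),
                  "-".join(keep(curves)), "-".join(str(p) for p in points)])
    return s, hashlib.md5(s.encode()).hexdigest()


# Constructed ClientHello with one GREASE cipher, extension and group.
SAMPLE = build_client_hello(
    ciphers=[0x1A1A, 0x1301, 0x1302, 0xC02B, 0xC02F],
    extensions=[
        (0x2A2A, b""),                                  # GREASE extension
        (0, b"\x00\x0e\x00\x00\x0bexample.com"),        # server_name (SNI)
        (10, b"\x00\x06\x2a\x2a\x00\x1d\x00\x17"),      # groups: GREASE, x25519, P-256
        (11, b"\x01\x00"),                              # point format: uncompressed
        (13, b"\x00\x04\x04\x03\x08\x04"),              # signature_algorithms
        (43, b"\x03\x03\x04\x03\x03"),                  # supported_versions 1.3, 1.2
    ])

if __name__ == "__main__":
    print(ja3(SAMPLE))
```

Because the fingerprint is taken only from what the client offers, a TLS 1.3 session where the certificate is hidden still yields the same hash, which is why JA3 rules are the practical way to tag RAT traffic like this on an arbitrary port.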

Behavior

API                   Status  Return  Repeated
GlobalMemoryStatusEx  1       1       0
(reads the machine's total physical memory; a low value is a common virtual-machine tell)

HTTP request          GET http://geoplugin.net/json.gp
suspicious_features   GET method with no User-Agent header
(a geolocation lookup of the victim's public IP, a behaviour Remcos performs at start-up and consistent with the AV verdicts below)

Anti-analysis         yest.txt.exe tried to sleep 355 seconds, actually delayed analysis time by 350 seconds
(a long Sleep is used to outlast sandbox execution timeouts; note the whole analysis window above was about two minutes)
API                Arguments                              Status  Return   Repeated
SetWindowsHookExA  thread_identifier: 0                   1       5767561  0
                   callback_function: 0x00409d0a
                   hook_identifier: 13 (WH_KEYBOARD_LL)
                   module_address: 0x00400000
(WH_KEYBOARD_LL is a low-level keyboard hook; thread_identifier 0 makes it system-wide, the callback sits inside the main image loaded at 0x00400000, and the non-zero return is the HHOOK handle, so the keylogger hook was installed successfully)
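The behaviour entries above are the kind of records an analyst scores automatically. The following is an added example, not code from ZeroBOX or from the Remcos sample, that applies the same three tells (a system-wide keyboard hook, a long sleep, and an HTTP request sent without a User-Agent to a geolocation service) to constructed records. The record layout, the thresholds and the second hook and request in the sample data are assumptions made for the example; the hook arguments, the 355-second sleep and the geoplugin.net URL are taken from the report.

```python
"""Triage heuristics over sandbox behaviour records (added example).

The record layout is constructed for this example and only loosely follows
the fields shown in the report (api, arguments, return value); it is not
ZeroBOX's or Cuckoo's JSON schema.
"""
from dataclasses import dataclass

WH_KEYBOARD, WH_KEYBOARD_LL = 2, 13
LONG_SLEEP_MS = 60_000                 # assumed threshold: one minute or more
GEOIP_HOSTS = {"geoplugin.net"}        # host seen in this report


@dataclass
class Finding:
    severity: int                      # 1 = low, 2 = medium, 3 = high
    name: str
    detail: str


def check_api_calls(calls):
    """Flag keyboard hooks, long sleeps and memory probes in API call records."""
    findings = []
    for call in calls:
        api, args = call["api"], call.get("arguments", {})
        if api.startswith("SetWindowsHookEx"):
            hook = args.get("hook_identifier")
            if hook in (WH_KEYBOARD, WH_KEYBOARD_LL):
                # thread id 0 means the hook is not limited to one thread
                scope = "system-wide" if args.get("thread_identifier") == 0 else "single-thread"
                ok = call.get("return_value", 0) != 0   # non-zero HHOOK = installed
                findings.append(Finding(3, "keyboard_hook",
                    f"{api}: {scope} hook id {hook}, callback "
                    f"{args.get('callback_function')}, {'installed' if ok else 'failed'}"))
        elif api in ("NtDelayExecution", "Sleep", "SleepEx"):
            ms = args.get("milliseconds", 0)
            if ms >= LONG_SLEEP_MS:
                findings.append(Finding(2, "long_sleep", f"{api} for {ms // 1000} s"))
        elif api == "GlobalMemoryStatusEx":
            findings.append(Finding(1, "memory_probe",
                                    "queries total physical memory, a common VM check"))
    return findings


def check_http(requests):
    """Flag requests with no User-Agent and lookups of geolocation services."""
    findings = []
    for req in requests:
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
        host = req["host"].lower()
        if "user-agent" not in headers:
            findings.append(Finding(2, "no_user_agent",
                                    f"{req['method']} {req['uri']} sent without a User-Agent"))
        if host in GEOIP_HOSTS:
            findings.append(Finding(2, "geoip_lookup", f"victim geolocation via {host}"))
    return findings


def triage(report):
    """Run all checks and return findings, highest severity first."""
    found = check_api_calls(report.get("calls", [])) + check_http(report.get("http", []))
    return sorted(found, key=lambda f: f.severity, reverse=True)


# Constructed records: the keyboard hook, the sleep length and the geoplugin
# URL come from the report; the mouse hook and the example.com request do not.
SAMPLE_REPORT = {
    "calls": [
        {"api": "GlobalMemoryStatusEx", "arguments": {}, "return_value": 1},
        {"api": "NtDelayExecution", "arguments": {"milliseconds": 355000}, "return_value": 0},
        {"api": "SetWindowsHookExA",
         "arguments": {"thread_identifier": 0, "callback_function": "0x00409d0a",
                       "hook_identifier": 13, "module_address": "0x00400000"},
         "return_value": 5767561},
        {"api": "SetWindowsHookExA",            # WH_MOUSE_LL: not a keylogger tell
         "arguments": {"thread_identifier": 0, "hook_identifier": 14},
         "return_value": 1},
    ],
    "http": [
        {"method": "GET", "host": "geoplugin.net",
         "uri": "http://geoplugin.net/json.gp", "headers": {}},
        {"method": "GET", "host": "example.com", "uri": "http://example.com/",
         "headers": {"User-Agent": "Mozilla/5.0"}},
    ],
}

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f.severity, f.name, f.detail)
```

The memory probe is kept at low severity on purpose: plenty of legitimate installers call GlobalMemoryStatusEx, and it only becomes interesting next to the hook and the sleep.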
Antivirus results

Vendor  Result
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Remcos.m!c
Cynet Malicious (score: 100)
CAT-QuickHeal Backdoor.RemcosRI.S35402806
Skyhigh BehavesLike.Win32.Remcos.gh
ALYac Generic.Dacic.A9349469.A.54E2EDBA
Cylance Unsafe
VIPRE Generic.Dacic.A9349469.A.54E2EDBA
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
BitDefender Generic.Dacic.A9349469.A.54E2EDBA
K7GW Trojan ( 0053ac2c1 )
K7AntiVirus Trojan ( 0053ac2c1 )
Arcabit Generic.Dacic.A9349469.A.54E2EDBA
VirIT Trojan.Win32.Remcos.DFP
Symantec ML.Attribute.HighConfidence
Elastic Windows.Trojan.Remcos
ESET-NOD32 a variant of Win32/Rescoms.B
APEX Malicious
Avast Win32:RATX-gen [Trj]
ClamAV Win.Trojan.Remcos-9841897-0
Kaspersky HEUR:Backdoor.Win32.Remcos.gen
Alibaba Backdoor:Win32/Remcos.45f94838
NANO-Antivirus Trojan.Win32.Remcos.kvsovm
MicroWorld-eScan Generic.Dacic.A9349469.A.54E2EDBA
Rising Backdoor.Remcos!1.BAC7 (CLASSIC)
Emsisoft Generic.Dacic.A9349469.A.54E2EDBA (B)
F-Secure Backdoor.BDS/Backdoor.Gen
DrWeb BackDoor.Remcos.491
Zillya Trojan.Rescoms.Win32.2189
McAfeeD Real Protect-LS!10A55A8B8F7C
CTX exe.backdoor.remcos
Sophos Mal/Remcos-B
SentinelOne Static AI - Malicious PE
Webroot Win.Backdoor.Remcos
Google Detected
Avira BDS/Backdoor.Gen
Antiy-AVL Trojan[Backdoor]/Win32.Remcos
Kingsoft malware.kb.a.1000
Gridinsoft Backdoor.Win32.Remcos.sa
Xcitium Malware@#6xa1m4d68sdw
Microsoft Backdoor:Win32/Remcos.GA!MTB
ZoneAlarm Mal/Remcos-B
GData Generic.Dacic.A9349469.A.54E2EDBA
Varist W32/Agent.JUB.gen!Eldorado
AhnLab-V3 Backdoor/Win.Remcos.R694416
McAfee Artemis!10A55A8B8F7C
DeepInstinct MALICIOUS
VBA32 Backdoor.RmRAT
Malwarebytes Backdoor.Remcos