Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 5, 2021, 2:30 p.m.	April 5, 2021, 2:32 p.m.

Size	266.0KB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`7f1bd38647745b87464b8c696519bfc6`
SHA256	`7919bd3d8ee49fb1803f25bd73682f5fde4164ad6523069054a0ecbfb48fdb81`
CRC32	`2DD13CAD`
ssdeep	`6144:95Y7JfHLNO7tYoUTbG14uS3Gl2TKcii5HS4bH:g7JDYaouvuUGk5JH`
Yara	Ficker_Stealer_Zero - Ficker Stealer network_tcp_listen - Listen for incoming communication network_tcp_socket - Communications over RAW socket network_dns - Communications use DNS screenshot - Take screenshot win_registry - Affect system registries win_files_operation - Affect private profile Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsWindowsGUI - (no description) HasOverlay - Overlay Check

Name	Response	Post-Analysis Lookup
lukkeze.best	A 79.143.30.6 A 188.68.221.233	188.68.221.233
api.ipify.org	A 23.21.48.44 A 23.21.140.41 CNAME nagano-19599.herokussl.com A 50.19.252.36 A 54.225.157.230 A 54.235.83.248 A 54.225.155.255 A 107.22.233.72 CNAME elb097307-934924932.us-east-1.elb.amazonaws.com A 54.235.175.90	54.243.164.148

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
50.19.252.36	Active	Moloch
79.143.30.6	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Performs some HTTP requests (1 event)

request

GET http://api.ipify.org/?format=xml

Looks up the external IP address (1 event)

domain

api.ipify.org

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00002e00', u'virtual_address': u'0x00037000', u'entropy': 6.899361725842788, u'name': u'.rdata', u'virtual_size': u'0x00002da8'}

entropy

6.89936172584

description

A section with a high entropy has been found

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Elastic	malicious (high confidence)
DrWeb	Trojan.PWS.Stealer.29929
MicroWorld-eScan	Gen:Variant.Doina.7190
FireEye	Generic.mg.7f1bd38647745b87
ALYac	Gen:Variant.Doina.7190
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_60% (W)
Alibaba	TrojanDownloader:Win32/Stealer.bd2ed7d1
K7GW	Trojan ( 0001555e1 )
BitDefenderTheta	Gen:NN.ZexaF.34670.qGX@a4HRDMj
Cyren	W32/Agent.CFX.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Agent.UKB
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
ClamAV	Win.Trojan.FickerStealer-9805476-1
Kaspersky	HEUR:Trojan.Win32.Zudochka.vho
BitDefender	Gen:Variant.Doina.7190
Paloalto	generic.ml
Rising	Trojan.Agent!8.B1E (CLOUD)
Ad-Aware	Gen:Variant.Doina.7190
Sophos	Mal/Generic-S
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TrojanSpy.Win32.FICKERSTEALER.SMTH.hp
McAfee-GW-Edition	BehavesLike.Win32.Generic.dh
Emsisoft	Trojan.Agent (A)
eGambit	Unsafe.AI_Score_98%
Avira	TR/Agent.egzae
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	TrojanDownloader:Win32/Stealer.CK!MTB
Gridinsoft	Trojan.Win32.Downloader.sa
Arcabit	Trojan.Doina.D1C16
ZoneAlarm	HEUR:Trojan.Win32.Zudochka.vho
GData	Gen:Variant.Doina.7190
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Win32.RL_Generic.R352614
McAfee	GenericRXMH-DA!7F1BD3864774
MAX	malware (ai score=85)
VBA32	BScope.Trojan.Zudochka
Malwarebytes	Spyware.FickerStealer
TrendMicro-HouseCall	TrojanSpy.Win32.FICKERSTEALER.SMTH.hp
Tencent	Win32.Trojan.Zudochka.Aish
Ikarus	Trojan.Win32.Agent
Fortinet	W32/Agent.UKB!tr
Webroot	W32.Trojan.Gen
AVG	Win32:TrojanX-gen [Trj]
Cybereason	malicious.647745
Panda	Trj/GdSda.A
Qihoo-360	Win32/Ransom.Zudochka.HgIASSAA

lukkeze.best.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All