Summary | ZeroBOX

ethm17041.exe

Category: FILE
Machine: s1_win7_x6401
Started: April 23, 2021, 9:53 a.m.
Completed: April 23, 2021, 9:56 a.m.
Size 1.9MB
Type PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
MD5 2f1115241a8d2d0400d01cec49f12d8b
SHA256 7b23f70c3b8e297753582be046a4afb8031129dd80889ccc1b092f6a66365a81
CRC32 1DF4364F
ssdeep 49152:Tosd3wD4joU1VqR0oWEn5Dl6IDO1cjldcrEbOYjuru8:TpdgD48iA6EnT6OOAl/br
Yara
  • PE_Header_Zero - PE File Signature Zero
  • IsPE32 - (no description)
  • IsConsole - (no description)
  • IsPacked - Entropy Check
  • UPX_Zero - UPX packed file

Name             Response         Post-Analysis Lookup
somekindiff.com  172.67.192.164

IP Address       Status   Action
172.67.192.164   Active   Moloch
164.124.101.2    Active   Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

Flow                                                  Issuer   Subject   Fingerprint
TLS 1.3  192.168.56.101:49199 -> 172.67.192.164:443   None     None      None

Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: downloading file
console_handle: 0x00000007
status: 1  return: 1  repeated: 0

WriteConsoleW

buffer: file downloaded
console_handle: 0x00000007
status: 1  return: 1  repeated: 0

WriteConsoleW

buffer: process is not running
console_handle: 0x0000000b
status: 1  return: 1  repeated: 0

WriteConsoleW

buffer: process is not running
console_handle: 0x0000000b
status: 1  return: 1  repeated: 0

WriteConsoleW

buffer: process is not running
console_handle: 0x0000000b
status: 1  return: 1  repeated: 0

WriteConsoleW

buffer: process is not running
console_handle: 0x0000000b
status: 1  return: 1  repeated: 0

WriteConsoleW

buffer: process is not running
console_handle: 0x0000000b
status: 1  return: 1  repeated: 0
packer UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77210895
stacktrace+0x84 memdup-0x1af @ 0x74420470
hook_in_monitor+0x45 lde-0x133 @ 0x744142ea
New_ntdll_NtTerminateProcess+0x20 New_ntdll_NtTerminateThread-0x11a @ 0x74435ac4
RtlExitUserProcess+0x48 LdrShutdownProcess-0x68 ntdll+0x24138 @ 0x771e4138
ee+0x36f1a0 @ 0x13fdcf1a0
ee+0x36f1a0 @ 0x13fdcf1a0
ee+0x1000 @ 0x13fa61000
0x8000000 (same frame repeated 56 times)

exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29
exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895
exception.address: 0x77210895
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 329877
registers.r14: 0
registers.r15: 0
registers.rcx: 1241912
registers.rsi: 5362814976
registers.r10: 3221225785
registers.rbx: 5366411680
registers.rsp: 1244000
registers.r11: 8796092882944
registers.r8: 64
registers.r9: 1999600672
registers.rdx: 1243256
registers.r12: 0
registers.rbp: 1994653696
registers.rdi: 5422211521
registers.rax: 1241592
registers.r13: 0
status: 1  return: 0  repeated: 0

__exception__

stacktrace:
RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77210895
stacktrace+0x84 memdup-0x1af @ 0x74420470
hook_in_monitor+0x45 lde-0x133 @ 0x744142ea
New_ntdll_NtTerminateProcess+0x20 New_ntdll_NtTerminateThread-0x11a @ 0x74435ac4
RtlExitUserProcess+0x48 LdrShutdownProcess-0x68 ntdll+0x24138 @ 0x771e4138
ee+0x36f1a0 @ 0x14030f1a0
ee+0x36f1a0 @ 0x14030f1a0
ee+0x1000 @ 0x13ffa1000
0x8000000 (same frame repeated 56 times)

exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29
exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895
exception.address: 0x77210895
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 329877
registers.r14: 0
registers.r15: 0
registers.rcx: 2946552
registers.rsi: 5368320000
registers.r10: 3221225785
registers.rbx: 5371916704
registers.rsp: 2948640
registers.r11: 8796092882944
registers.r8: 64
registers.r9: 1999600672
registers.rdx: 2947896
registers.r12: 0
registers.rbp: 1994653696
registers.rdi: 5427716545
registers.rax: 2946232
registers.r13: 0
status: 1  return: 0  repeated: 0

__exception__

stacktrace:
RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77210895
stacktrace+0x84 memdup-0x1af @ 0x74420470
hook_in_monitor+0x45 lde-0x133 @ 0x744142ea
New_ntdll_NtTerminateProcess+0x20 New_ntdll_NtTerminateThread-0x11a @ 0x74435ac4
RtlExitUserProcess+0x48 LdrShutdownProcess-0x68 ntdll+0x24138 @ 0x771e4138
ee+0x36f1a0 @ 0x13f96f1a0
ee+0x36f1a0 @ 0x13f96f1a0
ee+0x1000 @ 0x13f601000
0x8000000 (same frame repeated 56 times)

exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29
exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895
exception.address: 0x77210895
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 329877
registers.r14: 0
registers.r15: 0
registers.rcx: 2356808
registers.rsi: 5358227456
registers.r10: 3221225785
registers.rbx: 5361824160
registers.rsp: 2358896
registers.r11: 8796092874752
registers.r8: 64
registers.r9: 1999600672
registers.rdx: 2358152
registers.r12: 0
registers.rbp: 1994653696
registers.rdi: 5417624001
registers.rax: 2356488
registers.r13: 0
status: 1  return: 0  repeated: 0

__exception__

stacktrace:
RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77210895
stacktrace+0x84 memdup-0x1af @ 0x74420470
hook_in_monitor+0x45 lde-0x133 @ 0x744142ea
New_ntdll_NtTerminateProcess+0x20 New_ntdll_NtTerminateThread-0x11a @ 0x74435ac4
RtlExitUserProcess+0x48 LdrShutdownProcess-0x68 ntdll+0x24138 @ 0x771e4138
ee+0x36f1a0 @ 0x13fdcf1a0
ee+0x36f1a0 @ 0x13fdcf1a0
ee+0x1000 @ 0x13fa61000
0x8000000 (same frame repeated 56 times)

exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29
exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895
exception.address: 0x77210895
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 329877
registers.r14: 0
registers.r15: 0
registers.rcx: 2617928
registers.rsi: 5362814976
registers.r10: 3221225785
registers.rbx: 5366411680
registers.rsp: 2620016
registers.r11: 8796092878848
registers.r8: 64
registers.r9: 1999600672
registers.rdx: 2619272
registers.r12: 0
registers.rbp: 1994653696
registers.rdi: 5422211521
registers.rax: 2617608
registers.r13: 0
status: 1  return: 0  repeated: 0

__exception__

stacktrace:
RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77210895
stacktrace+0x84 memdup-0x1af @ 0x74420470
hook_in_monitor+0x45 lde-0x133 @ 0x744142ea
New_ntdll_NtTerminateProcess+0x20 New_ntdll_NtTerminateThread-0x11a @ 0x74435ac4
RtlExitUserProcess+0x48 LdrShutdownProcess-0x68 ntdll+0x24138 @ 0x771e4138
ee+0x36f1a0 @ 0x13f7cf1a0
ee+0x36f1a0 @ 0x13f7cf1a0
ee+0x1000 @ 0x13f461000
0x8000000 (same frame repeated 56 times)

exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29
exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895
exception.address: 0x77210895
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 329877
registers.r14: 0
registers.r15: 0
registers.rcx: 2422088
registers.rsi: 5356523520
registers.r10: 3221225785
registers.rbx: 5360120224
registers.rsp: 2424176
registers.r11: 8796092882944
registers.r8: 64
registers.r9: 1999600672
registers.rdx: 2423432
registers.r12: 0
registers.rbp: 1994653696
registers.rdi: 5415920065
registers.rax: 2421768
registers.r13: 0
status: 1  return: 0  repeated: 0
file C:\Users\test22\AppData\Local\Temp\csrss\wup\e\ee.exe
file C:\Users\test22\AppData\Local\Temp\csrss\wup\e\ee.exe
section UPX1 (size_of_data: 0x001dda00, virtual_address: 0x002ca000, virtual_size: 0x001de000, entropy: 7.8813252937441) entropy 7.88132529374 description A section with a high entropy has been found
entropy 0.999738356881 description Overall entropy of this PE file is high
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
section UPX2 description Section name indicates UPX
Time & API Arguments Status Return Repeated

LdrGetProcedureAddress

ordinal: 0
function_address: 0x0018fe3d
function_name: wine_get_version
module: ntdll
module_address: 0x773a0000
return: 3221225785  repeated: 0
Bkav W32.AIDetect.malware2
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.36735001
FireEye Trojan.GenericKD.36735001
CAT-QuickHeal Trojan.Wacatac
ALYac Trojan.GenericKD.36735001
Malwarebytes Malware.AI.1201087188
VIPRE Trojan.Win32.Generic!BT
K7AntiVirus Trojan ( 00577c621 )
Alibaba Trojan:Win32/RanumBot.3af8a264
K7GW Trojan ( 00577c621 )
Cyren W32/RanumBot.B.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of WinGo/RanumBot.U
Avast Win32:Trojan-gen
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Trojan.GenericKD.36735001
NANO-Antivirus Trojan.Win32.Redcap.iufxta
Paloalto generic.ml
Rising Trojan.RanumBot!8.112AC (CLOUD)
Ad-Aware Trojan.GenericKD.36735001
Emsisoft Trojan.GenericKD.36735001 (B)
McAfee-GW-Edition BehavesLike.Win32.Generic.tc
Sophos Mal/Generic-S
Jiangmin TrojanDropper.Agent.gjrl
Webroot W32.Trojan.Gen
Avira TR/Redcap.cnzyy
MAX malware (ai score=88)
Gridinsoft Trojan.Win32.Agent.vb
AegisLab Trojan.Win32.RanumBot.4!c
GData Trojan.GenericKD.36735001
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.RanumBot.C4427177
McAfee Artemis!2F1115241A8D
TrendMicro-HouseCall TROJ_GEN.R053H0CDL21
Ikarus Trojan.WinGo.Ranumbot
Fortinet W32/RanumBot.U!tr
MaxSecure Trojan.Malware.300983.susgen
AVG Win32:Trojan-gen
Panda Trj/CI.A
CrowdStrike win/malicious_confidence_100% (W)