Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 3, 2021, 4:46 p.m.	May 3, 2021, 4:50 p.m.

Size	224.8KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`2b4a1bcc464360c350c05bf9fbb18ce3`
SHA256	`37f87d9529b496054bc82c319a8908fc82f7704a7de3bc0353a6474995aa02e3`
CRC32	`E401CCC2`
ssdeep	`6144:Mwyua/xTCGQtfUeAIQHuA36cd0NkS0tO8Q:5yR5TCGQeeAItC6606VtO8Q`
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description) Win_Trojan_AgentTesla_IN_Zero - Win Trojan AgentTesla

Pcsyh.exe C:\Users\test22\AppData\Local\Temp\Pcsyh.exe
2772

Name	Response	Post-Analysis Lookup
launcher.worldofwarcraft.com	A 137.221.106.103	137.221.106.103

IP Address	Status	Action
137.221.106.103	Active	Moloch
164.124.101.2	Active	Moloch
31.210.20.238	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA May 3, 2021, 4:48 p.m.	computer_name: TEST22-PC	1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://launcher.worldofwarcraft.com/alert

Performs some HTTP requests (1 event)

request

GET http://launcher.worldofwarcraft.com/alert

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00031800', u'virtual_address': u'0x00002000', u'entropy': 7.939783457007093, u'name': u'.text', u'virtual_size': u'0x00031724'}

entropy

7.93978345701

description

A section with a high entropy has been found

entropy

0.91454965358

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (1 event)

url	https://discord.com/

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

31.210.20.238

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

FireEye	Generic.mg.2b4a1bcc464360c3
McAfee	Artemis!2B4A1BCC4643
Cylance	Unsafe
Alibaba	Trojan:MSIL/GenKryptik.d026eff3
Cybereason	malicious.fa3473
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/GenKryptik.FEUY
APEX	Malicious
Avast	Win32:RATX-gen [Trj]
Kaspersky	UDS:DangerousObject.Multi.Generic
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	Trojan.Crypt (A)
Microsoft	Trojan:Win32/Formbook!ml
Cynet	Malicious (score: 100)
BitDefenderTheta	Gen:NN.ZemsilF.34686.om1@aKo5y4o
Malwarebytes	Malware.AI.4276529596
Rising	Trojan.GenKryptik!8.AA55 (CLOUD)
Ikarus	Trojan.MSIL.Inject
AVG	Win32:RATX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (W)

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

31.210.20.238:80

Pcsyh.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All