Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 3, 2021, 4:46 p.m.	May 3, 2021, 4:52 p.m.

Size	226.8KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`9b807ec7d5c9fa755cd95453f9a7c0d0`
SHA256	`f98f307a6a414fcbe42e1017d720f1ed8c9e0df21b703f74e94dbe1afa8b32ff`
CRC32	`1FBCCF51`
ssdeep	`3072:8kcmAGOyF6ulHNStfzoeAWRfS8ypYAxBWA3VcuVdxvNmT9PQdseKzxEfggIYS:8kcmflQtfUeAIQHuA36cdROPSEEf`
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description) Win_Trojan_AgentTesla_IN_Zero - Win Trojan AgentTesla

Naokyle.exe C:\Users\test22\AppData\Local\Temp\Naokyle.exe
1316

Name	Response	Post-Analysis Lookup
launcher.worldofwarcraft.com	A 137.221.106.103	137.221.106.103

IP Address	Status	Action
137.221.106.103	Active	Moloch
164.124.101.2	Active	Moloch
31.210.21.231	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA May 3, 2021, 4:51 p.m.	computer_name: TEST22-PC	1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://launcher.worldofwarcraft.com/alert

Performs some HTTP requests (1 event)

request

GET http://launcher.worldofwarcraft.com/alert

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00032000', u'virtual_address': u'0x00002000', u'entropy': 7.943746983192339, u'name': u'.text', u'virtual_size': u'0x00031f94'}

entropy

7.94374698319

description

A section with a high entropy has been found

entropy

0.91533180778

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (1 event)

url	https://discord.com/

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

31.210.21.231

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

FireEye	Generic.mg.9b807ec7d5c9fa75
McAfee	Artemis!9B807EC7D5C9
Cylance	Unsafe
Alibaba	Trojan:MSIL/GenKryptik.d026eff3
Cybereason	malicious.5f9783
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/GenKryptik.FEUY
APEX	Malicious
Avast	Win32:RATX-gen [Trj]
Kaspersky	UDS:DangerousObject.Multi.Generic
Paloalto	generic.ml
Rising	Trojan.GenKryptik!8.AA55 (CLOUD)
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	Trojan.Crypt (A)
Ikarus	Win32.Outbreak
Microsoft	Trojan:Win32/Woreflint.A!cl
Cynet	Malicious (score: 100)
Malwarebytes	Malware.AI.4276529596
eGambit	PE.Heur.InvalidSig
AVG	Win32:RATX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (W)

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

31.210.21.231:80

Naokyle.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All