Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 12, 2021, 12:06 p.m.	May 12, 2021, 12:16 p.m.

Size	133.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`c5b088a8ef675fa7576197f7faa07b40`
SHA256	`10f9863a0c087a93b465eb4c17e5a006add72acf87747603d2caff4b011f7bd7`
CRC32	`F288D244`
ssdeep	`3072:NI0YC4NW+e4X2U1fvN7jDARDnxSRgLyIio18WaedeeNNzyOBODYGCTCZ:NDO8+tXpVN0RDnxSRgLyIio18WaedeeO`
Yara	Is_DotNET_EXE - (no description) OS_Processor_Check_Zero - OS Processor Check PE_Header_Zero - PE File Signature IsPE32 - (no description)

mobianshi.txt "C:\Users\test22\AppData\Local\Temp\mobianshi.txt"
2704
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
modoba.duckdns.org	A 103.133.105.179	103.133.105.179

IP Address	Status	Action
103.133.105.179	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:61479 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
TCP 192.168.56.101:49203 -> 103.133.105.179:1111	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 12, 2021, 12:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 12, 2021, 12:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 12, 2021, noon	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 12, 2021, 12:07 p.m.			0	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 12, 2021, 12:07 p.m.	stacktrace: 0x44e1c18 0x44e1881 0x44e16ad mscorlib+0x216e76 @ 0x6f816e76 mscorlib+0x2202ff @ 0x6f8202ff mscorlib+0x216df4 @ 0x6f816df4 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72071b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x72088dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x72096a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x72096a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x72096a7d DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x72113191 CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x720c192f CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x720c18cb CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x720c17f1 CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x720c197d DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x72112f62 DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x7211303c GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x721d805a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 a6 24 2a 6b 8b c8 e8 5f 29 c2 6d 8b f0 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x44e2397 registers.esp: 89257884 registers.edi: 35766320 registers.eax: 35721624 registers.ebp: 89257924 registers.edx: 35766320 registers.ebx: 35766260 registers.esi: 0 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

May 12, 2021, 12:07 p.m.

stacktrace:

0x44e1c18
0x44e1881
0x44e16ad
mscorlib+0x216e76 @ 0x6f816e76
mscorlib+0x2202ff @ 0x6f8202ff
mscorlib+0x216df4 @ 0x6f816df4
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72071b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x72088dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x72096a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x72096a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x72096a7d
DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x72113191
CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x720c192f
CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x720c18cb
CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x720c17f1
CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x720c197d
DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x72112f62
DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x7211303c
GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x721d805a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 39 09 e8 a6 24 2a 6b 8b c8 e8 5f 29 c2 6d 8b f0
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x44e2397
registers.esp: 89257884
registers.edi: 35766320
registers.eax: 35721624
registers.ebp: 89257924
registers.edx: 35766320
registers.ebx: 35766260
registers.esi: 0
registers.ecx: 0

Connects to a Dynamic DNS Domain (1 event)

domain

modoba.duckdns.org

Allocates read-write-execute memory (usually to unpack itself) (37 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00410000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00410000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72071000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72072000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0050b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00507000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x044e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x044e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00505000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05580000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05581000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x044e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05611000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05612000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05582000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

mobianshi.txt tried to sleep 124 seconds, actually delayed analysis time by 124 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW May 12, 2021, noon	total_number_of_free_bytes: 13727899648 free_bytes_available: 13727899648 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Creates a shortcut to an executable file (3 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Executes one or more WMI queries (1 event)

wmi	select * from Win32_OperatingSystem

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW May 12, 2021, 12:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 12, 2021, noon	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 12, 2021, noon	system_name: privilege_name: SeShutdownPrivilege	1	1

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.46114245
FireEye	Generic.mg.c5b088a8ef675fa7
McAfee	Artemis!C5B088A8EF67
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Backdoor:MSIL/Tnega.8ae8b84c
K7GW	Trojan ( 0057af751 )
K7AntiVirus	Trojan ( 0057af751 )
Cyren	W32/Trojan.PZMP-3732
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Kryptik.AASQ
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Packed.Razy-7660763-0
Kaspersky	HEUR:Backdoor.MSIL.Mokes.gen
BitDefender	Trojan.GenericKD.46114245
Avast	Win32:PWSX-gen [Trj]
Ad-Aware	Trojan.GenericKD.46114245
Comodo	Malware@#2280eu45sleiq
DrWeb	Trojan.Spynet.33
Zillya	Trojan.GenKryptik.Win32.81831
TrendMicro	Backdoor.MSIL.MOKES.USASHDM21
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	Trojan.GenericKD.46114245 (B)
Ikarus	Trojan.Crypt
Avira	TR/Kryptik.rdrtq
MAX	malware (ai score=88)
Kingsoft	Win32.Hack.Undef.(kcloud)
Gridinsoft	Trojan.Win32.Packed.oa
Microsoft	Trojan:MSIL/Tnega!MSR
AegisLab	Trojan.MSIL.Mokes.m!c
ZoneAlarm	HEUR:Backdoor.MSIL.Mokes.gen
GData	Trojan.GenericKD.46114245
Cynet	Malicious (score: 99)
AhnLab-V3	Trojan/Win.Generic.C4425581
Acronis	suspicious
BitDefenderTheta	Gen:NN.ZemsilF.34688.iqW@aio5iaoO
ALYac	Trojan.GenericKD.46114245
VBA32	TScope.Trojan.MSIL
Malwarebytes	Trojan.MalPack
TrendMicro-HouseCall	Backdoor.MSIL.MOKES.USASHDM21
Rising	Backdoor.Mokes!8.619 (CLOUD)
Fortinet	W32/Mokes.FECE!tr.bdr
Webroot	W32.Malware.Gen
AVG	Win32:PWSX-gen [Trj]
Panda	Trj/GdSda.A

mobianshi.txt

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All