Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | June 12, 2021, 6:21 p.m. | June 12, 2021, 6:24 p.m. |
1.exe "C:\Users\test22\AppData\Local\Temp\1.exe"
1080
Name | Response | Post-Analysis Lookup |
---|---|---|
collector-node.us | 172.67.143.39 | |
collector-gate03.xyz | 172.67.211.17 | |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:49201 -> 104.21.45.72:80 | 2027108 | ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 | A Network Trojan was detected |
Suricata TLS
No Suricata TLS
Indicator | Value |
---|---|
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox |
suspicious_features | POST method with no referer header |
suspicious_request | POST http://collector-gate03.xyz/collect.php |
request | GET http://collector-node.us/u |
request | POST http://collector-gate03.xyz/collect.php |
request | POST http://collector-gate03.xyz/collect.php |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox |
file | C:\wallet.dat |
file | C:\Users\test22\AppData\Roaming\Electrum\wallets |
file | C:\Users\Default\AppData\Roaming\FileZilla\sitemanager.xml |
file | C:\Users\Default User\AppData\Roaming\FileZilla\recentservers.xml |
file | C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml |
file | C:\Users\Default\AppData\Roaming\FileZilla\recentservers.xml |
file | C:\Users\Public\AppData\Roaming\FileZilla\sitemanager.xml |
file | C:\Users\Public\AppData\Roaming\FileZilla\recentservers.xml |
file | C:\Users\Default User\AppData\Roaming\FileZilla\sitemanager.xml |
file | C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml |
file | C:\Users\All Users\AppData\Roaming\FileZilla\sitemanager.xml |
file | C:\Users\All Users\AppData\Roaming\FileZilla\recentservers.xml |
file | C:\Users\All Users\AppData\Roaming\.purple\accounts.xml |
file | C:\Users\Default User\AppData\Roaming\.purple\accounts.xml |
file | C:\Users\test22\AppData\Roaming\.purple\accounts.xml |
file | C:\Users\Default\AppData\Roaming\.purple\accounts.xml |
file | C:\Users\Public\AppData\Roaming\.purple\accounts.xml |
process | 1.exe |
useragent | JBJWN |
process | 1.exe |
useragent | uploader |
Engine | Detection |
---|---|
Bkav | W32.AIDetect.malware2 |
Elastic | malicious (high confidence) |
DrWeb | Trojan.PWS.Siggen2.64821 |
MicroWorld-eScan | Gen:Variant.Stealer.7 |
FireEye | Generic.mg.5a3eb1ba34e04f53 |
McAfee | GenericRXOM-OP!5A3EB1BA34E0 |
Cylance | Unsafe |
Sangfor | Trojan.Win32.Save.a |
Cybereason | malicious.a34e04 |
BitDefenderTheta | Gen:NN.ZexaF.34738.VqW@auO7!xj |
Cyren | W32/Agent.CTW.gen!Eldorado |
Symantec | ML.Attribute.HighConfidence |
ESET-NOD32 | a variant of Win32/Spy.Agent.PYU |
APEX | Malicious |
Avast | Win32:PWSX-gen [Trj] |
ClamAV | Win.Malware.Zusy-9812688-0 |
Kaspersky | HEUR:Trojan-Spy.Win32.Bobik.gen |
BitDefender | Gen:Variant.Stealer.7 |
NANO-Antivirus | Trojan.Win32.Bobik.iunqoq |
Rising | Stealer.Agent!1.D401 (CLASSIC) |
Ad-Aware | Gen:Variant.Stealer.7 |
TACHYON | Trojan-Spy/W32.Bobik.779776 |
Emsisoft | Gen:Variant.Stealer.7 (B) |
Zillya | Trojan.Agent.Win32.2075725 |
McAfee-GW-Edition | BehavesLike.Win32.Generic.bh |
Sophos | ML/PE-A |
Ikarus | Trojan-Spy.Racoon |
Jiangmin | TrojanSpy.Bobik.qz |
MaxSecure | Trojan.Malware.74196578.susgen |
Avira | HEUR/AGEN.1141176 |
Antiy-AVL | Trojan/Generic.ASMalwS.32A7E89 |
Microsoft | Trojan:Win32/Glupteba!ml |
GData | Win32.Trojan.PSE.MG6FVH |
Cynet | Malicious (score: 100) |
AhnLab-V3 | Trojan/Win32.RL_Stealer.R355109 |
VBA32 | TrojanSpy.Bobik |
MAX | malware (ai score=83) |
Malwarebytes | Spyware.PasswordStealer |
Tencent | Malware.Win32.Gencirc.10ce52dd |
Yandex | TrojanSpy.Agent!KdSyOWNBWz8 |
SentinelOne | Static AI - Malicious PE |
Fortinet | W32/Agent.PYU!tr |
AVG | Win32:PWSX-gen [Trj] |
Panda | Trj/GdSda.A |