Summary | ZeroBOX

gallerywp.exe

Tags: Process Kill, CryptGenKey, FindFirstVolume, PE File, Device_File_Check, OS Processor Check, PE32
Category: FILE
Machine: s1_win7_x6401
Started: June 25, 2021, 9:34 a.m.
Completed: June 25, 2021, 9:43 a.m.
Size 1.0MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 73da35da64ddbe9a74984d4638fdc045
SHA256 a7643384f48446fdf343641815b56ffd0106caab6ca6f08ae1caa2de39c7fa07
CRC32 8D190C76
ssdeep 24576:IAHnh+eWsN3skA4RV1Hom2KXMmHaSVRDSxBHP5:Ph+ZkldoPK8YaqoB
Yara
  • PE_Header_Zero - PE File Signature
  • CryptGenKey_Zero - CryptGenKey Zero
  • OS_Processor_Check_Zero - OS Processor Check
  • Device_Check_Zero - Device Check Zero
  • IsPE32 - (no description)
  • FindFirstVolume_Zero - FindFirstVolume Zero
  • Process_Snapshot_Kill_Zero - Process Kill Zero

Domain lookups (Name / Response / Post-Analysis Lookup)
  app.ibantrocas.com -> 80.78.22.159

IP addresses (IP Address / Status / Action)
  164.124.101.2  Active  Moloch
  80.78.22.159   Active  Moloch

Suricata Alerts

Flow: TCP 192.168.56.101:49198 -> 80.78.22.159:443
SID: 906200056
Signature: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Category: undefined

Suricata TLS

Flow: TLSv1 192.168.56.101:49198 -> 80.78.22.159:443
Issuer: C=US, O=Let's Encrypt, CN=R3
Subject: CN=app.ibantrocas.com
Fingerprint: 8c:6a:2a:5d:ae:a8:ec:6f:98:da:02:8b:b2:74:b7:cd:8d:65:68:28

API calls (Time & API / Arguments / Status / Return / Repeated)

IsDebuggerPresent
  Status / Return / Repeated: 0 0

HTTP request: GET https://app.ibantrocas.com/counter/

NtProtectVirtualMemory
  process_identifier: 1468
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x72b62000
  process_handle: 0xffffffff
  Status / Return / Repeated: 1 0 0
Bkav W32.AIDetect.malware2
MicroWorld-eScan Trojan.GenericKD.46530178
FireEye Trojan.GenericKD.46530178
ALYac Trojan.GenericKD.46530178
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_60% (W)
Arcabit Trojan.Generic.D2C5FE82
ESET-NOD32 Win32/ClipBanker.NL
APEX Malicious
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Trojan.GenericKD.46530178
Paloalto generic.ml
AegisLab Hacktool.Win32.Gamehack.3!e
Ad-Aware Trojan.GenericKD.46530178
Sophos Generic PUA EK (PUA)
Comodo TrojWare.Win32.Agent.xluby@0
McAfee-GW-Edition BehavesLike.Win32.TrojanAitInject.th
Emsisoft Trojan.GenericKD.46530178 (B)
Ikarus Trojan.Win32.Clipbanker
Webroot W32.Trojan.Gen
eGambit Unsafe.AI_Score_90%
Kingsoft Win32.Troj.Generic_a.a.(kcloud)
Gridinsoft Trojan.Win32.Downloader.oa
Microsoft Program:Win32/Wacapew.C!ml
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Trojan.GenericKD.46530178
Cynet Malicious (score: 100)
McAfee Artemis!73DA35DA64DD
MAX malware (ai score=80)
Malwarebytes Trojan.MalPack.AutoIt