Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.17 02:09
setup2.exe
09.17 02:09
66e5f96b41510_GageEpa....
09.17 02:09
ueu7.exe
09.17 02:09
Ghost_0x000263826B9A9B...
09.17 02:09
66c62b70f281e_tz4j.exe
09.17 02:09
Client_protected.exe
09.17 02:09
install_lodop32.exe
09.17 02:09
hq8.exe
09.17 02:09
66df1acad4359_res_out.exe
09.17 02:09
yqy2.exe

Latest News
09.18 05:09
KKR-Backed Livspace Ne...
09.18 05:09
BlackRock, Microsoft A...
09.18 05:09
FCC opens applications...
09.18 05:09
Latest PiEEG Shield No...
09.18 05:09
Sony Joins a Crypto Pu...
09.18 04:09
Back to the office, Vo...
09.18 04:09
AT&T agrees to $13...
09.18 04:09
Russia-backed disinfo ...
09.18 04:09
Tracing Stack Usage an...
09.18 04:09
Russian threat groups ...

Summary | ZeroBOX

RepIB.exe

Process Kill CryptGenKey UPX FindFirstVolume PE File Device_File_Check OS Processor Check PE32

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 29, 2021, 5:59 p.m.	June 29, 2021, 6:02 p.m.

Size	1.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`37ddaa9df30fbfac88ef5cfaf07cb017`
SHA256	`22ee9dc927d421f47d8b1bbb1c0176ec1f9622963e39e8d8bd28798f81847f7b`
CRC32	`57AF890D`
ssdeep	`24576:WAHnh+eWsN3skA4RV1Hom2KXMmHaSVRD8xB4P5:xh+ZkldoPK8Yaq6s`
Yara	CryptGenKey_Zero - CryptGenKey Zero OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Device_Check_Zero - Device Check Zero FindFirstVolume_Zero - FindFirstVolume Zero PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file Process_Snapshot_Kill_Zero - Process Kill Zero

RepIB.exe "C:\Users\test22\AppData\Local\Temp\RepIB.exe"
5032

Name	Response	Post-Analysis Lookup
app.ibantrocas.com	A 80.78.22.159	80.78.22.159

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
80.78.22.159	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49807 -> 80.78.22.159:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49806 -> 80.78.22.159:80	2008350	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile	Potential Corporate Privacy Violation

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49807 80.78.22.159:443	C=US, O=Let's Encrypt, CN=R3	CN=app.ibantrocas.com	8c:6a:2a:5d:ae:a8:ec:6f:98:da:02:8b:b2:74:b7:cd:8d:65:68:28

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 29, 2021, 5:59 p.m.			0	0

Performs some HTTP requests (2 events)

request	GET http://app.ibantrocas.com/counter/
request	GET https://app.ibantrocas.com/counter/

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 29, 2021, 5:59 p.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

File has been identified by 19 AntiVirus engines on VirusTotal as malicious (19 events)

Bkav	W32.AIDetect.malware2
McAfee	Artemis!37DDAA9DF30F
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
ESET-NOD32	a variant of Win32/ClipBanker.NL
APEX	Malicious
Avast	Win32:Trojan-gen
Kaspersky	Trojan-Notifier.Win32.AutoIt.a
Paloalto	generic.ml
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	BehavesLike.Win32.TrojanAitInject.th
Microsoft	Trojan:Win32/Wacatac.B!ml
AegisLab	Hacktool.Win32.Gamehack.3!e
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.C4535597
eGambit	Unsafe.AI_Score_90%
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:Trojan-gen
CrowdStrike	win/malicious_confidence_60% (W)