Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 14, 2021, 9:53 a.m.	Sept. 14, 2021, 10:06 a.m.

Size	83.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`6622363be06db7fabf23393755e05b0b`
SHA256	`e046697b4102be8e3ad4b6e04524e7248d86b58f6d9f4884357fd33768878fbd`
CRC32	`C86642C9`
ssdeep	`1536:59POZTDTDXAqlscUaXzvFMHmx7HHZsj8U4n43HTdk0GVj+Bk4:HPmTXDXAdEzmGBH5uHTddG4`
Yara	PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

pay.exe "C:\Users\test22\AppData\Local\Temp\pay.exe"
2232

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
1.14.61.188	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49200 -> 1.14.61.188:8080	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	Malware Command and Control Activity Detected
TCP 192.168.56.101:49200 -> 1.14.61.188:8080	2021716	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102	Malware Command and Control Activity Detected
TCP 192.168.56.101:49200 -> 1.14.61.188:8080	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	Malware Command and Control Activity Detected
TCP 192.168.56.101:49200 -> 1.14.61.188:8080	2021716	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102	Malware Command and Control Activity Detected
TCP 192.168.56.101:49200 -> 1.14.61.188:8080	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	Malware Command and Control Activity Detected
TCP 192.168.56.101:49200 -> 1.14.61.188:8080	2021716	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102	Malware Command and Control Activity Detected
TCP 192.168.56.101:49200 -> 1.14.61.188:8080	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	Malware Command and Control Activity Detected
TCP 192.168.56.101:49200 -> 1.14.61.188:8080	2021716	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

The executable uses a known packer (1 event)

packer

UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

Foreign language identified in PE resource (1 event)

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0003205c

size

0x00000408

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA Sept. 14, 2021, 9:53 a.m.	service_start_name: start_type: 2 password: display_name: Windows Updtae filepath: C:\Users\test22\AppData\Local\Temp\%SystemRoot%\System32\svchost.exe -k netsvcs service_name: fastuserswitchingcompatibility filepath_r: %SystemRoot%\System32\svchost.exe -k netsvcs desired_access: 983551 service_handle: 0x00573710 error_control: 0 service_type: 288 service_manager_handle: 0x005738f0	1	5715728	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (5 events)

Time & API	Arguments	Status	Return
Process32NextW Sept. 14, 2021, 9:53 a.m.	snapshot_handle: 0x00000120 process_name: SearchProtocolHost.exe process_identifier: 2120	1	1
Process32NextW Sept. 14, 2021, 9:53 a.m.	snapshot_handle: 0x00000120 process_name: mobsync.exe process_identifier: 1068	1	1
Process32NextW Sept. 14, 2021, 9:53 a.m.	snapshot_handle: 0x00000120 process_name: pw.exe process_identifier: 2368	1	1
Process32NextW Sept. 14, 2021, 9:53 a.m.	snapshot_handle: 0x00000120 process_name: sdclt.exe process_identifier: 752	1	1
Process32NextW Sept. 14, 2021, 9:53 a.m.	snapshot_handle: 0x00000120 process_name: taskhost.exe process_identifier: 2420	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00014200', u'virtual_address': u'0x0001d000', u'entropy': 7.9306187216408235, u'name': u'UPX1', u'virtual_size': u'0x00015000'}

entropy

7.93061872164

description

A section with a high entropy has been found

entropy

0.975757575758

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

pay.exe

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Communicates with host for which no DNS query was performed (1 event)

host

1.14.61.188

Installs itself for autorun at Windows startup (2 events)

service_name	fastuserswitchingcompatibility				service_path	C:\Users\test22\AppData\Local\Temp\%SystemRoot%\System32\svchost.exe -k netsvcs
reg_key	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\fastuserswitchingcompatibility\Parameters\ServiceDll				reg_value	C:\Windows\system32\ntfastuserswitchingcompatibility.dll

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Generic.Magania.1.0241FA2C
FireEye	Generic.mg.6622363be06db7fa
CAT-QuickHeal	Trojanpws.Bjlog.20461
ALYac	Generic.Magania.1.0241FA2C
Malwarebytes	Malware.AI.2703777413
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Dialer ( 004be7ad1 )
Alibaba	Backdoor:Win32/PcClient.2cd9faf8
K7GW	Dialer ( 004be7ad1 )
Cybereason	malicious.be06db
BitDefenderTheta	AI:Packer.82393A1E1F
Cyren	W32/Zegost.I.gen!Eldorado
Symantec	Backdoor.Trojan
ESET-NOD32	Win32/Dialer.NHP
Baidu	Win32.Trojan.Baijin.a
TrendMicro-HouseCall	BKDR_ZEGOST.SMF
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	Trojan-PSW.Win32.Bjlog.dxwn
BitDefender	Generic.Magania.1.0241FA2C
NANO-Antivirus	Trojan.Win32.DVB.fjzikd
Avast	FileRepMalware
Tencent	Backdoor.Win32.Gh0st.al
Ad-Aware	Generic.Magania.1.0241FA2C
Emsisoft	Generic.Magania.1.0241FA2C (B)
Comodo	TrojWare.Win32.PSW.Bjlog.~Z@k24gw
DrWeb	Trojan.MulDrop1.56994
VIPRE	Backdoor.Win32.Zegost.B (v)
TrendMicro	BKDR_ZEGOST.SMF
McAfee-GW-Edition	BehavesLike.Win32.Generic.mc
SentinelOne	Static AI - Malicious PE
Sophos	ML/PE-A + Troj/Redosdru-A
APEX	Malicious
Jiangmin	Trojan/Agent.chek
Avira	BDS/Agent.188418
Antiy-AVL	Trojan/Generic.ASBOL.577
Microsoft	Backdoor:Win32/PcClient.ZR
ViRobot	Trojan.Win32.Agent.188416.R[UPX]
GData	Generic.Magania.1.0241FA2C
AhnLab-V3	Trojan/Win32.PbBot.R3985
Acronis	suspicious
McAfee	Artemis!6622363BE06D
MAX	malware (ai score=84)
VBA32	BScope.Trojan.Agent.0135
Cylance	Unsafe
Rising	Backdoor.Bagolod!1.64B4 (CLASSIC)
Ikarus	Trojan.Win32.Redosdru
Fortinet	W32/Magania.ATH!tr.pws
AVG	FileRepMalware

pay.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All