bghost.exe| Category | Machine | Started | Completed |
|---|---|---|---|
| FILE | s1_win7_x6403_us | Oct. 28, 2021, 6:17 p.m. | Oct. 28, 2021, 6:20 p.m. |
-
bghost.exe "C:\Users\test22\AppData\Local\Temp\bghost.exe"
2396
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| youbotter.click | 167.71.28.113 |
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.103:49171 -> 167.71.28.113:80 | 2024897 | ET USER_AGENTS Go HTTP Client User-Agent | Misc activity |
| TCP 192.168.56.103:49170 -> 167.71.28.113:80 | 2024897 | ET USER_AGENTS Go HTTP Client User-Agent | Misc activity |
| TCP 192.168.56.103:49169 -> 167.71.28.113:80 | 2024897 | ET USER_AGENTS Go HTTP Client User-Agent | Misc activity |
| TCP 192.168.56.103:49166 -> 167.71.28.113:80 | 2024897 | ET USER_AGENTS Go HTTP Client User-Agent | Misc activity |
| TCP 192.168.56.103:49166 -> 167.71.28.113:80 | 2024897 | ET USER_AGENTS Go HTTP Client User-Agent | Misc activity |
| TCP 192.168.56.103:49170 -> 167.71.28.113:80 | 2024897 | ET USER_AGENTS Go HTTP Client User-Agent | Misc activity |
| TCP 192.168.56.103:49166 -> 167.71.28.113:80 | 2024897 | ET USER_AGENTS Go HTTP Client User-Agent | Misc activity |
| TCP 192.168.56.103:49170 -> 167.71.28.113:80 | 2024897 | ET USER_AGENTS Go HTTP Client User-Agent | Misc activity |
| TCP 192.168.56.103:49166 -> 167.71.28.113:80 | 2024897 | ET USER_AGENTS Go HTTP Client User-Agent | Misc activity |
Suricata TLS
No Suricata TLS
| suspicious_features | POST method with no referer header | suspicious_request | POST http://youbotter.click/ | ||||||
| request | POST http://youbotter.click/ |
| request | GET http://youbotter.click/stream.php |
| request | POST http://youbotter.click/ |
| section | {u'size_of_data': u'0x003d3000', u'virtual_address': u'0x006b6000', u'entropy': 7.904241961430424, u'name': u'UPX1', u'virtual_size': u'0x003d3000'} | entropy | 7.90424196143 | description | A section with a high entropy has been found | |||||||||
| entropy | 0.999872334993 | description | Overall entropy of this PE file is high | |||||||||||
| section | UPX0 | description | Section name indicates UPX | ||||||
| section | UPX1 | description | Section name indicates UPX | ||||||
| section | UPX2 | description | Section name indicates UPX | ||||||
| reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SystemHost | reg_value | C:\Users\test22\AppData\Roaming\sysfile\bghost.exe | ||||||
| MicroWorld-eScan | Trojan.Generic.31068367 |
| FireEye | Generic.mg.83754fa016cb31ea |
| McAfee | Artemis!83754FA016CB |
| Cylance | Unsafe |
| Sangfor | Trojan.Win32.Save.a |
| CrowdStrike | win/malicious_confidence_80% (W) |
| Alibaba | TrojanDropper:Win32/Coinminer.68a7495e |
| K7GW | Trojan ( 005897fa1 ) |
| K7AntiVirus | Trojan ( 005897fa1 ) |
| Symantec | Trojan.Gen.2 |
| ESET-NOD32 | WinGo/Agent.CV |
| APEX | Malicious |
| Paloalto | generic.ml |
| Kaspersky | Trojan-Dropper.Win32.Sysn.czoy |
| BitDefender | Trojan.Generic.31068367 |
| Avast | Win64:Malware-gen |
| Ad-Aware | Trojan.Generic.31068367 |
| Emsisoft | Trojan.Generic.31068367 (B) |
| McAfee-GW-Edition | BehavesLike.Win64.Trickbot.wc |
| Sophos | Mal/Generic-S |
| Ikarus | Malware.Win64.Coinminer |
| Webroot | W32.Malware.Gen |
| Avira | TR/Drop.Sysn.whnqe |
| MAX | malware (ai score=86) |
| Antiy-AVL | Trojan/Generic.ASBOL.C5E3 |
| Gridinsoft | Malware.Win64.GenericMC.cc |
| Microsoft | Trojan:Win32/Sabsik.FL.A!ml |
| ViRobot | Trojan.Win32.Z.Sabsik.4011008.A |
| GData | Trojan.Generic.31068367 |
| Cynet | Malicious (score: 100) |
| VBA32 | TrojanDropper.Sysn |
| ALYac | Trojan.Generic.31068367 |
| Malwarebytes | Trojan.Agent |
| SentinelOne | Static AI - Suspicious PE |
| Fortinet | W32/Agent.CV!tr |
| AVG | Win64:Malware-gen |
| Cybereason | malicious.36ee2d |
| Panda | Trj/CI.A |