Summary | ZeroBOX

listbul.exe

GCC MinGW PE64 PE File
Category FILE
Machine s1_win7_x6403_us
Started May 24, 2022, 9:17 a.m.
Completed May 24, 2022, 9:36 a.m.
Size 2.9MB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 8970a3db9f39923a4ef16fb39cd8acc5
SHA256 1e3d10c3c84d7617692174a1f9ae8a658eabb22c7122ef1c8f37f35641ccf7aa
CRC32 15F47748
ssdeep 1536:cDG3b58g1Ax5QvHisR3yCmaWXRbkweWkCBbLyxsoUvMFMQiNTRhhmb0rBNliiU:MG3bni5mHGbcCBbLyxsgmRzmbkfU
Yara
  • PE_Header_Zero - PE File Signature
  • MinGW - Used MinGW (Win GCC)
  • IsPE64 - (no description)

Hosts

Name          Response        Post-Analysis Lookup
pilatylu.com  94.140.115.34   (empty)

IP Address     Status  Action
164.124.101.2  Active  Moloch
94.140.115.34  Active  Moloch

Only 94.140.115.34, the address pilatylu.com resolved to, appears in the Suricata flow below; 164.124.101.2 has no alert or HTTP request on this page.

Suricata Alerts

Flow: TCP 192.168.56.103:49161 -> 94.140.115.34:80
SID: 2032086
Signature: ET MALWARE Win32/IcedID Request Cookie
Category: A Network Trojan was detected

Suricata TLS

No Suricata TLS

HTTP

suspicious_features: GET method with no useragent header
suspicious_request: GET http://pilatylu.com/
request: GET http://pilatylu.com/
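The "GET method with no useragent header" flag above is a simple header check; the following is an added example (not ZeroBOX or Cuckoo code) that reproduces it from a raw HTTP request head and rebuilds the "GET http://pilatylu.com/" line from the request target and Host header. Both requests are constructed: the first mirrors the page's beacon (no User-Agent), the second is a browser-style request added for contrast whose User-Agent string is an assumption, not taken from the page.

```python
"""Re-derive the sandbox's HTTP "suspicious_features" label from a raw request.

Added example; not ZeroBOX/Cuckoo code. The requests below are constructed.
"""

# Constructed: mirrors the page's beacon, a bare GET / to pilatylu.com with no User-Agent.
BEACON_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: pilatylu.com\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

# Constructed contrast case: same target, but a browser-style User-Agent (assumed value).
BROWSER_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: pilatylu.com\r\n"
    b"User-Agent: Mozilla/5.0 (constructed)\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)


def parse_http_request(raw: bytes):
    """Return (method, target, headers); header names are lower-cased.

    Only the request head is parsed; any body after the blank line is ignored.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def request_url(method: str, target: str, headers: dict) -> str:
    """Rebuild the report's 'METHOD http://host/path' form from Host + target."""
    return f"{method} http://{headers.get('host', '')}{target}"


def suspicious_features(raw: bytes):
    """Labels in the sandbox's own wording for the checks this example implements."""
    method, _target, headers = parse_http_request(raw)
    features = []
    # A plain GET with no User-Agent at all is rare for browsers and common for
    # hand-rolled C2 beacons, which is why the sandbox flags it.
    if method == "GET" and "user-agent" not in headers:
        features.append("GET method with no useragent header")
    return features


if __name__ == "__main__":
    for req in (BEACON_REQUEST, BROWSER_REQUEST):
        print(request_url(*parse_http_request(req)), suspicious_features(req))
```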
API calls (columns: Time & API, Arguments, Status, Return, Repeated)

NtAllocateVirtualMemory

process_identifier: 2328
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001d30000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
status 1 (success)  return 0  repeated 0

NtAllocateVirtualMemory

process_identifier: 2328
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001d40000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
status 1 (success)  return 0  repeated 0
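Both calls above commit memory as PAGE_EXECUTE_READWRITE (protection 64 = 0x40) in the sample's own process (process_handle 0xffffffffffffffff is the NtCurrentProcess pseudo-handle), the usual staging step before a decrypted payload or shellcode is written and executed. The following added example (not ZeroBOX or Cuckoo code) parses call records in the report's "key: value" layout and flags that pattern. The embedded log is constructed: it repeats the two calls shown on the page and adds a third PAGE_READWRITE allocation, which is not on the page, as a non-flagged contrast.

```python
"""Triage NtAllocateVirtualMemory records for RWX self-allocations.

Added example; not ZeroBOX/Cuckoo code. SAMPLE_LOG is constructed.
"""
import re

PAGE_EXECUTE_READWRITE = 0x40
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
SELF_PROCESS = 0xFFFFFFFFFFFFFFFF  # NtCurrentProcess() pseudo-handle on 64-bit Windows

# Constructed: the page's two calls plus one PAGE_READWRITE allocation for contrast.
SAMPLE_LOG = """
NtAllocateVirtualMemory

process_identifier: 2328
region_size: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001d30000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff

NtAllocateVirtualMemory

process_identifier: 2328
region_size: 16384
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001d40000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff

NtAllocateVirtualMemory

process_identifier: 2328
region_size: 65536
protection: 4 (PAGE_READWRITE)
base_address: 0x0000000001d50000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
"""


def parse_calls(text: str):
    """Turn the report's record layout into a list of dicts.

    A bare identifier line starts a new record (the API name); 'key: value'
    lines fill it in. Leading decimal or hex numbers become ints so that
    '64 (PAGE_EXECUTE_READWRITE)' compares as 64.
    """
    calls, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if re.fullmatch(r"[A-Za-z_]\w*", line):
            cur = {"api": line}
            calls.append(cur)
            continue
        m = re.match(r"(\w+):\s*(.*)", line)
        if m and cur is not None:
            key, val = m.groups()
            num = re.match(r"(0x[0-9a-fA-F]+|\d+)\b", val)
            cur[key] = int(num.group(1), 0) if num else val
    return calls


def flag_rwx_self_alloc(calls):
    """Return (base_address, region_size) for committed RWX memory in the caller's own process.

    Legitimate code rarely needs W+X at once; JITs and loaders normally map RW,
    write, then flip to RX. RWX from the start in one's own process is the
    classic shellcode / unpacked-payload staging pattern.
    """
    hits = []
    for c in calls:
        if c.get("api") != "NtAllocateVirtualMemory":
            continue
        if c.get("protection") != PAGE_EXECUTE_READWRITE:
            continue
        if c.get("process_handle") != SELF_PROCESS:
            continue
        if not c.get("allocation_type", 0) & MEM_COMMIT:
            continue
        hits.append((c["base_address"], c["region_size"]))
    return hits


def rwx_bytes(calls) -> int:
    """Total committed RWX bytes, a quick size hint for the staged payload."""
    return sum(size for _, size in flag_rwx_self_alloc(calls))


if __name__ == "__main__":
    calls = parse_calls(SAMPLE_LOG)
    for base, size in flag_rwx_self_alloc(calls):
        print(f"RWX self-alloc at {base:#018x}, {size} bytes")
    print("total RWX bytes:", rwx_bytes(calls))
```

When the region is later written to and executed, the same base addresses (0x1d30000, 0x1d40000 here) are the ones to dump from the sandbox's memory snapshot for the unpacked stage.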
Sections with high entropy (description: A section with a high entropy has been found)

Name   virtual_address  virtual_size  size_of_data  entropy
.data  0x00003000       0x00000cc0    0x00000e00    7.145116499310805
.rsrc  0x0000b000       0x00003458    0x00003600    7.270558432666617
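The entropy values above are Shannon entropy in bits per byte over each section's raw data (size_of_data bytes at the section's file offset), where 8.0 is uniformly random and values above roughly 7.0 are typical of compressed or encrypted content. The following added example (not ZeroBOX or Cuckoo code) reproduces that check offline: it walks the PE section table with struct, computes the entropy of each section, and flags those above a threshold. The 7.0 threshold is an assumption (the report's flagged sections are 7.14 and 7.27), and the PE image it runs on is constructed in build_test_pe, not the listbul.exe sample.

```python
"""Reproduce the sandbox's per-section entropy check on a PE image.

Added example; not ZeroBOX/Cuckoo code. The test image is constructed.
"""
import math
import struct
from collections import Counter

HIGH_ENTROPY = 7.0  # assumed threshold; the page's flagged sections are 7.14 and 7.27


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(blob: bytes):
    """Yield (name, virtual_address, virtual_size, raw_bytes) per section header."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]          # e_lfanew
    if blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    table = coff + 20 + opt_size                                # 20-byte COFF header
    for i in range(num_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, table + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        yield name, vaddr, vsize, blob[raw_ptr:raw_ptr + raw_size]


def high_entropy_sections(blob: bytes, threshold: float = HIGH_ENTROPY):
    """[(name, entropy)] for sections whose raw data exceeds the threshold."""
    return [(name, round(shannon_entropy(raw), 3))
            for name, _va, _vs, raw in pe_sections(blob)
            if shannon_entropy(raw) > threshold]


def build_test_pe(sections):
    """Constructed minimal PE image (DOS stub, COFF header, section table, raw data).

    Enough for the parser above; not a loadable executable.
    sections: list of (name, raw_bytes).
    """
    pe_off, opt_size = 0x40, 0
    table_off = pe_off + 4 + 20 + opt_size
    data_ptr = table_off + 40 * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0)
    headers, body = b"", b""
    for i, (name, raw) in enumerate(sections):
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                               len(raw), 0x1000 * (i + 1), len(raw), data_ptr + len(body),
                               0, 0, 0, 0, 0)
        body += raw
    return dos + coff + headers + body


if __name__ == "__main__":
    image = build_test_pe([(".text", b"\0" * 1024), (".rsrc", bytes(range(256)) * 4)])
    for name, va, vs, raw in pe_sections(image):
        print(f"{name:<8} va={va:#010x} size={len(raw):#08x} entropy={shannon_entropy(raw):.3f}")
    print("flagged:", high_entropy_sections(image))
```

On a real sample, read the file with open(path, "rb") and pass the bytes to high_entropy_sections; a small .data section near 7.1 bits per byte, as here, usually holds an encrypted configuration or payload blob rather than ordinary initialised data.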
Antivirus results (vendor / detection). Most vendors name the IcedID banker, which agrees with the Suricata IcedID signature above; ViRobot and Malwarebytes instead label the file Meterpreter, and several return only generic crypter names (GenKryptik, Crypt.Agent, BotX-gen), which together with the high-entropy .data and .rsrc sections points at a packed loader. Treat the family label as a lead to confirm against the observed C2 traffic, not as a verdict.

Lionic Trojan.Win32.IcedID.7!c
DrWeb Trojan.IcedID.84
MicroWorld-eScan Trojan.GenericKD.49049799
McAfee Artemis!8970A3DB9F39
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 005931011 )
BitDefender Trojan.GenericKD.49049799
K7GW Trojan ( 005931011 )
Cybereason malicious.a223df
Cyren W64/ABRisk.LXNS-7972
Symantec Trojan.Gen.MBT
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win64/GenKryptik.FUUH
TrendMicro-HouseCall TROJ_GEN.R002C0WEN22
Avast Win64:BotX-gen [Trj]
Kaspersky Trojan-Banker.Win32.IcedID.tzzv
Alibaba TrojanBanker:Win32/IcedID.3aed6cde
ViRobot Trojan.Win32.Z.Meterpreter.3000000
Rising Trojan.IcedID!8.102AF (CLOUD)
Ad-Aware Trojan.GenericKD.49049799
Emsisoft Trojan.GenericKD.49049799 (B)
TrendMicro TROJ_GEN.R002C0WEN22
McAfee-GW-Edition BehavesLike.Win64.Trojan.vz
FireEye Generic.mg.8970a3db9f39923a
Sophos Mal/Generic-S
Paloalto generic.ml
Avira TR/Crypt.Agent.ybsaw
Kingsoft Win32.Troj.Banker.(kcloud)
ZoneAlarm Trojan-Banker.Win32.IcedID.tzzv
GData Trojan.GenericKD.49049799
Cynet Malicious (score: 100)
Acronis suspicious
ALYac Trojan.GenericKD.49049799
MAX malware (ai score=85)
Malwarebytes Trojan.Meterpreter
APEX Malicious
Tencent Win32.Trojan-banker.Icedid.Ebqm
SentinelOne Static AI - Malicious PE
MaxSecure Trojan.Malware.177153742.susgen
Fortinet PossibleThreat.PALLASNET.H
AVG Win64:BotX-gen [Trj]
CrowdStrike win/malicious_confidence_100% (W)