Summary | ZeroBOX

TeamViewer_Desktop.exe

ASPack UPX PE32 PE File
Category: FILE
Machine: s1_win7_x6403_us
Started: Dec. 12, 2022, 11:21 a.m.
Completed: Dec. 12, 2022, 11:23 a.m.
Size 376.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 0c9df67f152a727b0832aa4e7f079a71
SHA256 294f231d98716586a83665cb179bf1228d11cca7c753d902df1c19d60d53ba2e
CRC32 BB35FDFA
ssdeep 3072:hsgZAzdUCmqlw4kp/LZ1aHS5GfqPuV8hS:hsgZFCmXDp/l1+SdPAYS
Yara
  • IsPE32 - (no description)
  • ASPack_Zero - ASPack packed file
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file

DNS
No hosts contacted.

Contacted IP addresses
164.124.101.2 (Active)
45.89.255.250 (Active)

Suricata Alerts

Flow: TCP 192.168.56.103:49163 -> 45.89.255.250:50505
SID: 2014600
Signature: ET MALWARE Win32/Nitol.A Checkin
Category: Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Flagged API calls (columns: API, arguments, status, return, repeated)

GetComputerNameA
    computer_name: TEST22-PC
    status 1, return 1, repeated 0

WriteConsoleW
    buffer: The operation completed successfully.
    console_handle: 0x00000007
    status 1, return 1, repeated 0

GlobalMemoryStatusEx
    status 1, return 1, repeated 0

section .itext

ShellExecuteExW
    show_type: 0
    filepath_r: reg.exe
    parameters: ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "My App" /t REG_SZ /F /D "C:\Users\test22\AppData\Roaming\dllhost.exe"
    filepath: reg.exe
    status 1, return 1, repeated 0

ShellExecuteExW
    show_type: 0
    filepath_r: C:\Users\test22\AppData\Roaming\dllhost.exe
    parameters:
    filepath: C:\Users\test22\AppData\Roaming\dllhost.exe
    status 1, return 1, repeated 0
section .data: virtual_address 0x00014000, virtual_size 0x0000e010, size_of_data 0x0000e200, entropy 7.96
description: A section with a high entropy has been found
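The high-entropy signature is a per-section Shannon entropy check: .data at 7.96 bits per byte sits just under the 8.0 maximum, which is what packed or encrypted content looks like and is consistent with the ASPack and UPX Yara matches above. The following Python is an added example, not ZeroBOX or Cuckoo code, that reimplements the check with only the standard library (DOS header, e_lfanew, COFF header, section table, entropy over each section's raw bytes) and runs it over a minimal PE image constructed inline; the 7.0 threshold is an assumption.

```python
import math
import struct
from dataclasses import dataclass
from typing import List


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    size_of_data: int
    entropy: float


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single repeated value, 8.0 for a uniform spread."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> List[Section]:
    """Walk the PE section table: MZ -> e_lfanew -> PE\\0\\0 -> COFF header -> section headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, n_sections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", pe, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(n_sections):
        # First 24 bytes of a 40-byte IMAGE_SECTION_HEADER: Name, VirtualSize,
        # VirtualAddress, SizeOfRawData, PointerToRawData
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        raw = pe[raw_ptr:raw_ptr + raw_size]  # the bytes actually stored in the file
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vaddr, vsize, raw_size, shannon_entropy(raw)))
    return sections


def high_entropy_sections(pe: bytes, threshold: float = 7.0) -> List[Section]:
    """Sections whose raw data is near-random; threshold is an assumed tuning value."""
    return [s for s in parse_sections(pe) if s.entropy >= threshold]


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 image (not the analysed sample) for an offline run."""
    text = b"\x90" * 0x200            # one byte value only: entropy 0.0
    data = bytes(range(256)) * 2       # every value equally often: entropy 8.0
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew -> PE header at offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)  # i386, 2 sections
    opt = struct.pack("<H", 0x10B).ljust(0xE0, b"\0")                # PE32 magic, rest zero
    hdr = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr += struct.pack("<8sIIIIIIHHI", b".data", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = (bytes(dos) + b"PE\0\0" + coff + opt + hdr).ljust(0x200, b"\0")
    return headers + text + data


if __name__ == "__main__":
    for s in parse_sections(build_sample_pe()):
        print(f"{s.name:<8} va=0x{s.virtual_address:08x} raw=0x{s.size_of_data:08x} entropy={s.entropy:.2f}")
```

Run it against a real file with `parse_sections(open(path, "rb").read())`; a section at 7.9 and above nearly always means a packer stub that unpacks at runtime, which is also why the static AV names below are mostly generic.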
cmdline reg.exe ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "My App" /t REG_SZ /F /D "C:\Users\test22\AppData\Roaming\dllhost.exe"
cmdline "C:\Windows\System32\reg.exe" ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "My App" /t REG_SZ /F /D "C:\Users\test22\AppData\Roaming\dllhost.exe"
host 45.89.255.250
reg_key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\My App
reg_value: C:\Users\test22\AppData\Roaming\dllhost.exe
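The two ShellExecuteExW calls and the reg_key/reg_value pair above are the persistence mechanism: reg.exe writes a HKCU Run value named "My App" pointing at a file called dllhost.exe under the user's AppData\Roaming, then that file is launched. HKCU Run needs no elevation, and dllhost.exe is the name of a legitimate Windows binary (the COM Surrogate in System32), so the name alone does not stand out in a process list. The following Python is an added example, not ZeroBOX code, that flags this pattern in reg.exe command lines from process-creation telemetry; the log lines are constructed (the first is the command line recorded in this report), and the user-writable directory list and masqueraded-name list are assumptions to tune for your environment.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Autostart keys in any hive (HKCU, HKLM, HKEY_CURRENT_USER, ...) that reg.exe persistence targets.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)
# Assumed list of directories an unprivileged user can write to; a Run payload there is a red flag.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\(Roaming|Local)|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
# Assumed list of legitimate Windows binary names commonly mimicked outside their real directory.
MASQUERADE_NAMES = {"dllhost.exe", "svchost.exe", "csrss.exe", "lsass.exe", "rundll32.exe"}
SYSTEM_DIR_RE = re.compile(r"\\Windows\\(System32|SysWOW64)\\", re.IGNORECASE)


@dataclass
class Finding:
    key: str
    value_name: str
    payload: str
    reasons: List[str] = field(default_factory=list)


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line: a double-quoted run is one token, quotes removed."""
    return [q if q else u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_reg_add(cmdline: str) -> Optional[Finding]:
    """Return a Finding when cmdline is `reg.exe ADD <autostart key> ...`, otherwise None."""
    argv = tokenize(cmdline)
    if len(argv) < 3 or basename(argv[0]) != "reg.exe" or argv[1].upper() != "ADD":
        return None
    key = argv[2].rstrip("\\")
    if not RUN_KEY_RE.search(key):
        return None
    opts = {}
    i = 3
    while i < len(argv):
        flag = argv[i].upper()
        if flag in ("/V", "/T", "/D") and i + 1 < len(argv):
            opts[flag] = argv[i + 1]
            i += 2
        else:
            i += 1  # /F, /VE, /S and anything unknown take no value
    payload = opts.get("/D", "")
    finding = Finding(key=key, value_name=opts.get("/V", "(Default)"), payload=payload)
    if USER_WRITABLE_RE.search(payload):
        finding.reasons.append("payload lives in a user-writable directory")
    if basename(payload) in MASQUERADE_NAMES and not SYSTEM_DIR_RE.search(payload):
        finding.reasons.append("payload reuses a Windows system binary name outside System32")
    return finding


def scan(cmdlines: List[str]) -> List[Finding]:
    """Every autostart write is reported; the reasons list tells the analyst which ones to chase."""
    return [f for f in (parse_reg_add(c) for c in cmdlines) if f is not None]


# Constructed process command lines (not real telemetry); the first is from the report above.
SAMPLE_LOG = [
    r'reg.exe ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "My App" /t REG_SZ /F /D "C:\Users\test22\AppData\Roaming\dllhost.exe"',
    r'"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v VendorUpdater /t REG_SZ /d "C:\Program Files\Vendor\updater.exe" /f',
    r'reg.exe ADD HKCU\Software\Contoso\Editor /v FontSize /t REG_DWORD /d 12 /f',
    r'reg.exe QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.key}\\{f.value_name} -> {f.payload}: {f.reasons or 'no red flags'}")
```

The same logic applies to a Sysmon event 1 or 4688 feed: feed the CommandLine field in and page on findings with a non-empty reasons list, while keeping the rest for baseline review.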
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.Generic.32461068
McAfee RDN/Generic.dx
Sangfor Riskware.Win32.Crampes.V06t
K7AntiVirus Riskware ( 0052f7bd1 )
Alibaba Trojan:Win32/Crampes.46653f6f
K7GW Riskware ( 0052f7bd1 )
Cybereason malicious.bed03f
Cyren W32/ABRisk.FKUV-3613
Symantec ML.Attribute.HighConfidence
tehtris Generic.Malware
ESET-NOD32 Win32/RiskWare.PEMalform.J
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky HEUR:Trojan.Win32.Crampes.a
BitDefender Trojan.Generic.32461068
Avast Win32:Evo-gen [Trj]
Rising Trojan.Swrort!8.296 (TFE:2:CCuO7nvtECH)
Ad-Aware Trojan.Generic.32461068
Emsisoft Trojan.Generic.32461068 (B)
VIPRE Trojan.Generic.32461068
McAfee-GW-Edition RDN/Generic.dx
Trapmine malicious.high.ml.score
FireEye Generic.mg.0c9df67f152a727b
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious PE
GData Trojan.Generic.32461068
Jiangmin Trojan.Crampes.ds
MAX malware (ai score=88)
Antiy-AVL Trojan/Win32.Dynamer
Gridinsoft Trojan.Win32.Agent.cl
Arcabit Trojan.Generic.D1EF510C
ZoneAlarm HEUR:Trojan.Win32.Crampes.a
Microsoft Behavior:Win32/Nitol.gen!A
Google Detected
AhnLab-V3 Trojan/Win.Generic.R539958
Cylance Unsafe
TrendMicro-HouseCall TROJ_GEN.R002H07LA22
Tencent Win32.Trojan.FalseSign.Ltgl
Fortinet MalwThreat!E1E6IV
BitDefenderTheta Gen:NN.ZexaCO.36106.xC1@aOz3kuFi
AVG Win32:Evo-gen [Trj]
Panda Trj/CI.A