Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 2, 2023, 8:57 a.m.	April 2, 2023, 9:02 a.m.

Size	3.9MB
Type	PE32+ executable (console) x86-64, for MS Windows
MD5	`a04a12bd76283170bc83848686e4f946`
SHA256	`13d6361137c3e50b65f6e7385e44e2a5bbcb435aea861112953579ec2230fd44`
CRC32	`E65E9FEC`
ssdeep	`98304:vT72zCNeI+sjbIBNmJ1t2WJ8BJXzN9Bhvu4:vPb+sjbIXgUJXzN9Bhvu4`
PDB Path	C:\Users\Admin\source\repos\dropper_my\x64\Release\dropper_my.pdb
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library OS_Processor_Check_Zero - OS Processor Check IsPE64 - (no description) PE_Header_Zero - PE File Signature

updater.exe "C:\Users\test22\AppData\Local\Temp\updater.exe"
840
- Provide.exe "C:\Users\Public\Videos\Provide.exe"
  2132

Name	Response	Post-Analysis Lookup
pool.hashvault.pro	A 131.153.76.130 A 125.253.92.50	125.253.92.50
xmr.2miners.com	A 162.19.139.184	162.19.139.184

IP Address	Status	Action
131.153.76.130	Active	Moloch
162.19.139.184	Active	Moloch
164.124.101.2	Active	Moloch
77.91.78.143	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2036289	ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)	Crypto Currency Mining Activity Detected
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2040353	ET INFO Observed DNS Query to Cryptocurrency Mining Pool Domain (xmr .2miners .com)	Crypto Currency Mining Activity Detected
TCP 192.168.56.103:49167 -> 77.91.78.143:80	2035420	ET MALWARE Win32/Pripyat Activity (POST)	A Network Trojan was detected
TCP 192.168.56.103:49169 -> 77.91.78.143:80	2035420	ET MALWARE Win32/Pripyat Activity (POST)	A Network Trojan was detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.103:49164 131.153.76.130:443	None	None	None
TLS 1.3 192.168.56.103:49168 162.19.139.184:12222	None	None	None

This executable has a PDB path (1 event)

pdb_path

C:\Users\Admin\source\repos\dropper_my\x64\Release\dropper_my.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.00cfg
section	_RDATA

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://77.91.78.143/index.php?page=configurations&id=1
suspicious_features	Connection to IP address	suspicious_request	GET http://77.91.78.143login.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://77.91.78.143/api/endpoint.php

Performs some HTTP requests (3 events)

request	GET http://77.91.78.143/index.php?page=configurations&id=1
request	GET http://77.91.78.143login.php
request	POST http://77.91.78.143/api/endpoint.php

Sends data using the HTTP POST Method (1 event)

request

POST http://77.91.78.143/api/endpoint.php

Creates executable files on the filesystem (1 event)

file	C:\Users\Public\Videos\Provide.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW April 2, 2023, 8:50 a.m.	show_type: 0 filepath_r: C:\Users\Public\Videos\Provide.exe parameters: filepath: C:\Users\Public\Videos\Provide.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x003b3000', u'virtual_address': u'0x00036000', u'entropy': 7.997305020077126, u'name': u'.data', u'virtual_size': u'0x003b47a8'}

entropy

7.99730502008

description

A section with a high entropy has been found

entropy

0.944756204015

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

77.91.78.143

Drops a binary and executes it (1 event)

file	C:\Users\Public\Videos\Provide.exe

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Lionic	Trojan.Win32.Agent.Y!c
MicroWorld-eScan	Trojan.GenericKD.66186725
FireEye	Trojan.GenericKD.66186725
Cylance	unsafe
CrowdStrike	win/malicious_confidence_90% (W)
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of Win64/TrojanDropper.Agent.GW
Cynet	Malicious (score: 100)
Paloalto	generic.ml
Kaspersky	Trojan.Win32.Agent.xavjgw
BitDefender	Trojan.GenericKD.66186725
Avast	Win64:Trojan-gen
Emsisoft	Trojan.GenericKD.66186725 (B)
F-Secure	Trojan.TR/Crypt.EPACK.Gen2
McAfee-GW-Edition	BehavesLike.Win64.Generic.wc
Trapmine	malicious.high.ml.score
Sophos	Generic Reputation PUA (PUA)
Ikarus	Trojan-Dropper.Win64.Agent
Avira	TR/Crypt.EPACK.Gen2
Antiy-AVL	Trojan/Win32.Wacatac
Microsoft	Trojan:Win32/Wacatac.B!ml
Gridinsoft	Trojan.Win64.Gen.bot
Arcabit	Trojan.Generic.D3F1EDE5
ZoneAlarm	Trojan.Win32.Agent.xavjgw
GData	Trojan.GenericKD.66186725
Google	Detected
McAfee	Artemis!A04A12BD7628
MAX	malware (ai score=86)
Malwarebytes	Generic.Malware/Suspicious
Rising	Dropper.Agent!8.2F (CLOUD)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/PossibleThreat
AVG	Win64:Trojan-gen

updater.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All