Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 9, 2023, 9:22 a.m.	June 9, 2023, 9:24 a.m.

Size	9.8MB
Type	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	`828dda50caa47e37c427142e216c373f`
SHA256	`54c7a21de074152b11a9aefb278508706176189c322c08fc2e56fec1a7f9169b`
CRC32	`B85EF1BF`
ssdeep	`98304:O+uYZVNKpE1d5eqjDiI5pmOl3AR6hfn47tYjr6uh+PTJtSUBzYXk4fTbZthsZbfH:OId5eqPthrr6uh+PTJtS3t0aZAFtiQMe`
Yara	IsPE64 - (no description) PE_Header_Zero - PE File Signature

Flow	SID	Signature	Category
TCP 192.168.56.102:49165 -> 172.67.34.170:443	906200068	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)	undefined
UDP 192.168.56.102:56630 -> 164.124.101.2:53	2027870	ET INFO Observed DNS Query to .world TLD	Potentially Bad Traffic
TCP 192.168.56.102:49167 -> 194.180.48.231:3333	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.102:49166 -> 188.165.24.131:80	2011341	ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection	A Network Trojan was detected
TCP 192.168.56.102:49166 -> 188.165.24.131:80	2035420	ET MALWARE Win32/Pripyat Activity (POST)	A Network Trojan was detected
TCP 192.168.56.102:49166 -> 188.165.24.131:80	2031189	ET HUNTING HTTP POST to XYZ TLD Containing Pass - Possible Phishing	Misc activity
TCP 192.168.56.102:49167 -> 194.180.48.231:3333	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.102:49165 172.67.34.170:443	None	None	None
TLS 1.3 192.168.56.102:49164 54.250.156.221:20128	None	None	None

suspicious_features

POST method with no referer header

suspicious_request

POST http://ppanel.freaktorrentz.xyz/x/y/z/WebPanel/api/endpoint.php

request

POST http://ppanel.freaktorrentz.xyz/x/y/z/WebPanel/api/endpoint.php

request

POST http://ppanel.freaktorrentz.xyz/x/y/z/WebPanel/api/endpoint.php

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 9, 2023, 9:23 a.m.	process_identifier: 3052 region_size: 159744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0	0

section

{u'size_of_data': u'0x009a2800', u'virtual_address': u'0x0001c000', u'entropy': 7.624603045348705, u'name': u'.data', u'virtual_size': u'0x009a26e0'}

entropy

7.62460304535

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0000e800', u'virtual_address': u'0x009cd000', u'entropy': 6.980505712685737, u'name': u'.rsrc', u'virtual_size': u'0x0000e640'}

entropy

6.98050571269

description

A section with a high entropy has been found

entropy

0.986285032797

description

Overall entropy of this PE file is high

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Barys.429302
K7GW	Trojan ( 005a508c1 )
K7AntiVirus	Trojan ( 005a508c1 )
Cyren	W64/Injector.BMR.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win64/GenKryptik.GIIA
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Variant.Barys.429302
Emsisoft	Gen:Variant.Barys.429302 (B)
VIPRE	Gen:Variant.Barys.429302
FireEye	Gen:Variant.Barys.429302
GData	Gen:Variant.Barys.429302
Arcabit	Trojan.Barys.D68CF6
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Google	Detected
AhnLab-V3	Trojan/Win.Generic.R571995
ALYac	Gen:Variant.Barys.429302
MAX	malware (ai score=86)
Rising	Trojan.DisguisedXMRigMiner!8.12EF7 (TFE:5:YhzrPCllRHI)
Ikarus	Trojan.Win64.Krypt
Fortinet	W64/GenKryptik.GIIA!tr

mobsync.exe