Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 12, 2023, 7:33 a.m.	July 12, 2023, 7:40 a.m.

Size	117.0KB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`10adfd55d2fe1b14553f911adc389e89`
SHA256	`a1e9ac36f287a51c929becd38de41a536962e7f1c1ef3e954eeb5da0101bd7a3`
CRC32	`49A360D8`
ssdeep	`3072:ceImo5mf7mNlQw2+IvEuyrAAmU9JpdaNKNezb629Tf6O+BUnfvg0I0IM07V4Qr/c:ceGxMUbdqgw`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

Name	Response	Post-Analysis Lookup
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.135.233

IP Address	Status	Action
162.159.134.233	Active	Moloch
164.124.101.2	Active	Moloch

Flow	SID	Signature	Category
TCP 192.168.56.101:49161 -> 162.159.134.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.101:49161 -> 162.159.134.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49161 -> 162.159.134.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.101:49161 -> 162.159.134.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2035466	ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)	Misc activity
TCP 192.168.56.101:49161 -> 162.159.134.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 12, 2023, 7:33 a.m.			0	0

Time & API	Arguments	Status	Return	Repeated
__exception__ July 12, 2023, 7:33 a.m.	stacktrace: yodo_fake+0x6bcb @ 0xd86bcb yodo_fake+0x8f39 @ 0xd88f39 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 0f b7 48 16 81 e1 00 20 00 00 75 13 8b 55 f8 0f exception.symbol: yodo_fake+0x130b exception.instruction: movzx ecx, word ptr [eax + 0x16] exception.module: YoDo_Fake.exe exception.exception_code: 0xc0000005 exception.offset: 4875 exception.address: 0xd8130b registers.esp: 3864216 registers.edi: 4520760 registers.eax: 2152072718 registers.ebp: 3864324 registers.edx: 2152072718 registers.ebx: 2130567168 registers.esi: 4513424 registers.ecx: 4556736	1	0	0

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Coins.4!c
Elastic	malicious (high confidence)
McAfee	Artemis!10ADFD55D2FE
Sangfor	Trojan.Win32.Save.a
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/TrojanDownloader.Agent.HAS
APEX	Malicious
Kaspersky	HEUR:Trojan-PSW.Win32.Coins.gen
Avast	Win32:PWSX-gen [Trj]
TrendMicro	Trojan.Win32.AMADEY.YXDGKZ
McAfee-GW-Edition	Artemis!Trojan
FireEye	Generic.mg.10adfd55d2fe1b14
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Webroot	W32.Coins.Gen
Gridinsoft	Malware.Win32.Downloader.cc
Microsoft	Trojan:Win32/SpywareX.CRDB!MTB
ZoneAlarm	HEUR:Trojan-PSW.Win32.Coins.gen
Google	Detected
Acronis	suspicious
BitDefenderTheta	Gen:NN.ZexaF.36302.hqW@aG9InDn
VBA32	BScope.Trojan-Dropper.Injector
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Trojan.Win32.AMADEY.YXDGKZ
Rising	Trojan.Generic@AI.100 (RDML:IMGCJz7UY6UvSH03hyjlYA)
Ikarus	Win32.Outbreak
Fortinet	W32/PossibleThreat
AVG	Win32:PWSX-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

YoDo_Fake.exe