Summary | ZeroBOX

x64.exe

PE64 PE File
Category: FILE
Machine: s1_win7_x6401
Started: July 31, 2023, 11:20 a.m.
Completed: July 31, 2023, 11:22 a.m.
Size 189.2KB
Type PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
MD5 79a0dbb12842319812690aebfd1ee580
SHA256 8949207761f3d09734aa716da1e6c182425bcde2a95dacb3320085f1fe66069c
CRC32 9C43FE11
ssdeep 3072:2Qt7BKF9SdAxgeu9s6Yq/XRwFwxsV3e67Ox9WiMx5WOX2aI663x13E9ixhuwS:2q78FAy3AsO/X4V3p7Oh2JPv6B1vXuwS
Yara
  • IsPE64 - (no description)
  • PE_Header_Zero - PE File Signature

DNS (Name / Response / Post-Analysis Lookup)
Name: group.pro-tokyo.top
Response: 23.254.204.173
Post-Analysis Lookup: (none)

Hosts (IP Address / Status / Action)
164.124.101.2  Active  Moloch
23.254.204.173  Active  Moloch

Suricata Alerts

Flow: UDP 192.168.56.101:59002 -> 164.124.101.2:53
SID: 2023883
Signature: ET DNS Query to a *.top domain - Likely Hostile
Category: Potentially Bad Traffic

Flow: TCP 192.168.56.101:49163 -> 23.254.204.173:80
SID: 2023882
Signature: ET INFO HTTP Request to a *.top domain
Category: Potentially Bad Traffic

Suricata TLS

No Suricata TLS

suspicious_features: POST method with no referer header
suspicious_request: POST http://group.pro-tokyo.top//OessGdJCJn9/Xeb_xP3CIw/biIFqxf4FK/HOJI1tTjNe/rw=
request: POST http://group.pro-tokyo.top//OessGdJCJn9/Xeb_xP3CIw/biIFqxf4FK/HOJI1tTjNe/rw=
request: POST http://group.pro-tokyo.top//OessGdJCJn9/Xeb_xP3CIw/biIFqxf4FK/HOJI1tTjNe/rw=
domain: group.pro-tokyo.top
description: Generic top level domain TLD
API calls (Time & API / Arguments / Status / Return / Repeated)

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 1900544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001f30000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
Status: 1  Return: 0  Repeated: 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002080000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
Status: 1  Return: 0  Repeated: 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 786432
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002970000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
Status: 1  Return: 0  Repeated: 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000029b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
Status: 1  Return: 0  Repeated: 0
section: name .text, virtual_address 0x00001000, virtual_size 0x0002e6e0, size_of_data 0x0002e800, entropy 7.689721827316404
description: A section with a high entropy has been found

entropy: 0.997319034853
description: Overall entropy of this PE file is high
Lionic Trojan.Win32.Donut.4!c
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
ALYac Generic.ShellCode.Donut.Marte.B.83A3C742
Cylance unsafe
Sangfor Hacktool.Win32.Sysdupate.Vz5q
Alibaba VirTool:Win32/Sysdupate.d1b91d3f
Cybereason malicious.daa81f
Cyren W64/ABRisk.IAVM-8711
Symantec ML.Attribute.HighConfidence
TrendMicro-HouseCall TROJ_GEN.R002H01GU23
Kaspersky UDS:Trojan.Win32.Agentb
BitDefender Generic.ShellCode.Donut.Marte.B.83A3C742
MicroWorld-eScan Generic.ShellCode.Donut.Marte.B.83A3C742
Avast Win32:Agent-BCVC [Trj]
Emsisoft Generic.ShellCode.Donut.Marte.B.83A3C742 (B)
DrWeb Trojan.DownLoader45.63576
VIPRE Generic.ShellCode.Donut.Marte.B.83A3C742
McAfee-GW-Edition BehavesLike.Win64.Glupteba.cc
Trapmine malicious.moderate.ml.score
FireEye Generic.mg.79a0dbb128423198
Sophos Mal/Generic-S
GData Generic.ShellCode.Donut.Marte.B.83A3C742
Avira TR/Redcap.euumj
Antiy-AVL HackTool[VirTool]/Win32.Sysdupate
Arcabit Generic.ShellCode.Donut.Marte.B.83A3C742
ZoneAlarm UDS:Trojan.Win32.Agentb
Microsoft VirTool:Win32/Sysdupate.gen!E
Google Detected
McAfee RDN/Generic.dx
MAX malware (ai score=86)
Malwarebytes Malware.AI.2990226395
APEX Malicious
Rising Hacktool.Sysdupate!8.123DD (CLOUD)
Fortinet W32/PossibleThreat
AVG Win32:Agent-BCVC [Trj]
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_100% (W)