Summary | ZeroBOX

Avast.exe

PE64 PE File

Category:   FILE
Machine:    s1_win7_x6403_us
Started:    Aug. 8, 2023, 9:27 a.m.
Completed:  Aug. 8, 2023, 9:29 a.m.
Size:       10.0MB
Type:       PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5:        7735f97175abb2da0cfce029d211dc66
SHA256:     f973483d000cc45314d1d5df0b6f6f84d06421d4aea1988bfeb04e025aa2c2fc
CRC32:      D36F3695
ssdeep:     98304:IyZY8x15pS6O7Q1Oaw50T7NxVcNPx60hinhP9D1AJrix7JDg:IsbuQ1BwqJxVY560hQ5Wyls
Yara
  • IsPE64 - (no description)
  • PE_Header_Zero - PE File Signature

IP Address       Status
141.94.96.144    Active
141.94.96.195    Active
164.124.101.2    Active
51.77.140.74     Active

Suricata Alerts

Flow                                           SID      Signature                                                 Category
TCP 192.168.56.103:49164 -> 51.77.140.74:80    2044697  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M3  A Network Trojan was detected
TCP 192.168.56.103:49166 -> 51.77.140.74:80    2035420  ET MALWARE Win32/Pripyat Activity (POST)                  A Network Trojan was detected

Both alerts fire on the plain-HTTP POSTs to 51.77.140.74 that appear under the signature results below; the two SIDs attribute the same check-in traffic to two loader families (Amadey and Pripyat), so the rule names are a lead for family classification, not a final verdict.

Suricata TLS

TLS 1.2  192.168.56.103:49163 -> 141.94.96.195:9000
  Issuer:       C=IT, ST=Pool, L=Daemon, O=Mining Pool, CN=mining.pool
  Subject:      C=IT, ST=Pool, L=Daemon, O=Mining Pool, CN=mining.pool
  Fingerprint:  53:ae:f7:96:12:17:eb:ad:26:1e:d7:46:d6:47:0b:e6:80:80:7b:02 (SHA-1)

TLS 1.2  192.168.56.103:49165 -> 141.94.96.144:9000
  Issuer:       C=IT, ST=Pool, L=Daemon, O=Mining Pool, CN=mining.pool
  Subject:      C=IT, ST=Pool, L=Daemon, O=Mining Pool, CN=mining.pool
  Fingerprint:  d4:50:34:fd:7a:42:9b:53:4c:cb:38:ba:60:08:f3:a1:e1:df:f0:10 (SHA-1)

Issuer and subject are identical on both certificates, so they are self-signed, and both servers are reached on port 9000 rather than 443. The CN=mining.pool subject together with the Microsoft detection name Trojan:Win32/Xmrig!ic below is consistent with a cryptominer talking to its pool over TLS. The two SHA-1 fingerprints and the two 141.94.96.x addresses are the indicators worth pivoting on, since the certificate subject itself is generic.

Signatures

suspicious_features   POST method with no referer header, Connection to IP address
suspicious_request    POST http://51.77.140.74/api/endpoint.php
request               POST http://51.77.140.74/api/endpoint.php
request               POST http://51.77.140.74/api/endpoint.php
Time & API                Arguments                                   Status  Return  Repeated
NtAllocateVirtualMemory   process_identifier: 884                     1       0       0
                          region_size: 159744
                          stack_dep_bypass: 0
                          stack_pivoted: 0
                          heap_dep_bypass: 0
                          protection: 64 (PAGE_EXECUTE_READWRITE)
                          base_address: 0x0000000000630000
                          allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
                          process_handle: 0xffffffffffffffff

process_handle 0xffffffffffffffff is the current-process pseudo-handle ((HANDLE)-1), so the sample committed a 159744-byte (0x27000) region at 0x630000 in its own address space that is writable and executable at the same time. Legitimate code almost never needs PAGE_EXECUTE_READWRITE; this is the pattern of an in-process unpacker writing a decrypted stage into fresh memory and then jumping to it.
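The record above gives protection and allocation_type as raw integers. The script below is an added example written for this page (not ZeroBOX or Cuckoo code): it parses a record in the same key/value shape, decodes the bitmasks with the winnt.h constants, and flags the combination a practitioner treats as an unpacking or injection staging area, namely writable+executable memory committed in the calling process itself. The two records are constructed for the example; the first mirrors the report's values, the second is a benign read/write commit for contrast.

```python
"""Decode and triage sandbox NtAllocateVirtualMemory records (added example;
helper code written for this page, not ZeroBOX or Cuckoo code)."""
from typing import Dict, List, Union

# winnt.h memory protection constants: the low byte holds exactly one of these
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# modifier bits that may be OR-ed onto the base protection
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
ALLOCATION_TYPES = {
    0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
    0x100000: "MEM_TOP_DOWN", 0x400000: "MEM_PHYSICAL", 0x20000000: "MEM_LARGE_PAGES",
}
WRITABLE_EXECUTABLE = {0x40, 0x80}                     # RWX and execute+writecopy
CURRENT_PROCESS = {0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF}     # (HANDLE)-1 on 32- and 64-bit


def decode_protection(value: int) -> List[str]:
    """Name the base protection plus any modifier bits that are set."""
    base = value & 0xFF
    names = [PAGE_PROTECTION.get(base, "UNKNOWN(0x%x)" % base)]
    names += [n for bit, n in PAGE_MODIFIERS.items() if value & bit]
    return names


def decode_allocation_type(value: int) -> List[str]:
    return [n for bit, n in ALLOCATION_TYPES.items() if value & bit]


def parse_record(text: str) -> Dict[str, int]:
    """Parse 'key: value' lines; a value like '64 (PAGE_EXECUTE_READWRITE)' keeps
    only its leading number, and int(token, 0) accepts decimal and 0x hex alike."""
    args = {}
    for line in text.strip().splitlines():
        key, _, rest = line.partition(":")
        args[key.strip()] = int(rest.strip().split()[0], 0)
    return args


def triage(args: Dict[str, int]) -> Dict[str, Union[str, bool, int, List[str]]]:
    """Rate one allocation: RWX pages that are already committed in the caller's
    own process are the strongest signal; RWX reserved-only is worth a watch."""
    prot = args.get("protection", 0)
    alloc = args.get("allocation_type", 0)
    rwx = (prot & 0xFF) in WRITABLE_EXECUTABLE
    committed = bool(alloc & 0x1000)
    own_process = args.get("process_handle") in CURRENT_PROCESS
    if rwx and committed:
        severity = "high"
    elif rwx:
        severity = "medium"
    else:
        severity = "info"
    return {
        "protection": decode_protection(prot),
        "allocation_type": decode_allocation_type(alloc),
        "rwx": rwx, "committed": committed, "own_process": own_process,
        "region_size": args.get("region_size", 0),
        "severity": severity,
    }


# Constructed sample records (not copied from a live trace)
RECORD_RWX = """
process_identifier: 884
region_size: 159744
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000630000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
"""
RECORD_RW = """
process_identifier: 884
region_size: 4096
protection: 4 (PAGE_READWRITE)
base_address: 0x0000000000640000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
"""

if __name__ == "__main__":
    for rec in (RECORD_RWX, RECORD_RW):
        print(triage(parse_record(rec)))
```

A remote process handle (anything other than -1) with the same RWX commit would point at injection into another process rather than self-unpacking, which is why the handle is kept as a separate field in the verdict.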
section   .data: virtual_address 0x00020000, virtual_size 0x009c6e00, size_of_data 0x009c6e00, entropy 7.6096   A section with a high entropy has been found
entropy   0.9803   Overall entropy of this PE file is high
host      51.77.140.74

The .data section's 0x9c6e00 bytes (about 9.8 MiB) account for almost the entire 10.0MB file, and its entropy of 7.61 bits per byte is close to the 8.0 maximum, so the section holds compressed or encrypted data rather than ordinary initialised variables. Together with the RWX allocation above this indicates a packed sample whose real payload is unpacked at runtime, which matches the Kryptik, Packed and Injector family names in the vendor results below.
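To reproduce this kind of section check without depending on pefile, the following added example (written for this page, not ZeroBOX or Cuckoo code) walks the PE headers with struct, computes each section's Shannon entropy in bits per byte and reports the fraction of section bytes that sit in high-entropy sections. The 7.0 threshold is an assumption, and the fraction is this script's own metric, not necessarily the formula behind the report's 0.98 figure. The PE32+ image is constructed in memory so the check runs offline; it is not the analysed sample.

```python
"""Per-section entropy check for a PE file using only the standard library
(added example; written for this page, not ZeroBOX or Cuckoo code)."""
import hashlib
import math
import struct
from collections import Counter
from typing import Dict

HIGH_ENTROPY_THRESHOLD = 7.0       # assumed cut-off; plain code and data rarely exceed ~6.5
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32PLUS_MAGIC = 0x20B


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes) -> Dict:
    """DOS header -> PE signature -> COFF header -> optional-header magic -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    opt_off = e_lfanew + 24                      # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt_off)[0]
    table = opt_off + opt_size                   # section headers follow the optional header
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr, "virtual_size": vsize,
                         "size_of_data": rsize, "raw": image[rptr:rptr + rsize]})
    return {"machine": machine, "is_pe64": magic == PE32PLUS_MAGIC, "sections": sections}


def analyze(image: bytes, threshold: float = HIGH_ENTROPY_THRESHOLD) -> Dict:
    """Score every section and the share of raw section bytes in flagged sections."""
    info = parse_sections(image)
    total = flagged_bytes = 0
    for s in info["sections"]:
        s["entropy"] = shannon_entropy(s.pop("raw"))
        s["flagged"] = s["entropy"] >= threshold
        total += s["size_of_data"]
        if s["flagged"]:
            flagged_bytes += s["size_of_data"]
    info["high_entropy_fraction"] = flagged_bytes / total if total else 0.0
    return info


def _pseudo_random(n: int, seed: bytes = b"entropy-example") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for a packed payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_pe() -> bytes:
    """Constructed minimal PE32+: a low-entropy .text and a high-entropy .data section."""
    text = b"\x90\xC3" * 256                      # 512 bytes of NOP/RET pairs: entropy exactly 1.0
    data = _pseudo_random(0x1000)                 # 4096 pseudo-random bytes: entropy close to 8.0

    def section(name, vaddr, rptr, payload, chars):
        return struct.pack("<8sIIIIIIHHI", name, len(payload), vaddr, len(payload), rptr,
                           0, 0, 0, 0, chars)

    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80) + b"\0" * 0x40   # e_lfanew = 0x80
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 2, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<H", PE32PLUS_MAGIC) + b"\0" * 238                  # 240-byte PE32+ optional header
    hdr = (dos + b"PE\0\0" + coff + opt
           + section(b".text", 0x1000, 0x200, text, 0x60000020)
           + section(b".data", 0x2000, 0x400, data, 0xC0000040))
    return hdr + b"\0" * (0x200 - len(hdr)) + text + data


if __name__ == "__main__":
    result = analyze(build_sample_pe())
    print("PE64:", result["is_pe64"], "machine: 0x%x" % result["machine"])
    for s in result["sections"]:
        print("%-8s size 0x%x entropy %.4f %s" % (s["name"], s["size_of_data"], s["entropy"],
                                                   "HIGH" if s["flagged"] else ""))
    print("fraction of section bytes in high-entropy sections: %.4f" % result["high_entropy_fraction"])
```

Run against a real file with analyze(open(path, "rb").read()); a single section near 8.0 that dominates the file, as .data does in this report, is the signature of a packer, while a high value spread across .rsrc only usually just means embedded compressed resources.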
Antivirus

Vendor                 Detection
Lionic                 Trojan.Win32.Injector.4!c
MicroWorld-eScan       Gen:Heur.Molotov.IM.39.90
ClamAV                 Win.Packed.Tedy-10005655-0
FireEye                Gen:Heur.Molotov.IM.39.90
McAfee                 Artemis!7735F97175AB
Malwarebytes           Crypt.Trojan.MSIL.DDS
Sangfor                Trojan.Win64.Kryptik.V0r5
K7AntiVirus            Trojan ( 005a508c1 )
Alibaba                Trojan:Win64/GenKryptik.791c9bea
K7GW                   Trojan ( 005a508c1 )
Cybereason             malicious.759e47
Arcabit                Trojan.Molotov.IM.39.90
Cyren                  W64/Injector.BMR.gen!Eldorado
Symantec               ML.Attribute.HighConfidence
Elastic                malicious (high confidence)
ESET-NOD32             a variant of Win64/GenKryptik.GIIA
Cynet                  Malicious (score: 99)
Kaspersky              Trojan.Win64.Reflo.cxq
BitDefender            Gen:Heur.Molotov.IM.39.90
Avast                  Win64:Evo-gen [Trj]
Tencent                Malware.Win32.Gencirc.13eb791b
Sophos                 Mal/Generic-S
F-Secure               Trojan.TR/AD.Nekark.ziplm
DrWeb                  Trojan.PWS.Siggen3.24856
VIPRE                  Gen:Heur.Molotov.IM.39.90
TrendMicro             TROJ_GEN.R002C0DH123
McAfee-GW-Edition      Artemis!Trojan
Emsisoft               Gen:Heur.Molotov.IM.39.90 (B)
Ikarus                 Trojan.Win64.Krypt
Avira                  TR/AD.Nekark.ziplm
Antiy-AVL              Trojan/Win64.GenKryptik
Microsoft              Trojan:Win32/Xmrig!ic
ZoneAlarm              Trojan.Win64.Reflo.cxq
GData                  Gen:Heur.Molotov.IM.39.90
Google                 Detected
AhnLab-V3              Trojan/Win.Generic.R570072
ALYac                  Gen:Heur.Molotov.IM.39.90
MAX                    malware (ai score=82)
Cylance                unsafe
Panda                  Trj/CI.A
TrendMicro-HouseCall   TROJ_GEN.R002C0DH123
Rising                 Trojan.Kryptik!8.8 (TFE:5:tSjl4DNY5BP)
Fortinet               W64/GenKryptik.GIIA!tr
AVG                    Win64:Evo-gen [Trj]
DeepInstinct           MALICIOUS
CrowdStrike            win/malicious_confidence_60% (W)