Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 17, 2023, 7:34 a.m.	Aug. 17, 2023, 7:36 a.m.

Size	175.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`67c418ee40a4edb8a5b232298234f4be`
SHA256	`24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1`
CRC32	`BCE51E9D`
ssdeep	`3072:Me8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gThwARE+WpCc:o6ewwIwQJ6vKX0c5MlYZ0b2K`
Yara	OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) Generic_Malware_Zero - Generic Malware

cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
504
- chcp.com chcp 65001
  1528
- netsh.exe netsh wlan show profile
  1864
- findstr.exe findstr All
  2708
cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
1332
- chcp.com chcp 65001
  2000
- netsh.exe netsh wlan show networks mode=bssid
  2772

Name	Response	Post-Analysis Lookup
apps.identrust.com	A 121.254.136.27 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net	23.67.53.17
icanhazip.com	A 104.18.114.97 A 104.18.115.97	104.18.114.97
api.mylnikov.org	A 172.67.196.114 A 104.21.44.66	172.67.196.114
api.telegram.org	A 149.154.167.220	149.154.167.220

IP Address	Status	Action
104.18.114.97	Active	Moloch
121.254.136.27	Active	Moloch
149.154.167.220	Active	Moloch
164.124.101.2	Active	Moloch
172.67.196.114	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://icanhazip.com/

Performs some HTTP requests (2 events)

request	GET http://icanhazip.com/
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c

Looks up the external IP address (1 event)

domain

icanhazip.com

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	chcp 65001
cmdline	netsh wlan show networks mode=bssid
cmdline	netsh wlan show profile

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)

Lionic	Trojan.Win32.Stealer.12!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
ALYac	Generic.Dacic.1E3438B6.A.43F93EE2
Malwarebytes	Generic.Malware.AI.DDS
Zillya	Trojan.Agent.Win32.2981387
Sangfor	Virus.Win32.Save.a
Alibaba	Backdoor:MSIL/AsyncRAT.5d077d10
Cybereason	malicious.e40a4e
VirIT	Trojan.Win32.MSIL_Heur.B
Cyren	W32/MSIL_Agent.BTI.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Agent.CFW
APEX	Malicious
ClamAV	Win.Packed.AsyncRAT-9856570-1
Kaspersky	HEUR:Trojan-PSW.MSIL.Stealer.gen
BitDefender	Generic.Dacic.1E3438B6.A.43F93EE2
ViRobot	Trojan.Win.Z.Dacic.179200.AC
MicroWorld-eScan	Generic.Dacic.1E3438B6.A.43F93EE2
Avast	Win32:KeyloggerX-gen [Trj]
Rising	Stealer.Agent!1.D483 (CLASSIC)
Emsisoft	Generic.Dacic.1E3438B6.A.43F93EE2 (B)
DrWeb	BackDoor.AsyncRATNET.3
VIPRE	Generic.Dacic.1E3438B6.A.43F93EE2
TrendMicro	Trojan.Win32.AMADEY.YXDHPZ
McAfee-GW-Edition	BehavesLike.Win32.Generic.cm
FireEye	Generic.mg.67c418ee40a4edb8
Sophos	Mal/AsyncRat-C
Ikarus	Trojan-Spy.StormKitty
GData	MSIL.Backdoor.DCRat.D
Jiangmin	Trojan.MSIL.amfgq
MAX	malware (ai score=80)
Antiy-AVL	Trojan[Backdoor]/MSIL.Crysan
Gridinsoft	Trojan.Win32.AsyncRAT.bot
Arcabit	Generic.Dacic.1E3438B6.A.43F93EE2
SUPERAntiSpyware	Trojan.Agent/Gen-Crypt
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Stealer.gen
Microsoft	Backdoor:MSIL/AsyncRAT.GG!MTB
Google	Detected
AhnLab-V3	Backdoor/Win.AsyncRAT.C4932402
Acronis	suspicious
McAfee	GenericRXVE-ZP!67C418EE40A4
TACHYON	Backdoor/W32.DN-Crysan.179200
VBA32	Trojan.MSIL.InfoStealer.gen.D
Cylance	unsafe
Panda	Trj/CI.A
TrendMicro-HouseCall	Trojan.Win32.AMADEY.YXDHPZ
Tencent	Malware.Win32.Gencirc.10bc9d0e
SentinelOne	Static AI - Malicious PE

zaliv.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All