Summary | ZeroBOX

xBqAmJwby407.exe

.NET framework(MSIL) UPX Malicious Packer PE File PE32 .NET EXE
Category FILE
Machine s1_win7_x6401
Started Oct. 3, 2023, 7:40 p.m.
Completed Oct. 3, 2023, 7:42 p.m.
Size 348.0KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 578656857a68dc5dbb566cbf23865afa
SHA256 d8fadff5429d00e94828f23f7549ceacfce82d0d59947b2b77b45937ad2db363
CRC32 BD184EDC
ssdeep 6144:K2NHXf500M0nNcxsTeka6qb/ZOfCbusWrLhmjr3O:pd50ENcxsJiZDUrLhmjjO
Yara
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Is_DotNET_EXE - (no description)
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult
  • Malicious_Packer_Zero - Malicious Packer

IP Address Status Action
164.124.101.2 Active Moloch
2.59.254.111 Active Moloch
208.95.112.1 Active Moloch

Suricata Alerts

Flow | SID | Signature | Category
UDP 192.168.56.101:54148 -> 164.124.101.2:53 | 2034458 | ET INFO Observed DNS Query to DynDNS Domain (linkpc .net) | Potentially Bad Traffic
TCP 192.168.56.101:49163 -> 208.95.112.1:80 | 2036383 | ET MALWARE Common RAT Connectivity Check Observed | A Network Trojan was detected
TCP 192.168.56.101:49163 -> 208.95.112.1:80 | 2022082 | ET POLICY External IP Lookup ip-api.com | Device Retrieving External IP Address Detected

Suricata TLS

No Suricata TLS

domain crazydns.linkpc.net
request GET http://ip-api.com/json/
domain ip-api.com
Lionic Trojan.MSIL.Agent.mCnJ
Elastic Windows.Trojan.Quasarrat
MicroWorld-eScan Generic.MSIL.PasswordStealerA.071BB1CD
FireEye Generic.mg.578656857a68dc5d
McAfee PWS-FCOI!578656857A68
Cylance unsafe
VIPRE Generic.MSIL.PasswordStealerA.071BB1CD
Sangfor Suspicious.Win32.Save.a
K7AntiVirus Trojan ( 00521dab1 )
Alibaba Backdoor:MSIL/Quasar.e7e22a26
K7GW Trojan ( 00521dab1 )
Cybereason malicious.7deb1f
Arcabit Generic.MSIL.PasswordStealerA.071BB1CD
BitDefenderTheta Gen:NN.ZemsilF.36738.vm0@aO78wzc
VirIT Trojan.Win32.MSIL_Heur.B
Cyren W32/MSIL_Mintluks.A.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/Spy.Agent.AES
Cynet Malicious (score: 100)
APEX Malicious
ClamAV Win.Packed.Generic-9829635-0
Kaspersky Trojan.MSIL.Agent.foww
BitDefender Generic.MSIL.PasswordStealerA.071BB1CD
NANO-Antivirus Trojan.Win32.Agent.elofqr
SUPERAntiSpyware Trojan.Agent/Gen-PasswordStealer
Avast MSIL:Rat-B [Trj]
Tencent Trojan.Msil.Agent.zc
Sophos ATK/Zaquar-D
F-Secure Trojan:w32/QuasarRAT.A1
DrWeb Trojan.DownLoader27.59888
Zillya Trojan.Agent.Win32.1088950
TrendMicro TSPY_TINCLEX.SM1
McAfee-GW-Edition BehavesLike.Win32.Generic.fh
Trapmine suspicious.low.ml.score
Emsisoft Generic.MSIL.PasswordStealerA.071BB1CD (B)
Ikarus Trojan.MSIL.Agent
Jiangmin Trojan.Generic.ajfvk
Webroot W32.Malware.Gen
Avira HEUR/AGEN.1307329
Antiy-AVL Trojan/MSIL.Agent
Kingsoft malware.kb.c.1000
Gridinsoft Backdoor.Win32.Quasar.bot
Microsoft Backdoor:MSIL/Quasar.GG!MTB
ViRobot Trojan.Win.Z.Agent.356352.RI
ZoneAlarm Trojan.MSIL.Agent.foww
GData MSIL.Backdoor.Quasar.D
Google Detected
AhnLab-V3 Trojan/Win32.Subti.R285137
VBA32 Trojan.MSIL.Quasar.Heur
MAX malware (ai score=88)