Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 19, 2023, 9:53 a.m.	Oct. 19, 2023, 9:55 a.m.

Size	348.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`bf88f41d1be46f0855345b4b74beb44f`
SHA256	`0aa2b99b072736a522905c80505e8bfb45f545ee4d4f5a2fc02fb8f163b44225`
CRC32	`A1E69C6E`
ssdeep	`6144:q2NHXf500M8oLdbUljPPpbxkL5K/qq2sus7vpdCoK:Jd507dbUlLjkkuNstdbK`
Yara	UPX_Zero - UPX packed file Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature IsPE32 - (no description) Is_DotNET_EXE - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

Name	Response	Post-Analysis Lookup
ip-api.com	A 208.95.112.1	208.95.112.1
berlinqua.duckdns.org	A 179.13.0.48	179.13.0.48

IP Address	Status	Action
164.124.101.2	Active	Moloch
179.13.0.48	Active	Moloch
208.95.112.1	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49162 -> 208.95.112.1:80	2036383	ET MALWARE Common RAT Connectivity Check Observed	A Network Trojan was detected
TCP 192.168.56.102:49162 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
UDP 192.168.56.102:62846 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.102:62846 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity

Suricata TLS

No Suricata TLS

Connects to a Dynamic DNS Domain (1 event)

domain

berlinqua.duckdns.org

Performs some HTTP requests (1 event)

request

GET http://ip-api.com/json/

Looks up the external IP address (1 event)

domain

ip-api.com

File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 events)

MicroWorld-eScan	Generic.MSIL.PasswordStealerA.08D5DF4D
FireEye	Generic.mg.bf88f41d1be46f08
Skyhigh	BehavesLike.Win32.Generic.fh
McAfee	PWS-FCOI!BF88F41D1BE4
Cylance	unsafe
VIPRE	Generic.MSIL.PasswordStealerA.08D5DF4D
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 00521dab1 )
K7GW	Trojan ( 00521dab1 )
Cybereason	malicious.e17811
Arcabit	Generic.MSIL.PasswordStealerA.08D5DF4D
VirIT	Trojan.Win32.MSIL_Heur.B
Symantec	ML.Attribute.HighConfidence
Elastic	Windows.Trojan.Quasarrat
ESET-NOD32	a variant of MSIL/Spy.Agent.AES
Cynet	Malicious (score: 100)
APEX	Malicious
ClamAV	Win.Packed.Generic-9829635-0
Kaspersky	Trojan.MSIL.Agent.foww
BitDefender	Generic.MSIL.PasswordStealerA.08D5DF4D
SUPERAntiSpyware	Trojan.Agent/Gen-PasswordStealer
Avast	MSIL:Rat-B [Trj]
Tencent	Trojan.Msil.Agent.zc
Emsisoft	Generic.MSIL.PasswordStealerA.08D5DF4D (B)
F-Secure	Trojan:w32/QuasarRAT.A1
DrWeb	Trojan.DownLoader27.59888
Zillya	Trojan.Agent.Win32.1090480
TrendMicro	TSPY_TINCLEX.SM1
Trapmine	malicious.moderate.ml.score
Sophos	ATK/Zaquar-D
Ikarus	Trojan.MSIL.Agent
Jiangmin	Trojan.Generic.ajfvk
Webroot	W32.Malware.Gen
Varist	W32/MSIL_Mintluks.A.gen!Eldorado
Avira	HEUR/AGEN.1307329
Antiy-AVL	Trojan/MSIL.Agent
Microsoft	Backdoor:MSIL/Quasar.GG!MTB
ZoneAlarm	Trojan.MSIL.Agent.foww
GData	MSIL.Backdoor.Quasar.D
Google	Detected
AhnLab-V3	Trojan/Win32.Subti.R285137
BitDefenderTheta	Gen:NN.ZemsilF.36738.vm0@aiGxjab
ALYac	Generic.MSIL.PasswordStealerA.08D5DF4D
MAX	malware (ai score=84)
VBA32	Trojan.MSIL.Quasar.Heur
Malwarebytes	Generic.Malware.AI.DDS
TrendMicro-HouseCall	TSPY_TINCLEX.SM1
Rising	Backdoor.xRAT!1.D01D (CLASSIC)
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen

bQJU.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All