Summary | ZeroBOX

@Base.exe

Tags: UPX, Malicious Library, OS Processor Check, PE64, PE File

Category FILE
Machine s1_win7_x6403_us
Started March 27, 2024, 7:28 a.m.
Completed March 27, 2024, 7:30 a.m.
Size 1.6MB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 9437c89a5f9a51a4ff6d6076083fa6c9
SHA256 0e730f4daa303f419756a2a4da7ae96e583984ba1912abdc228b47a7fbc2ad7f
CRC32 864A5830
ssdeep 12288:Mk9eNPHnvN2o2Gwka9G/aFoy2d5iTWjxUPIaC:MKMPHnvN2hG/aEaFop5
Yara
  • IsPE64 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

Hosts (Name / Response / Post-Analysis Lookup): No hosts contacted.

IP Address: 147.124.220.237
Status: Active
Action: Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

Flow / Issuer / Subject / Fingerprint

TLS 1.2, 192.168.56.103:49162 -> 147.124.220.237:8123
Issuer: C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=147.124.220.237: Self-signed certificate
Subject: C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=147.124.220.237: Self-signed certificate
Fingerprint: 0c:cb:8b:7a:7e:9c:d6:98:e2:f4:4a:b9:4b:d4:bb:cd:77:d6:5c:e0

TLS 1.2, 192.168.56.103:49164 -> 147.124.220.237:8123
Issuer: C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=147.124.220.237: Self-signed certificate
Subject: C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=147.124.220.237: Self-signed certificate
Fingerprint: 0c:cb:8b:7a:7e:9c:d6:98:e2:f4:4a:b9:4b:d4:bb:cd:77:d6:5c:e0

TLS 1.2, 192.168.56.103:49165 -> 147.124.220.237:8123
Issuer: C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=147.124.220.237: Self-signed certificate
Subject: C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=147.124.220.237: Self-signed certificate
Fingerprint: 0c:cb:8b:7a:7e:9c:d6:98:e2:f4:4a:b9:4b:d4:bb:cd:77:d6:5c:e0

section _RDATA
Time & API / Arguments / Status / Return / Repeated

NtAllocateVirtualMemory
process_identifier: 508
region_size: 638976
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000630000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
Status: 1, Return: 0, Repeated: 0

NtProtectVirtualMemory
process_identifier: 508
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 65536
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000039d0000
process_handle: 0xffffffffffffffff
Status: 1, Return: 0, Repeated: 0

NtProtectVirtualMemory
process_identifier: 508
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4128768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000039e0000
process_handle: 0xffffffffffffffff
Status: 1, Return: 0, Repeated: 0

host 147.124.220.237
Bkav W32.Common.48C7B81C
Lionic Trojan.Win32.Kryplod.4!c
Elastic malicious (high confidence)
Cynet Malicious (score: 99)
ALYac Trojan.Generic.35325343
Cylance unsafe
VIPRE Trojan.Generic.35325343
Sangfor Trojan.Win64.Rhadamanthys.V161
BitDefender Trojan.Generic.35325343
Arcabit Trojan.Generic.D21B059F
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win64/Kryptik.EHI
APEX Malicious
Avast Win64:PWSX-gen [Trj]
Kaspersky Trojan.Win64.Kryplod.bwpd
Alibaba Trojan:Win64/Rhadamanthys.b65760c0
MicroWorld-eScan Trojan.Generic.35325343
Rising Trojan.ShellCodeRunner!1.F7B6 (CLASSIC)
Emsisoft Trojan.Generic.35325343 (B)
F-Secure Trojan.TR/AD.Nekark.neafk
DrWeb Trojan.PWS.Siggen3.36585
Zillya Trojan.Inject.Win32.346111
TrendMicro TROJ_FRS.0NA104CC24
FireEye Generic.mg.9437c89a5f9a51a4
Sophos Mal/Generic-S
Ikarus Trojan.Win64.Crypt
Google Detected
Avira TR/AD.Nekark.neafk
MAX malware (ai score=85)
Antiy-AVL Trojan[PSW]/Win32.Rhadamanthys
Kingsoft Win32.Troj.Unknown.a
Microsoft Trojan:Win64/Rhadamanthys.GXZ!MTB
ZoneAlarm Trojan.Win64.Kryplod.bwpd
GData Trojan.Generic.35325343
Varist W64/ABRisk.LBWU-9141
AhnLab-V3 Trojan/Win.Malware-gen.R637934
DeepInstinct MALICIOUS
Malwarebytes Spyware.PasswordStealer
Panda Trj/Chgt.AD
TrendMicro-HouseCall TROJ_FRS.0NA104CC24
Tencent Malware.Win32.Gencirc.10bfb819
MaxSecure Trojan.Malware.236628121.susgen
Fortinet W32/PossibleThreat
AVG Win64:PWSX-gen [Trj]
CrowdStrike win/malicious_confidence_100% (W)
alibabacloud Trojan:Win/Kryplod.bwpd