Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 29, 2024, 9:32 a.m.	March 29, 2024, 9:36 a.m.

Size	473.0KB
Type	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`76df4a59b141eb56536805aa8c597c24`
SHA256	`dadff5f7199fd06f151dc1808c6a3e3a45447d19eb4f5639e47fe2f24cfd3b84`
CRC32	`4AA4910A`
ssdeep	`12288:eT1gXSplyLVb3UAE5oRIOhsqnHzDJzeoXRj1JVT:y1gXYlgID5oRhH9eW`
PDB Path	Reboot.pdb
Yara	Craxs_RAT - Craxs RAT PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

appdata.exe "C:\Users\test22\AppData\Local\Temp\appdata.exe"
660

Name	Response	Post-Analysis Lookup
muzigor.net
muzmix.net

IP Address	Status	Action
103.130.216.153	Active	Moloch
103.180.163.202	Active	Moloch
103.241.192.11	Active	Moloch
103.82.23.11	Active	Moloch
108.163.147.62	Active	Moloch
134.0.9.202	Active	Moloch
144.76.62.230	Active	Moloch
148.72.70.150	Active	Moloch
150.95.115.130	Active	Moloch
154.49.142.244	Active	Moloch
154.56.47.107	Active	Moloch
154.56.47.11	Active	Moloch
154.56.47.99	Active	Moloch
172.67.137.14	Active	Moloch
172.67.184.164	Active	Moloch
172.67.192.137	Active	Moloch
173.236.195.85	Active	Moloch
185.62.75.179	Active	Moloch
191.96.56.157	Active	Moloch
193.31.27.127	Active	Moloch
194.195.84.59	Active	Moloch
194.36.45.220	Active	Moloch
195.35.33.11	Active	Moloch
216.246.47.153	Active	Moloch
217.160.0.58	Active	Moloch
43.230.201.100	Active	Moloch
66.235.200.146	Active	Moloch
66.235.200.147	Active	Moloch
69.10.36.187	Active	Moloch
74.208.236.229	Active	Moloch
85.208.144.164	Active	Moloch
89.117.169.122	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 85.208.144.164:443 -> 192.168.56.103:49174	2522773	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 774	Misc Attack
TCP 193.31.27.127:9001 -> 192.168.56.103:49173	2522302	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 303	Misc Attack

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA March 29, 2024, 9:32 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW March 29, 2024, 9:32 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 29, 2024, 9:32 a.m.			0	0
IsDebuggerPresent March 29, 2024, 9:32 a.m.			0	0
IsDebuggerPresent March 29, 2024, 9:32 a.m.			0	0
IsDebuggerPresent March 29, 2024, 9:32 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleA March 29, 2024, 9:32 a.m.	buffer: Unhandled Exception: console_handle: 0x0000000b	1	1	0
WriteConsoleA March 29, 2024, 9:32 a.m.	buffer: System.MissingMethodException: Method not found: '!!0 System.Runtime.InteropServices.Marshal.GetDelegateForFunctionPointer(IntPtr)'. at MSG_NET.Angelo.ReturnSpecialList() at MSG_NET.Angelo..ctor() at MSG_NET.Program.Main(String[] args) console_handle: 0x0000000b	1	1	0

This executable has a PDB path (1 event)

pdb_path

Reboot.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 29, 2024, 9:32 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (14 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 29, 2024, 9:32 a.m.	process_identifier: 660 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00890000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 9:32 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2024, 9:32 a.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2024, 9:32 a.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 9:32 a.m.	process_identifier: 660 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 9:32 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 9:32 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 9:32 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 9:32 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 9:32 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00671000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 9:32 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00565000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 9:32 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 9:32 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00567000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 9:32 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00075a00', u'virtual_address': u'0x00002000', u'entropy': 7.970313012497091, u'name': u'.text', u'virtual_size': u'0x000758f4'}

entropy

7.9703130125

description

A section with a high entropy has been found

entropy

0.995767195767

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (32 events)

host	103.130.216.153
host	103.180.163.202
host	103.241.192.11
host	103.82.23.11
host	108.163.147.62
host	134.0.9.202
host	144.76.62.230
host	148.72.70.150
host	150.95.115.130
host	154.49.142.244
host	154.56.47.107
host	154.56.47.11
host	154.56.47.99
host	172.67.137.14
host	172.67.184.164
host	172.67.192.137
host	173.236.195.85
host	185.62.75.179
host	191.96.56.157
host	193.31.27.127
host	194.195.84.59
host	194.36.45.220
host	195.35.33.11
host	216.246.47.153
host	217.160.0.58
host	43.230.201.100
host	66.235.200.146
host	66.235.200.147
host	69.10.36.187
host	74.208.236.229
host	85.208.144.164
host	89.117.169.122

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Stealer.12!c
Skyhigh	Artemis!Trojan
ALYac	Trojan.GenericKD.72129319
Cylance	unsafe
VIPRE	Trojan.GenericKD.72129319
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 005b36331 )
BitDefender	Trojan.GenericKD.72129319
K7GW	Trojan ( 005b36331 )
Arcabit	Trojan.Generic.D44C9B27
VirIT	Trojan.Win32.GenusT.DVOY
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/GenKryptik.GVJR
APEX	Malicious
McAfee	Artemis!76DF4A59B141
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	HEUR:Trojan-Spy.MSIL.Stealer.gen
Alibaba	Trojan:MSIL/LummaC.06a7b46b
MicroWorld-eScan	Trojan.GenericKD.72129319
Rising	Malware.Obfus/MSIL@AI.100 (RDM.MSIL2:5RtpVHdi13XtfAvrv69i0Q)
Emsisoft	Trojan.GenericKD.72129319 (B)
F-Secure	Trojan.TR/AD.GenSteal.euxfz
TrendMicro	Trojan.Win32.AMADEY.YXEC1Z
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.76df4a59b141eb56
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Crypt
Google	Detected
Avira	TR/AD.GenSteal.euxfz
MAX	malware (ai score=81)
Kingsoft	MSIL.Trojan-Spy.Stealer.gen
Gridinsoft	Malware.Win32.ZgRAT.tr
Microsoft	Trojan:MSIL/LummaC.AMME!MTB
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Stealer.gen
GData	Trojan.GenericKD.72129319
Varist	W32/MSIL_Stealer.U.gen!Eldorado
AhnLab-V3	Trojan/Win.TrojanX-gen.C5605126
BitDefenderTheta	Gen:NN.ZemsilF.36802.Dm0@aK!GDgb
DeepInstinct	MALICIOUS
VBA32	TScope.Trojan.MSIL
Malwarebytes	Trojan.Crypt.MSIL.Generic
Panda	Trj/GdSda.A
TrendMicro-HouseCall	Trojan.Win32.AMADEY.YXEC1Z
Tencent	Malware.Win32.Gencirc.1406d705
SentinelOne	Static AI - Malicious PE
Fortinet	MSIL/GenKryptik.GVHR!tr
AVG	Win32:TrojanX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (W)
alibabacloud	Trojan[spy]:MSIL/Stealer.gen

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	172.67.137.14:443
dead_host	191.96.56.157:443

appdata.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All