Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 21, 2024, 11:46 p.m.	April 21, 2024, 11:46 p.m.

Size	600.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`628e9b3aa525960223fd93bae86b5e7d`
SHA256	`a050521e44bf504fe73e220798b66ce91259238fbcb1b04e206f5a78959e5aeb`
CRC32	`12EDA0AB`
ssdeep	`12288:nUG2pBoy4QQbDRfEk9Iz/rduerdgpjtDNzNpEsRkP7mHqx9bsejWgsWsHQb0Awwc:VuBoyw`
PDB Path	Cinoshi.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

faintxakers-76060706313.exe "C:\Users\test22\AppData\Local\Temp\faintxakers-76060706313.exe"
2556

Name	Response	Post-Analysis Lookup
tryno.ru	A 194.58.112.165	194.58.112.165

IP Address	Status	Action
164.124.101.2	Active	Moloch
194.58.112.165	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49162 -> 194.58.112.165:443	2046803	ET MALWARE Cinoshi Clipper Domain (tryno .ru) in TLS SNI	A Network Trojan was detected
TCP 192.168.56.101:49162 -> 194.58.112.165:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49162 194.58.112.165:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign GCC R6 AlphaSSL CA 2023	CN=*.reg.ru	33:e4:2b:56:55:e7:18:c3:be:b7:69:ed:b2:d4:b8:9d:29:f1:a3:23

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA April 21, 2024, 11:46 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW April 21, 2024, 11:46 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 21, 2024, 11:46 p.m.			0	0
IsDebuggerPresent April 21, 2024, 11:46 p.m.			0	0
IsDebuggerPresent April 21, 2024, 11:46 p.m.			0	0
IsDebuggerPresent April 21, 2024, 11:46 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

Cinoshi.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 21, 2024, 11:46 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	\x0bZr;I\x1a )
section

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

tryno.ru

description

Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (25 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 21, 2024, 11:46 p.m.	process_identifier: 2556 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2024, 11:46 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2024, 11:46 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2024, 11:46 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2024, 11:46 p.m.	process_identifier: 2556 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e10000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2024, 11:46 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ef0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2024, 11:46 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2024, 11:46 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2024, 11:46 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2024, 11:46 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2024, 11:46 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2024, 11:46 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2024, 11:46 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2024, 11:46 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 163840 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00032000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2024, 11:46 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2024, 11:46 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f73000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2024, 11:46 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f74000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2024, 11:46 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2024, 11:46 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f75000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2024, 11:46 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2024, 11:46 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2024, 11:46 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2024, 11:46 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2024, 11:46 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2024, 11:46 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 21, 2024, 11:46 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00027600', u'virtual_address': u'0x00002000', u'entropy': 7.998824790306015, u'name': u'\\x0bZr;I\\x1a\r)', u'virtual_size': u'0x00027568'}

entropy

7.99882479031

description

A section with a high entropy has been found

entropy

0.262718932444

description

Overall entropy of this PE file is high

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Lionic	Trojan.Win32.Seraph.4!c
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
Skyhigh	BehavesLike.Win32.Generic.jm
ALYac	Gen:Variant.Cerbu.165427
Cylance	unsafe
VIPRE	Gen:Variant.Cerbu.165427
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Gen:Variant.Cerbu.165427
K7GW	Spyware ( 005936451 )
K7AntiVirus	Spyware ( 005936451 )
Arcabit	Trojan.Cerbu.D28633
VirIT	Trojan.Win32.Genus.OCJ
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Spy.Agent.DXY
APEX	Malicious
McAfee	Artemis!628E9B3AA525
Avast	Win32:SpywareX-gen [Trj]
Kaspersky	HEUR:Trojan-Downloader.MSIL.Seraph.gen
Alibaba	TrojanDownloader:MSIL/Seraph.52786f1c
NANO-Antivirus	Trojan.Win32.Seraph.jvczjk
MicroWorld-eScan	Gen:Variant.Cerbu.165427
Rising	Malware.Obfus/MSIL@AI.90 (RDM.MSIL2:qyBRnNBjRrpODXsT1ERA1g)
Emsisoft	Gen:Variant.Cerbu.165427 (B)
F-Secure	Heuristic.HEUR/AGEN.1311394
DrWeb	Trojan.Siggen20.722
Zillya	Trojan.Agent.Win32.3271319
TrendMicro	TrojanSpy.MSIL.CINOSHI.SMTH
FireEye	Generic.mg.628e9b3aa5259602
Sophos	Mal/Generic-S
Ikarus	Trojan-Spy.Cinoshi
Webroot	W32.Spyware.Gen
Google	Detected
Avira	HEUR/AGEN.1311394
MAX	malware (ai score=84)
Antiy-AVL	Trojan[Spy]/MSIL.Agent
Kingsoft	Win32.Troj.Undef.a
Gridinsoft	Trojan.Heur!.03013281
Xcitium	Malware@#6vt83ohtbngv
Microsoft	Trojan:MSIL/CinoshiStealer.A!MTB
ZoneAlarm	HEUR:Trojan-Downloader.MSIL.Seraph.gen
GData	Gen:Variant.Cerbu.165427
Varist	W32/MSIL_Kryptik.JAN.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.R561300
BitDefenderTheta	Gen:NN.ZemsilF.36744.Lu0@ambO4Ro
DeepInstinct	MALICIOUS
VBA32	CIL.HeapOverride.Heur
Malwarebytes	Generic.Malware.AI.DDS
Panda	Trj/Chgt.AD

faintxakers-76060706313.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All