Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 17, 2024, 10:21 a.m.	June 17, 2024, 10:23 a.m.

Size	4.2MB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`ccd45a73d555f6a89b06924e150680e5`
SHA256	`c86218367d0caf1b3939762afbb20f97e941da48d10725eb49239126dacd2422`
CRC32	`03676E6E`
ssdeep	`49152:uh0L6UQC+fua+hyHdzy8XkH5DaJc9zOPoze8MoRwFS0bM1qck0zdB0VF1NVm:uyL6Uouxhf9zOPozzE0zqV`
Yara	Malicious_Packer_Zero - Malicious Packer Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

b.exe "C:\Users\test22\AppData\Local\Temp\b.exe"
2672
- cmd.exe cmd.exe /c "reg add \"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\" /v WinUpdate /t REG_SZ /d \"C:\Users\test22\AppData\Local\Temp\b.exe\""
  2772
  - reg.exe reg add \"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\" /v WinUpdate /t REG_SZ /d \"C:\Users\test22\AppData\Local\Temp\b.exe\"
    2852

Name	Response	Post-Analysis Lookup
comprobacion-aerolineas.com	A 94.156.67.86	94.156.67.86

IP Address	Status	Action
164.124.101.2	Active	Moloch
94.156.67.86	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 94.156.67.86:9090 -> 192.168.56.101:49163	2400014	ET DROP Spamhaus DROP Listed Traffic Inbound group 15	Misc Attack
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49164 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49163 -> 94.156.67.86:9090	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.symtab

Creates a suspicious process (1 event)

cmdline

cmd.exe /c "reg add \"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\" /v WinUpdate /t REG_SZ /d \"C:\Users\test22\AppData\Local\Temp\b.exe\""

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	cmd.exe /c "reg add \"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\" /v WinUpdate /t REG_SZ /d \"C:\Users\test22\AppData\Local\Temp\b.exe\""
cmdline	reg add \"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\" /v WinUpdate /t REG_SZ /d \"C:\Users\test22\AppData\Local\Temp\b.exe\"

Detects the presence of Wine emulator (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress June 17, 2024, 10:21 a.m.	ordinal: 0 function_address: 0x0018fe29 function_name: wine_get_version module: ntdll module_address: 0x76f10000		3221225785	0

File has been identified by 39 AntiVirus engines on VirusTotal as malicious (39 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Convagent.a!c
Elastic	malicious (moderate confidence)
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Trojan.rh
Cylance	Unsafe
Sangfor	Trojan.Win32.Agent.Vzab
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of WinGo/Agent.SC
APEX	Malicious
Avast	Win32:Malware-gen
Kaspersky	Trojan-Downloader.Win32.Gomal.aex
Rising	Trojan.Generic@AI.86 (RDML:y3xovI/YB4mn4C9dvZIYtQ)
F-Secure	Trojan.TR/Crypt.XPACK.Gen
McAfeeD	ti!C86218367D0C
FireEye	Generic.mg.ccd45a73d555f6a8
Sophos	Mal/Generic-S
Ikarus	Win32.Outbreak
Google	Detected
Avira	TR/Crypt.XPACK.Gen
Kingsoft	Win32.Trojan-Downloader.Gomal.aex
Gridinsoft	Ransom.Win32.Sabsik.sa
Microsoft	Trojan:Win32/Casdet!rfn
ViRobot	Trojan.Win.Z.Agent.4402176.A
ZoneAlarm	Trojan-Downloader.Win32.Gomal.aex
GData	Win32.Trojan.Agent.6WPJIH
Varist	W32/ABRisk.SYPB-6483
AhnLab-V3	Trojan/Win.CobaltStrike.C4705188
BitDefenderTheta	AI:Packer.A94DE9E621
DeepInstinct	MALICIOUS
VBA32	BScope.Trojan.Win64.Agent
Malwarebytes	Malware.AI.4085937375
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.256267328.susgen
Fortinet	W32/Agent.SC!tr
AVG	Win32:Malware-gen
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_70% (D)
alibabacloud	Trojan:Multi/XPACK.Gyf

b.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All