Summary | ZeroBOX

CryptoWall.exe

ScreenShot KeyLogger AntiDebug PE File PE32 AntiVM
Category FILE
Machine s1_win7_x6401
Started July 6, 2024, 6:22 p.m.
Completed July 6, 2024, 6:24 p.m.
Size 132.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 919034c8efb9678f96b47a20fa6199f2
SHA256 e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734
CRC32 8B373D46
ssdeep 3072:naRQpzd/99wen3XgWorw8I3h8LkMvqCgQfBUnPy8L6kssU:nJdTwo30ri3h8LkMvqCgQfBUPy8L6ksP
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

IP Address Status Action

Suricata Alerts

Flow SID Signature Category
TCP 185.172.128.90:80 -> 192.168.56.101:49163 2400032 ET DROP Spamhaus DROP Listed Traffic Inbound group 33 Misc Attack
TCP 192.168.56.101:49163 -> 188.165.164.184:80 2020105 ET INFO HTTP Request for External IP Check (ip-addr .es) Device Retrieving External IP Address Detected
TCP 192.168.56.101:49171 -> 188.165.164.184:80 2020105 ET INFO HTTP Request for External IP Check (ip-addr .es) Device Retrieving External IP Address Detected
TCP 192.168.56.101:49164 -> 34.117.118.44:80 2019980 ET POLICY External IP Check myexternalip.com Device Retrieving External IP Address Detected
TCP 192.168.56.101:49172 -> 34.117.118.44:80 2019980 ET POLICY External IP Check myexternalip.com Device Retrieving External IP Address Detected

Suricata TLS

No Suricata TLS

request GET http://ip-addr.es/
request GET http://myexternalip.com/raw
domain ip-addr.es
domain myexternalip.com
section .data (size_of_data 0x00009400, virtual_address 0x00019000, virtual_size 0x0000a500, entropy 7.586665796448093) description A section with a high entropy has been found
entropy 0.2890625 description Overall entropy of this PE file is high
description Take ScreenShot rule ScreenShot
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Run a KeyLogger rule KeyLogger
buffer Buffer with sha1: 246422be21276cf15ba6f4b7af31b49d62773914
Process injection Process 2552 manipulating memory of non-child process 2604
API NtMapViewOfSection
Arguments
  section_handle: 0x000000a0
  process_identifier: 2604
  commit_size: 151552
  win32_protect: 64 (PAGE_EXECUTE_READWRITE)
  buffer:
  base_address: 0x000b0000
  allocation_type: 0 ()
  section_offset: 0
  view_size: 151552
  process_handle: 0x00000090
Status 1  Return 0  Repeated 0
Process injection Process 2552 resumed a thread in remote process 2604
API NtResumeThread
Arguments
  thread_handle: 0x000000a0
  suspend_count: 1
  process_identifier: 2604
Status 1  Return 0  Repeated 0
API CreateProcessInternalW
Arguments
  thread_identifier: 2608
  thread_handle: 0x00000094
  process_identifier: 2604
  current_directory:
  filepath: C:\Windows\SysWOW64\explorer.exe
  track: 1
  command_line:
  filepath_r: C:\Windows\syswow64\explorer.exe
  stack_pivoted: 0
  creation_flags: 4 (CREATE_SUSPENDED)
  inherit_handles: 0
  process_handle: 0x00000090
Status 1  Return 1  Repeated 0
Antivirus Signature
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Cryptodef.tqGM
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Ransom.CryptoWall.77
CAT-QuickHeal Ransom.Crowti.16508
ALYac Gen:Variant.Ransom.CryptoWall.77
Cylance Unsafe
VIPRE Gen:Variant.Ransom.CryptoWall.77
K7AntiVirus Trojan ( 00498ab51 )
Alibaba TrojanDropper:Win32/dropper.ali1003001
K7GW Trojan ( 00498ab51 )
Cybereason malicious.8efb96
VirIT Trojan.Win32.FileCryptor.UR
Symantec ML.Attribute.HighConfidence
tehtris Generic.Malware
ESET-NOD32 a variant of Win32/Filecoder.CryptoWall.A
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky Trojan-Ransom.Win32.Cryptodef.cbs
BitDefender Gen:Variant.Ransom.CryptoWall.77
NANO-Antivirus Trojan.Win32.YOTD2256.dncaot
Rising Ransom.Crowti!8.37D (TFE:2:jCQ8i3u36MH)
Emsisoft Gen:Variant.Ransom.CryptoWall.77 (B)
F-Secure Trojan.TR/Crypt.XPACK.Gen
DrWeb Trojan.Encoder.514
Zillya Trojan.FileCoder.Win32.7
TrendMicro TROJ_CRYPWALL.SMJC
McAfeeD Real Protect-LS!919034C8EFB9
Trapmine malicious.high.ml.score
FireEye Generic.mg.919034c8efb9678f
Sophos Troj/Ransom-AGU
Ikarus Trojan-Ransom.Crowti
Jiangmin Trojan.Cryptodef.jf
Webroot W32.Trojan.TR.Crypt.XPACK
Google Detected
Avira TR/Crypt.XPACK.Gen
MAX malware (ai score=100)
Antiy-AVL Trojan[Ransom]/Win32.Cryptodef
Kingsoft Win32.Trojan-Ransom.Cryptodef.cbs
Gridinsoft Malware.Win32.GenericMC.cc
Xcitium Malware@#1gyh86oymb1d1
Arcabit Trojan.Ransom.CryptoWall.77
ViRobot Trojan.Win32.Z.Crowti.135168
ZoneAlarm Trojan-Ransom.Win32.Cryptodef.cbs
GData Gen:Variant.Ransom.CryptoWall.77
Varist W32/Cryptowall.B.gen!Eldorado
AhnLab-V3 Trojan/Win32.CryptoWall.R135312
BitDefenderTheta Gen:NN.ZexaF.36808.iqX@a8QE4fp
DeepInstinct MALICIOUS