Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 4, 2024, 5:43 p.m.	Aug. 4, 2024, 5:45 p.m.

Size	2.0MB
Type	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	`85b1854b81d15ac9116aa200304d7ca0`
SHA256	`f1530d12529d8b0ed379457feee1a7cfc223596f455ea0d0771f414699bc88f5`
CRC32	`D5DF62C7`
ssdeep	`49152:wv9EtY/18WmXsQyVOwJoNWu1vCHdrWTz+pmjjhnlQD38kF:uWm8sQF1vCMe`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description) Generic_Malware_Zero - Generic Malware

pic5.jpg.exe "C:\Users\test22\AppData\Local\Temp\pic5.jpg.exe"
2544

Name	Response	Post-Analysis Lookup
mundoparachicas.space	A 172.67.199.148 A 104.21.42.29	104.21.42.29

IP Address	Status	Action
104.21.42.29	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49163 -> 104.21.42.29:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49163 104.21.42.29:443	C=US, O=Google Trust Services, CN=WE1	CN=mundoparachicas.space	ef:c3:09:ce:17:d9:1d:ed:79:52:ca:9c:fd:3e:dc:01:9b:91:03:40

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 4, 2024, 5:43 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST https://mundoparachicas.space/imageFolio.cgi?qehii0w3ze9sn=nO6wgakvlUvUKyvVvRezNJaB0mAvGbPqVKo12a3LOUvhvPrA9eFcs3uIBjr2ICTAiCiRSrnI1BD1Zngf6t0fTw%3D%3D

Performs some HTTP requests (1 event)

request

POST https://mundoparachicas.space/imageFolio.cgi?qehii0w3ze9sn=nO6wgakvlUvUKyvVvRezNJaB0mAvGbPqVKo12a3LOUvhvPrA9eFcs3uIBjr2ICTAiCiRSrnI1BD1Zngf6t0fTw%3D%3D

Sends data using the HTTP POST Method (1 event)

request

POST https://mundoparachicas.space/imageFolio.cgi?qehii0w3ze9sn=nO6wgakvlUvUKyvVvRezNJaB0mAvGbPqVKo12a3LOUvhvPrA9eFcs3uIBjr2ICTAiCiRSrnI1BD1Zngf6t0fTw%3D%3D

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 4, 2024, 5:43 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 4, 2024, 5:43 p.m.	process_identifier: 2544 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000006030000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 4, 2024, 5:43 p.m.	process_identifier: 2544 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000006170000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 4, 2024, 5:43 p.m.	process_identifier: 2544 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000006172000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x0000d200', u'virtual_address': u'0x001df000', u'entropy': 7.916465937119629, u'name': u'.data', u'virtual_size': u'0x0000d1c0'}

entropy

7.91646593712

description

A section with a high entropy has been found

Harvests credentials from local FTP client softwares (2 events)

registry	HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2 Override
registry	HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

Bkav	W64.AIDetectMalware
Elastic	malicious (high confidence)
Cylance	Unsafe
Sangfor	Trojan.Win64.Agent.V1u9
ESET-NOD32	a variant of Win64/Kryptik.EMS
APEX	Malicious
Kaspersky	Trojan.Win64.SleepObf.eb
Rising	Trojan.Kryptik@AI.86 (RDML:FvvkDlCfmSj2WKWCy6wOUA)
F-Secure	Trojan.TR/Kryptik.hemnz
TrendMicro	Trojan.Win64.SMOKELOADER.YXEHDZ
McAfeeD	ti!F1530D12529D
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.85b1854b81d15ac9
Avira	TR/Kryptik.hemnz
Kingsoft	Win32.Troj.Unknown.a
ZoneAlarm	Trojan.Win64.SleepObf.eb
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware/Suspicious
TrendMicro-HouseCall	Trojan.Win64.SMOKELOADER.YXEHDZ
CrowdStrike	win/malicious_confidence_100% (W)
alibabacloud	Trojan:Win/Kryptik.EZK

pic5.jpg.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All