Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 9, 2024, 4:42 p.m.	Aug. 9, 2024, 4:46 p.m.

Size	3.0MB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`ba027ccb7de0f4a3769f48136d183dbd`
SHA256	`4cb86d1b9775321a7f8ed4f751e3ece271402e0be07070f72e68df038877dc8e`
CRC32	`E07EE585`
ssdeep	`49152:u2LuWAXniueagRswaRfZ/G+eUmOpw80D:uWta28AOpw`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) UPX_Zero - UPX packed file

66b24859611ad_agent_3.exe "C:\Users\test22\AppData\Local\Temp\66b24859611ad_agent_3.exe"
2544
- nv.exe "C:\Program Files (x86)\NetVoyager\nv.exe"
  2644

Name	Response	Post-Analysis Lookup
agent-runner-service2.com	A 95.164.44.107	95.164.44.107

IP Address	Status	Action
164.124.101.2	Active	Moloch
95.164.44.107	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49164 -> 95.164.44.107:5000	2260002	SURICATA Applayer Detect protocol only one direction	Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.symtab

Creates executable files on the filesystem (1 event)

file	C:\Program Files (x86)\NetVoyager\nv.exe

Drops a binary and executes it (1 event)

file	C:\Program Files (x86)\NetVoyager\nv.exe

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NetVoyager

reg_value

"C:\Program Files (x86)\NetVoyager\nv.exe" -run -s agent-runner-service2.com:5000

Detects the presence of Wine emulator (2 events)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress Aug. 9, 2024, 4:42 p.m.	ordinal: 0 function_address: 0x0018fd88 function_name: wine_get_version module: ntdll module_address: 0x76f10000		3221225785	0
LdrGetProcedureAddress Aug. 9, 2024, 4:42 p.m.	ordinal: 0 function_address: 0x0018fd88 function_name: wine_get_version module: ntdll module_address: 0x76f10000		3221225785	0

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Gomal.a!c
Elastic	malicious (moderate confidence)
Cynet	Malicious (score: 99)
Skyhigh	Artemis!PUP
ALYac	Gen:Variant.Doina.71068
Cylance	Unsafe
VIPRE	Gen:Variant.Doina.71068
K7AntiVirus	Trojan ( 0056ccf01 )
BitDefender	Gen:Variant.Doina.71068
K7GW	Trojan ( 0056ccf01 )
Cybereason	malicious.b7de0f
Arcabit	Trojan.Doina.D1159C
VirIT	Trojan.Win32.Genus.WFT
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
McAfee	Artemis!BA027CCB7DE0
Avast	Win32:Malware-gen
Kaspersky	Trojan-Downloader.Win32.Gomal.yn
Alibaba	TrojanDownloader:Win32/Gomal.2c9f633f
NANO-Antivirus	Trojan.Win32.Gomal.kkmmnn
MicroWorld-eScan	Gen:Variant.Doina.71068
Rising	Downloader.Gomal!8.1778E (CLOUD)
Emsisoft	Gen:Variant.Doina.71068 (B)
F-Secure	Trojan.TR/Redcap.turvo
TrendMicro	Trojan.Win32.PRIVATELOADER.YXEHGZ
McAfeeD	ti!4CB86D1B9775
FireEye	Gen:Variant.Doina.71068
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Avira	TR/Redcap.turvo
MAX	malware (ai score=84)
Antiy-AVL	Trojan[Downloader]/Win32.Gomal
Kingsoft	Win32.Trojan-Downloader.Gomal.yn
Gridinsoft	Trojan.Win32.Downloader.ca
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	Trojan-Downloader.Win32.Gomal.yn
GData	Gen:Variant.Doina.71068
AhnLab-V3	Malware/Win.Generic.C5598730
BitDefenderTheta	Gen:NN.ZexaF.36810.9YW@aa7gNuk
DeepInstinct	MALICIOUS
VBA32	suspected of Trojan.Downloader.gen
Malwarebytes	Trojan.MalPack.GO
TrendMicro-HouseCall	Trojan.Win32.PRIVATELOADER.YXEHGZ
Tencent	Malware.Win32.Gencirc.11c51c15
MaxSecure	Trojan.Malware.234711975.susgen
Fortinet	W32/PossibleThreat
AVG	Win32:Malware-gen
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_60% (D)

66b24859611ad_agent_3.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All