Summary | ZeroBOX

random.exe

Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) Antivirus UPX PE32 PE File
Category FILE
Machine s1_win7_x6401
Started Aug. 11, 2024, 2:29 p.m.
Completed Aug. 11, 2024, 3:16 p.m.
Size 187.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 278ee1426274818874556aa18fd02e3a
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
CRC32 35387B04
ssdeep 3072:/k9W0KFj5qj6o8KaxfE54HnnGqaKl+b2n8O43tIFmpKa:/kE/j5K62aOanGqCbAq3SFAKa
Yara
  • Malicious_Library_Zero - Malicious_Library
  • Admin_Tool_IN_Zero - Admin Tool Sysinternals
  • PE_Header_Zero - PE File Signature
  • Antivirus - Contains references to security software
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • Generic_Malware_Zero - Generic Malware

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
185.215.113.100 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 185.215.113.100:80 -> 192.168.56.101:49161 2400032 ET DROP Spamhaus DROP Listed Traffic Inbound group 33 Misc Attack
TCP 192.168.56.101:49161 -> 185.215.113.100:80 2044243 ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA
computer_name: TEST22-PC
status: 1 return: 1 repeated: 0

GetComputerNameA
computer_name: TEST22-PC
status: 1 return: 1 repeated: 0

GlobalMemoryStatusEx
status: 1 return: 1 repeated: 0
suspicious_features: GET method with no useragent header, Connection to IP address
suspicious_request: GET http://185.215.113.100/
suspicious_features: POST method with no referer header, POST method with no useragent header, Connection to IP address
suspicious_request: POST http://185.215.113.100/e2b1563c6670f193.php
request GET http://185.215.113.100/
request POST http://185.215.113.100/e2b1563c6670f193.php
request POST http://185.215.113.100/e2b1563c6670f193.php
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00240000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0
host 185.215.113.100
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Stealerc.tsCt
Elastic Windows.Generic.Threat
Cynet Malicious (score: 100)
Skyhigh BehavesLike.Win32.Trojan.ch
ALYac Gen:Variant.Zusy.546982
Cylance Unsafe
VIPRE Gen:Variant.Zusy.546982
Sangfor Infostealer.Win32.Stealerc.Vdff
K7AntiVirus Trojan ( 005afa591 )
Alibaba TrojanPSW:Win32/Stealerc.484a4f51
K7GW Trojan ( 005afa591 )
Cybereason malicious.262748
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Stealc.A
APEX Malicious
McAfee Artemis!278EE1426274
Paloalto generic.ml
ClamAV Win.Malware.Stealerc-10034234-0
Kaspersky Trojan-PSW.Win32.Stealerc.lzc
BitDefender Gen:Variant.Zusy.546982
NANO-Antivirus Virus.Win32.Gen.ccmw
MicroWorld-eScan Gen:Variant.Zusy.546982
Rising Stealer.Agent!8.C2 (TFE:2:DQwxTsXk3kJ)
Emsisoft Gen:Variant.Zusy.546982 (B)
F-Secure Trojan.TR/AD.Stealc.mjdov
DrWeb Trojan.PWS.StealC.4
McAfeeD Real Protect-LS!278EE1426274
Trapmine malicious.moderate.ml.score
FireEye Generic.mg.278ee14262748188
Sophos Troj/Stealc-AAB
SentinelOne Static AI - Malicious PE
Webroot W32.Stealerc
Google Detected
Avira TR/AD.Stealc.mjdov
MAX malware (ai score=84)
Antiy-AVL Trojan[PSW]/Win32.StealerC
Kingsoft malware.kb.a.997
Gridinsoft Trojan.Win32.Agent.sa
Xcitium Malware@#3iqg7wwdr07a2
Arcabit Trojan.Zusy.D858A6
ViRobot Trojan.Win.Z.Stealerc.192000.D
ZoneAlarm Trojan-PSW.Win32.Stealerc.lzc
GData Gen:Variant.Zusy.546982
AhnLab-V3 Trojan/Win.Stealerc.R660025
BitDefenderTheta AI:Packer.BA8144FB1E
TACHYON Trojan/W32.Agent.192000.SH
DeepInstinct MALICIOUS
VBA32 BScope.Trojan.Downloader
Malwarebytes Spyware.Stealc