Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 12, 2024, 11:27 a.m.	Aug. 12, 2024, 11:36 a.m.

Size	2.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`d9c2521c8dd6cfdb84244a46a681dfa8`
SHA256	`a38b514a313e566ffef61acfc7bb9fd07c0499cb87cc795815e84eb2618427c9`
CRC32	`1F342E78`
ssdeep	`49152:3b/FFiGqsqUTUZefhTfOJrqXA/5jn917fFHrle:3i+ULdo`
Yara	Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file

222fastsetup.exe "C:\Users\test22\AppData\Local\Temp\222fastsetup.exe"
2548

Name	Response	Post-Analysis Lookup
fixz5sb.top	A 172.67.146.82 A 104.21.79.151	104.21.79.151

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.146.82	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.101:49162 -> 172.67.146.82:80	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	A Network Trojan was detected
TCP 192.168.56.101:49164 -> 172.67.146.82:80	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	A Network Trojan was detected
TCP 192.168.56.101:49162 -> 172.67.146.82:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 172.67.146.82:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 172.67.146.82:80	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	A Network Trojan was detected
TCP 192.168.56.101:49162 -> 172.67.146.82:80	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	A Network Trojan was detected
TCP 192.168.56.101:49164 -> 172.67.146.82:80	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	A Network Trojan was detected
TCP 192.168.56.101:49164 -> 172.67.146.82:80	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	A Network Trojan was detected
TCP 192.168.56.101:49164 -> 172.67.146.82:80	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 12, 2024, 11:27 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST http://fixz5sb.top/v1/upload.php

Performs some HTTP requests (1 event)

request

POST http://fixz5sb.top/v1/upload.php

Sends data using the HTTP POST Method (1 event)

request

POST http://fixz5sb.top/v1/upload.php

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

fixz5sb.top

description

Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (8 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 12, 2024, 11:27 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73451000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 11:27 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 11:27 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75bf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 11:27 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75591000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 11:27 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 11:27 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 11:27 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x730d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 11:27 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73401000 process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00012000', u'virtual_address': u'0x007ce000', u'entropy': 6.8171981211773005, u'name': u'.reloc', u'virtual_size': u'0x00011e88'}

entropy

6.81719812118

description

A section with a high entropy has been found

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
ALYac	Generic.Dacic.3471.CF314CA1
VIPRE	Generic.Dacic.3471.CF314CA1
K7AntiVirus	Password-Stealer ( 0054d1a31 )
BitDefender	Generic.Dacic.3471.CF314CA1
K7GW	Password-Stealer ( 0054d1a31 )
Cybereason	malicious.c8dd6c
Arcabit	Trojan.Zusy.D87939
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/PSW.Agent.OGR
APEX	Malicious
McAfee	Artemis!D9C2521C8DD6
Avast	Win32:Evo-gen [Trj]
ClamAV	Win.Malware.Barys-10032866-0
MicroWorld-eScan	Generic.Dacic.3471.CF314CA1
Rising	Stealer.Agent!8.C2 (TFE:5:rLw0cFpN2KM)
Emsisoft	Generic.Dacic.3471.CF314CA1 (B)
McAfeeD	Real Protect-LS!D9C2521C8DD6
FireEye	Generic.Dacic.3471.CF314CA1
Sophos	Mal/Generic-S
Google	Detected
MAX	malware (ai score=87)
Antiy-AVL	Trojan[PSW]/Win32.Stealer
Microsoft	Trojan:Win32/Cryptnot.QYAA!MTB
GData	Generic.Dacic.3471.CF314CA1
Varist	W32/Stealer.HD.gen!Eldorado
AhnLab-V3	Infostealer/Win.CryptBot.R659955
BitDefenderTheta	Gen:NN.ZexaF.36810.E!Z@aq04k3b
Malwarebytes	Spyware.PasswordStealer
Ikarus	Trojan-PSW.Agent
Panda	Trj/Genetic.gen
huorong	TrojanSpy/Stealer.lt
Fortinet	W32/Agent.OGR!tr.pws
AVG	Win32:Evo-gen [Trj]

222fastsetup.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All