Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 17, 2024, 10:11 p.m.	Aug. 17, 2024, 10:29 p.m.

Size	2.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`2dbdc645b9776239b18f772c30c1a626`
SHA256	`2b92d1c34b7f0278703c98e9fd755e061d0f120eea327996b223dfc65610dfcd`
CRC32	`7B4767F6`
ssdeep	`49152:hhVSCIoIdMdFH/x0EtwDPbtjlEzVu0K64EiSADdUNigC:7Ivnq80bODdU6`
Yara	Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file

DOC.exe "C:\Users\test22\AppData\Local\Temp\DOC.exe"
2544

Name	Response	Post-Analysis Lookup
fivexc5vt.top	A 172.67.161.137 A 104.21.15.43	104.21.15.43

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.161.137	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.101:49162 -> 172.67.161.137:80	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	A Network Trojan was detected
TCP 192.168.56.101:49162 -> 172.67.161.137:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 172.67.161.137:80	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	A Network Trojan was detected
TCP 192.168.56.101:49164 -> 172.67.161.137:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 172.67.161.137:80	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	A Network Trojan was detected
TCP 192.168.56.101:49165 -> 172.67.161.137:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 172.67.161.137:80	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 17, 2024, 10:11 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST http://fivexc5vt.top/v1/upload.php

Performs some HTTP requests (1 event)

request

POST http://fivexc5vt.top/v1/upload.php

Sends data using the HTTP POST Method (1 event)

request

POST http://fivexc5vt.top/v1/upload.php

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

fivexc5vt.top

description

Generic top level domain TLD

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00011c00', u'virtual_address': u'0x007d9000', u'entropy': 6.815201248601815, u'name': u'.reloc', u'virtual_size': u'0x00011ae4'}

entropy

6.8152012486

description

A section with a high entropy has been found

Generates some ICMP traffic

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Dacic.i!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
CAT-QuickHeal	Trojan.Cryptnot
ALYac	Generic.Dacic.3471.C7BA7BD0
Cylance	Unsafe
VIPRE	Generic.Dacic.3471.C7BA7BD0
K7AntiVirus	Password-Stealer ( 0054cf561 )
BitDefender	Generic.Dacic.3471.C7BA7BD0
K7GW	Password-Stealer ( 0054cf561 )
Cybereason	malicious.5b9776
Arcabit	Trojan.Zusy.D87939
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/PSW.Agent.OGR
APEX	Malicious
Avast	Win32:Evo-gen [Trj]
ClamAV	Win.Malware.Barys-10032866-0
Kaspersky	Trojan-PSW.Win32.Cryptnot.byl
Alibaba	TrojanPSW:Win32/Cryptnot.73942b3c
MicroWorld-eScan	Generic.Dacic.3471.C7BA7BD0
Rising	Stealer.Agent!8.C2 (TFE:5:rLw0cFpN2KM)
Emsisoft	Generic.Dacic.3471.C7BA7BD0 (B)
F-Secure	Trojan.TR/PSW.Agent.fkjil
TrendMicro	Trojan.Win32.AMADEY.YXEHNZ
McAfeeD	Real Protect-LS!2DBDC645B977
FireEye	Generic.Dacic.3471.C7BA7BD0
Sophos	Mal/Generic-S
Google	Detected
Avira	TR/PSW.Agent.fkjil
MAX	malware (ai score=89)
Antiy-AVL	Trojan[PSW]/Win32.Stealer
Gridinsoft	Trojan.Win32.Agent.sa
Microsoft	Trojan:Win32/Cryptnot.QYAA!MTB
ZoneAlarm	Trojan-PSW.Win32.Cryptnot.byl
GData	Generic.Dacic.3471.C7BA7BD0
Varist	W32/Stealer.HD.gen!Eldorado
AhnLab-V3	Infostealer/Win.CryptBot.R659955
BitDefenderTheta	Gen:NN.ZexaF.36810.I!Z@a86dO!m
DeepInstinct	MALICIOUS
Malwarebytes	Spyware.PasswordStealer
Ikarus	Trojan-PSW.Agent
Panda	Trj/GdSda.A
TrendMicro-HouseCall	Trojan.Win32.AMADEY.YXEHNZ
Tencent	Win32.Trojan-QQPass.QQRob.Swhl
huorong	TrojanSpy/Stealer.lt
Fortinet	W32/Agent.OGR!tr.pws
AVG	Win32:Evo-gen [Trj]
Paloalto	generic.ml
alibabacloud	RiskWare:Win/Cryptnot.QNZO3DGW

DOC.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All