Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 21, 2024, 1:26 p.m.	Aug. 21, 2024, 1:43 p.m.

Size	6.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`37263ede84012177cab167dc23457074`
SHA256	`9afd9e70b6f166cfc6de30e206dff5963073a6faeff5bcc93ee131df79894fc2`
CRC32	`2FFD6616`
ssdeep	`98304:RYXXi4g+Xlxnn0wG9lY/3HeEqD1iG05rY:REXiJ+Xlxnn5Ydpb8rY`
Yara	Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file

Setup2.exe "C:\Users\test22\AppData\Local\Temp\Setup2.exe"
2580

Name	Response	Post-Analysis Lookup
fivexc5pt.top

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 21, 2024, 1:26 p.m.		1	1	0

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

fivexc5pt.top

description

Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (8 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 21, 2024, 1:26 p.m.	process_identifier: 2580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73451000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 1:26 p.m.	process_identifier: 2580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 1:26 p.m.	process_identifier: 2580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75bf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 1:26 p.m.	process_identifier: 2580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75591000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 1:26 p.m.	process_identifier: 2580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 1:26 p.m.	process_identifier: 2580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 1:26 p.m.	process_identifier: 2580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x730d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 1:26 p.m.	process_identifier: 2580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73401000 process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x000e2600', u'virtual_address': u'0x00b39000', u'entropy': 6.84171602764939, u'name': u'.reloc', u'virtual_size': u'0x000e253c'}

entropy

6.84171602765

description

A section with a high entropy has been found

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Lionic	Trojan.Win32.Stealer.12!c
Elastic	malicious (high confidence)
Skyhigh	BehavesLike.Win32.Kryptik.vh
Sangfor	Infostealer.Win32.Agent.Vw2w
K7AntiVirus	Password-Stealer ( 0054cf561 )
BitDefender	Trojan.Generic.36720577
K7GW	Password-Stealer ( 0054cf561 )
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/PSW.Agent.OGR
APEX	Malicious
McAfee	Artemis!37263EDE8401
Avast	Win32:Evo-gen [Trj]
ClamAV	Win.Malware.Barys-10032866-0
Kaspersky	Trojan-PSW.Win32.Cryptnot.cae
Alibaba	TrojanPSW:Win32/Cryptnot.e992e804
MicroWorld-eScan	Trojan.Generic.36720577
Rising	Trojan.CryptBot!8.19865 (TFE:5:du8Y4XG1zuF)
Emsisoft	Trojan.Generic.36720577 (B)
F-Secure	Trojan.TR/PSW.Agent.lkoxs
TrendMicro	Trojan.Win32.AMADEY.YXEHQZ
McAfeeD	ti!9AFD9E70B6F1
FireEye	Trojan.Generic.36720577
Sophos	Mal/Generic-S
Google	Detected
Avira	TR/PSW.Agent.lkoxs
MAX	malware (ai score=85)
Antiy-AVL	Trojan/Win32.Cryptbot
Microsoft	Trojan:Win32/CryptBot.CCJD!MTB
ZoneAlarm	Trojan-PSW.Win32.Cryptnot.cae
GData	Win32.Trojan.Agent.TERNBI
AhnLab-V3	Trojan/Win.CryptBot.C5659071
BitDefenderTheta	Gen:NN.ZexaF.36812.@@Z@aGJn11c
DeepInstinct	MALICIOUS
Malwarebytes	Spyware.Stealer
Ikarus	Trojan-PSW.Agent
Panda	Trj/GdSda.A
TrendMicro-HouseCall	Trojan.Win32.AMADEY.YXEHQZ
Tencent	Win32.Trojan-QQPass.QQRob.Pnkl
Fortinet	W32/Agent.OGR!tr.pws
AVG	Win32:Evo-gen [Trj]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_60% (D)
alibabacloud	Trojan[stealer]:Win/CryptBot.CWU!3DGW

Setup2.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All