Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 26, 2024, 9:35 a.m.	Aug. 26, 2024, 9:42 a.m.

Size	2.0MB
Type	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	`4e18e7b1280ebf97a945e68cda93ce33`
SHA256	`30b84843ed02b74dfd6c280aa14001a724490379e9e9e32f5f61a86f8e24976d`
CRC32	`24D01240`
ssdeep	`49152:8i1FLAGEVvj+rY5gisiOrG5Xa+y0qdrANNf5eKX:tMhqWBIQX`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description) Generic_Malware_Zero - Generic Malware

Name	Response	Post-Analysis Lookup
jirafasaltas.fun	A 172.67.193.102 A 104.21.57.227	172.67.193.102

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.193.102	Active	Moloch

Flow	SID	Signature	Category
TCP 192.168.56.103:49163 -> 172.67.193.102:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49163 172.67.193.102:443	C=US, O=Google Trust Services, CN=WE1	CN=jirafasaltas.fun	31:71:0c:85:3c:07:8e:e4:0c:d8:9c:4a:a0:f4:b1:9a:6e:06:35:17

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 26, 2024, 9:29 a.m.	computer_name: TEST22-PC	1	1	0

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 26, 2024, 9:28 a.m.		1	1	0

suspicious_features

POST method with no referer header

suspicious_request

POST https://jirafasaltas.fun/b3-205451?um3ickbumck=jtrAm6FtGDmmrAtei2CBfxKwUe2D8I1G8jaRTth%2BhOJvhN50mwPlZBcgVsKnGVYei25HaV5GyBWUn1y8fD5lWg%3D%3D

request

POST https://jirafasaltas.fun/b3-205451?um3ickbumck=jtrAm6FtGDmmrAtei2CBfxKwUe2D8I1G8jaRTth%2BhOJvhN50mwPlZBcgVsKnGVYei25HaV5GyBWUn1y8fD5lWg%3D%3D

request

POST https://jirafasaltas.fun/b3-205451?um3ickbumck=jtrAm6FtGDmmrAtei2CBfxKwUe2D8I1G8jaRTth%2BhOJvhN50mwPlZBcgVsKnGVYei25HaV5GyBWUn1y8fD5lWg%3D%3D

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 652 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004790000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 652 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000047a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 652 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000047a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

section

{u'size_of_data': u'0x0000c800', u'virtual_address': u'0x001d5000', u'entropy': 7.884018071893988, u'name': u'.data', u'virtual_size': u'0x0000c640'}

entropy

7.88401807189

description

A section with a high entropy has been found

registry	HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2 Override
registry	HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.SleepObf.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
CAT-QuickHeal	Trojan.Win64
ALYac	Trojan.GenericKD.73875671
Cylance	Unsafe
VIPRE	Trojan.GenericKD.73875671
Sangfor	Trojan.Win64.Kryptik.Vc2e
K7AntiVirus	Trojan ( 005b85c31 )
BitDefender	Trojan.GenericKD.73875671
K7GW	Trojan ( 005b85c31 )
Arcabit	Trojan.Generic.D46740D7
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win64/Kryptik.EMS
APEX	Malicious
McAfee	Artemis!4E18E7B1280E
Avast	Win64:CrypterX-gen [Trj]
Kaspersky	Trojan.Win64.SleepObf.gg
Alibaba	Trojan:Win64/SleepObf.79070aa3
MicroWorld-eScan	Trojan.GenericKD.73875671
Rising	Trojan.Kryptik!8.8 (CLOUD)
Emsisoft	Trojan.GenericKD.73875671 (B)
F-Secure	Trojan.TR/Kryptik.icaaj
TrendMicro	Trojan.Win64.AMADEY.YXEHTZ
McAfeeD	ti!30B84843ED02
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.4e18e7b1280ebf97
Sophos	Mal/Generic-S
Google	Detected
Avira	TR/Kryptik.icaaj
MAX	malware (ai score=82)
Antiy-AVL	Trojan/Win64.SleepObf
Microsoft	Trojan:Win32/Phonzy.A!ml
ViRobot	Trojan.Win.Z.Wacatac.2052608
ZoneAlarm	Trojan.Win64.SleepObf.gg
GData	Trojan.GenericKD.73875671
AhnLab-V3	Trojan/Win.TrojanX-gen.C5656555
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.ShellCode
Ikarus	Trojan.Win64.Crypt
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Trojan.Win64.AMADEY.YXEHTZ
Tencent	Malware.Win32.Gencirc.14174774
MaxSecure	Trojan.Malware.276088877.susgen
Fortinet	W64/Kryptik.EMS!tr
AVG	Win64:CrypterX-gen [Trj]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_100% (W)
alibabacloud	Trojan:Win/Wacatac.B9nj

build9.exe