Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 2, 2024, 9:52 a.m.	Sept. 2, 2024, 9:59 a.m.

Size	6.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`4386df2790a9752e9cf0424dca91ad15`
SHA256	`e2f0e525c66dba847bedf887398405348159ce607bc6cc826bef73651fd7135d`
CRC32	`11308678`
ssdeep	`49152:B0QJDHck3aW3sg1Kptd473sgCMMqfHFIUYIIKdkiT1dEKIOLxlbid:B9JLckf31QtG3sghMqfH+V81ddLxl+d`
Yara	Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file

Name	Response	Post-Analysis Lookup
sevxv17pt.top	A 195.133.13.230	195.133.13.230

IP Address	Status	Action
164.124.101.2	Active	Moloch
195.133.13.230	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.103:49162 -> 195.133.13.230:80	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	A Network Trojan was detected
TCP 192.168.56.103:49162 -> 195.133.13.230:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.103:49162 -> 195.133.13.230:80	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	A Network Trojan was detected
TCP 192.168.56.103:49162 -> 195.133.13.230:80	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	A Network Trojan was detected

Suricata TLS

No Suricata TLS

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST http://sevxv17pt.top/v1/upload.php

Performs some HTTP requests (1 event)

request

POST http://sevxv17pt.top/v1/upload.php

Sends data using the HTTP POST Method (1 event)

request

POST http://sevxv17pt.top/v1/upload.php

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

sevxv17pt.top

description

Generic top level domain TLD

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\BawuYOCdGNZiqevXAMeS.dll
file	C:\Users\test22\AppData\Local\Temp\service123.exe

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x000e2400', u'virtual_address': u'0x00b39000', u'entropy': 6.841635613240144, u'name': u'.reloc', u'virtual_size': u'0x000e22dc'}

entropy

6.84163561324

description

A section with a high entropy has been found

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

Elastic	malicious (high confidence)
ALYac	Generic.Dacic.3683.930236D9
VIPRE	Generic.Dacic.3683.930236D9
K7AntiVirus	Password-Stealer ( 0054cf561 )
BitDefender	Generic.Dacic.3683.930236D9
K7GW	Password-Stealer ( 0054cf561 )
Arcabit	Generic.Dacic.3683.930236D9
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/PSW.Agent.OGR
APEX	Malicious
Avast	Win32:Evo-gen [Trj]
ClamAV	Win.Malware.Barys-10032866-0
Kaspersky	VHO:Trojan-PSW.Win32.Stealer.gen
MicroWorld-eScan	Generic.Dacic.3683.930236D9
Rising	Trojan.CryptBot!8.19865 (TFE:5:du8Y4XG1zuF)
Emsisoft	Generic.Dacic.3683.930236D9 (B)
FireEye	Generic.Dacic.3683.930236D9
Google	Detected
MAX	malware (ai score=88)
Microsoft	Trojan:Win32/CryptBot.CCJD!MTB
ZoneAlarm	VHO:Trojan-PSW.Win32.Stealer.gen
GData	Win32.Trojan.PSE.1D64ECY
AhnLab-V3	Trojan/Win.CryptBot.C5659071
BitDefenderTheta	Gen:NN.ZexaF.36812.@@Z@aCOEHzb
Malwarebytes	Spyware.Stealer
Ikarus	Trojan-PSW.Agent
Panda	Trj/Genetic.gen
Fortinet	W32/Agent.OGR!tr
AVG	Win32:Evo-gen [Trj]
CrowdStrike	win/malicious_confidence_70% (D)

joffer2.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All