Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 11, 2024, 10:36 a.m.	Sept. 11, 2024, 10:40 a.m.

Size	6.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`e52fc4b24fffbcde2ea11efb2efa1f08`
SHA256	`95704aebba0511e4853ac25736a52048cb4f87b74df5ae42886602f9ca0f1808`
CRC32	`A86EE245`
ssdeep	`98304:e/vu1NXotYuJgvgfHxIL87vkxlCxRNsHYkX5:Ku1JRSYgvwXCxRNxkX5`
Yara	Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file

Name	Response	Post-Analysis Lookup
fivev5pn.top	A 185.244.181.38	185.244.181.38

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.244.181.38	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 185.244.181.38:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 185.244.181.38:80	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	A Network Trojan was detected
TCP 192.168.56.101:49163 -> 185.244.181.38:80	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 185.244.181.38:80	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	A Network Trojan was detected

Suricata TLS

No Suricata TLS

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST http://fivev5pn.top/v1/upload.php

Performs some HTTP requests (1 event)

request

POST http://fivev5pn.top/v1/upload.php

Sends data using the HTTP POST Method (1 event)

request

POST http://fivev5pn.top/v1/upload.php

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

fivev5pn.top

description

Generic top level domain TLD

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\AcjUskBhyKbMmQUydNUN.dll
file	C:\Users\test22\AppData\Local\Temp\service123.exe

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x000e2c00', u'virtual_address': u'0x00b3f000', u'entropy': 6.841551263059048, u'name': u'.reloc', u'virtual_size': u'0x000e2b50'}

entropy

6.84155126306

description

A section with a high entropy has been found

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Lionic	Trojan.Win32.CryptBot.4!c
Elastic	malicious (high confidence)
ALYac	Generic.Dacic.3704.141816D0
VIPRE	Generic.Dacic.3704.141816D0
Sangfor	Infostealer.Win32.Cryptbot.Vr77
K7AntiVirus	Password-Stealer ( 0054cf561 )
BitDefender	Generic.Dacic.3704.141816D0
K7GW	Password-Stealer ( 0054cf561 )
Arcabit	Generic.Dacic.3704.141816D0
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/PSW.Agent.OGR
Avast	Win32:Evo-gen [Trj]
ClamAV	Win.Malware.Barys-10032866-0
Kaspersky	UDS:DangerousObject.Multi.Generic
Alibaba	TrojanPSW:Win32/CryptBot.c2a78318
MicroWorld-eScan	Generic.Dacic.3704.141816D0
Rising	Trojan.CryptBot!8.19865 (TFE:5:du8Y4XG1zuF)
Emsisoft	Generic.Dacic.3704.141816D0 (B)
TrendMicro	Trojan.Win32.PRIVATELOADER.YXEIKZ
McAfeeD	ti!95704AEBBA05
FireEye	Generic.Dacic.3704.141816D0
Sophos	Mal/Generic-S
Webroot	W32.ConvaGent
Google	Detected
Avira	TR/PSW.Agent.njyvu
MAX	malware (ai score=87)
Antiy-AVL	Trojan/Win32.Cryptbot
Kingsoft	Win32.Trojan-PSW.Cryptnot.cxa
Gridinsoft	Trojan.Win32.CryptBot.tr
Microsoft	Trojan:Win32/CryptBot.CCJD!MTB
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Win32.Trojan.PSE.17KK2SY
AhnLab-V3	Trojan/Win.CryptBot.C5659071
McAfee	Artemis!E52FC4B24FFF
DeepInstinct	MALICIOUS
Malwarebytes	Spyware.Stealer
Ikarus	Win32.Outbreak
Panda	Trj/Genetic.gen
TrendMicro-HouseCall	TROJ_GEN.R014C0DIA24
Tencent	Trojan.Win32.Agent.16001366
Fortinet	W32/Agent.OGR!tr
AVG	Win32:Evo-gen [Trj]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_60% (D)
alibabacloud	Trojan[stealer]:Win/CryptBot.CWU!3DGW

66e0736c4382a_lyla.exe#lyla

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All