Summary | ZeroBOX

Taskmgr.exe

Tags: Generic Malware, Malicious Library, UPX, PE64, PE File, OS Processor Check

Category | Machine | Started | Completed
FILE | s1_win7_x6401 | Sept. 17, 2024, 1:26 p.m. | Sept. 17, 2024, 1:48 p.m.
Size: 111.0KB
Type: PE32+ executable (console) x86-64, for MS Windows
MD5: ea257066a195cc1bc1ea398e239006b2
SHA256: 81e95eaca372c94265746b08aac50120c45e6baae7c521a8a23dd0dfdc3b9410
CRC32: D8CE6E96
ssdeep: 3072:zCvmX1nsRlNQNvaZJr7+zttP7yuCd6b6fh:NXeRlEiD7+5tPF
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

Name | Response | Post-Analysis Lookup
down.mvip8.ru | 104.21.8.89 |

IP Address | Status | Action
104.21.8.89 | Active | Moloch
164.124.101.2 | Active | Moloch

Suricata Alerts

Flow | SID | Signature | Category
TCP 192.168.56.101:49162 -> 104.21.8.89:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined

Suricata TLS

Flow | Issuer | Subject | Fingerprint
TLSv1 192.168.56.101:49162 -> 104.21.8.89:443 | C=US, O=Google Trust Services, CN=WE1 | CN=mvip8.ru | 35:e1:ae:2d:30:4d:83:8e:e0:87:d1:a2:66:d8:bf:ff:7f:dc:4a:3a

Time & API: GetComputerNameA
Arguments:
  computer_name: TEST22-PC
Status: 1 | Return: 1 | Repeated: 0

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Section: .fptable
Request: GET https://down.mvip8.ru/Taskmgr.bin
Domain: down.mvip8.ru (description: Russian Federation domain TLD)
Time & API: NtAllocateVirtualMemory
Arguments:
  process_identifier: 2544
  region_size: 131072
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x0000000002420000
  allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
  process_handle: 0xffffffffffffffff
Status: 1 | Return: 0 | Repeated: 0

Resource | name: RT_VERSION | language: LANG_CHINESE | filetype: data | sublanguage: SUBLANG_CHINESE_SIMPLIFIED | offset: 0x0001e0a0 | size: 0x000002c4
Time & API: NtProtectVirtualMemory
Arguments:
  process_identifier: 2544
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 1
  length: 4104192
  protection: 32 (PAGE_EXECUTE_READ)
  base_address: 0x0000000180001000
  process_handle: 0xffffffffffffffff
Status: 1 | Return: 0 | Repeated: 0
Bkav W64.AIDetectMalware
Lionic Riskware.Win32.Razy.1!c
Cynet Malicious (score: 100)
Skyhigh Artemis!Trojan
ALYac Gen:Variant.Razy.941668
Cylance Unsafe
VIPRE Gen:Variant.Razy.941668
Sangfor CoinMiner.Win32.Razy.Vnmd
CrowdStrike win/malicious_confidence_90% (W)
BitDefender Trojan.GenericKD.74139678
Arcabit Trojan.Razy.DE5E64
VirIT Trojan.Win64.Agent.HHA
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Generik.NONWRLW
APEX Malicious
Avast FileRepMalware [Miner]
Kaspersky not-a-virus:RiskTool.Win32.BitCoinMiner.orhz
Alibaba RiskWare:Win32/BitCoinMiner.1c1354e8
MicroWorld-eScan Trojan.GenericKD.74139678
Rising Trojan.Undefined!8.1327C (CLOUD)
Emsisoft Trojan.GenericKD.74139678 (B)
Zillya Tool.BitCoinMiner.Win32.43550
McAfeeD ti!81E95EACA372
CTX exe.trojan.razy
Sophos Generic Reputation PUA (PUA)
Ikarus Trojan.SuspectCRC
FireEye Generic.mg.ea257066a195cc1b
Webroot W32.Malware.Gen
Google Detected
Antiy-AVL RiskWare[RiskTool]/Win32.BitCoinMiner
Kingsoft Win32.Troj.Unknown.a
Gridinsoft Trojan.Win64.CoinMiner.sa
Xcitium Malware@#vrqfrmdujs4f
Microsoft Trojan:Win32/Wacatac.B!ml
ZoneAlarm not-a-virus:RiskTool.Win32.BitCoinMiner.orhz
GData Trojan.GenericKD.74139678
AhnLab-V3 Malware/Win.Generic.C5654606
McAfee Artemis!EA257066A195
DeepInstinct MALICIOUS
Malwarebytes Generic.Malware/Suspicious
TrendMicro-HouseCall TROJ_GEN.R002H09GQ24
Tencent Malware.Win32.Gencirc.14145ac9
MaxSecure Trojan.Malware.273174250.susgen
Fortinet W32/PossibleThreat
AVG FileRepMalware [Miner]
Paloalto generic.ml
alibabacloud Miner:Win/BitCoinMiner.oxer