Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 17, 2024, 1:32 p.m.	Sept. 17, 2024, 1:35 p.m.

Size	4.1MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`abdbcc23bd8f767e671bac6d2ff60335`
SHA256	`45a7b861baac5f8234433fefd9dbdd0a5f288a18b72346b6b6917cf56882bf85`
CRC32	`06D7A6B4`
ssdeep	`49152:HYcdjDQdrscIC5SmTT+mfkj8J6iKG7suEAeMDsaUmxb7WnpRGnKuAsF33PKQTunw:HK/f+mfNptIZ/alxGR7uA8Phanzuhjf`
PDB Path	BotClient.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

66e705d09b33c_jack.exe "C:\Users\test22\AppData\Local\Temp\66e705d09b33c_jack.exe"
1952
- 66e705d09b33c_jack.exe "C:\Users\test22\AppData\Local\Temp\66e705d09b33c_jack.exe"
  2580

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
92.119.114.169	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 17, 2024, 1:32 p.m.			0	0
IsDebuggerPresent Sept. 17, 2024, 1:32 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

BotClient.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 17, 2024, 1:32 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.sdata

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (30 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 17, 2024, 1:32 p.m.	process_identifier: 1952 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:32 p.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2024, 1:32 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2024, 1:32 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:32 p.m.	process_identifier: 1952 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:32 p.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:32 p.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00572000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:32 p.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:32 p.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:32 p.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:32 p.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:32 p.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:32 p.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:32 p.m.	process_identifier: 1952 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:32 p.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00596000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:32 p.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:32 p.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:32 p.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b5d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:32 p.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:32 p.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b5e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:32 p.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2024, 1:32 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73db4000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:33 p.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b5f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:33 p.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:33 p.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:33 p.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04691000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:33 p.m.	process_identifier: 1952 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04692000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:33 p.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04698000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:33 p.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04699000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:33 p.m.	process_identifier: 1952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0469a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x003e9c00', u'virtual_address': u'0x00002000', u'entropy': 7.553461154156743, u'name': u'.text', u'virtual_size': u'0x003e9ab4'}

entropy

7.55346115416

description

A section with a high entropy has been found

entropy

0.965774885515

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 17, 2024, 1:32 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (9 events)

url	https://aka.ms/msal-net-3x-cache-breaking-change
url	https://aka.msa/msal-net-3x-cache-breaking-change
url	https://aka.ms/msal-net-3-breaking-changes
url	https://www.newtonsoft.com/jsonschema
url	https://aka.ms/msal-net-2-released)
url	http://www.winimage.com/zLibDll
url	https://aka.ms/msal-net-application-configuration
url	https://www.nuget.org/packages/Microsoft.Identity.Json.Bson
url	https://aka.ms/msal-net-up)

Yara rule detected in process memory (12 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

92.119.114.169

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 17, 2024, 1:33 p.m.	process_identifier: 2580 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000248	1	0	0

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Sept. 17, 2024, 1:33 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $£¯&çÎüuçÎüuçÎüu¬¶ÿtìÎüu¬¶ùt%Îüu%OuãÎüu%OøtõÎüu%OÿtñÎüu%Oùt³Îüu¬¶øtðÎüu¬¶útæÎüu¬¶ýtìÎüuçÎýu{ÎüuLõtÿÎüuLuæÎüuLþtæÎüuRichçÎüuPEL*òæfà'Üàì:ð@ @0Xx à°øAÐà8@áà@ðä.textûÚÜ `.rdatarðtà@@.data&pT@À.rsrcà l@@.relocøA°Bn@B base_address: 0x00400000 process_identifier: 2580 process_handle: 0x00000248	1	1
WriteProcessMemory Sept. 17, 2024, 1:33 p.m.	buffer: 0 H` }<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0048a000 process_identifier: 2580 process_handle: 0x00000248	1	1
WriteProcessMemory Sept. 17, 2024, 1:33 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2580 process_handle: 0x00000248	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 17, 2024, 1:33 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $£¯&çÎüuçÎüuçÎüu¬¶ÿtìÎüu¬¶ùt%Îüu%OuãÎüu%OøtõÎüu%OÿtñÎüu%Oùt³Îüu¬¶øtðÎüu¬¶útæÎüu¬¶ýtìÎüuçÎýu{ÎüuLõtÿÎüuLuæÎüuLþtæÎüuRichçÎüuPEL*òæfà'Üàì:ð@ @0Xx à°øAÐà8@áà@ðä.textûÚÜ `.rdatarðtà@@.data&pT@À.rsrcà l@@.relocøA°Bn@B base_address: 0x00400000 process_identifier: 2580 process_handle: 0x00000248	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1952 called NtSetContextThread to modify thread in remote process 2580
NtSetContextThread Sept. 17, 2024, 1:33 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4471532 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000244 process_identifier: 2580	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1952 resumed a thread in remote process 2580
NtResumeThread Sept. 17, 2024, 1:33 p.m.	thread_handle: 0x00000244 suspend_count: 1 process_identifier: 2580	1	0	0

Executed a process and injected code into it, probably while unpacking (16 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 17, 2024, 1:32 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1952	1	0
NtResumeThread Sept. 17, 2024, 1:32 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 1952	1	0
NtResumeThread Sept. 17, 2024, 1:32 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 1952	1	0
NtResumeThread Sept. 17, 2024, 1:33 p.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 1952	1	0
CreateProcessInternalW Sept. 17, 2024, 1:33 p.m.	thread_identifier: 2584 thread_handle: 0x00000244 process_identifier: 2580 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\66e705d09b33c_jack.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\66e705d09b33c_jack.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000248	1	1
NtGetContextThread Sept. 17, 2024, 1:33 p.m.	thread_handle: 0x00000244	1	0
NtAllocateVirtualMemory Sept. 17, 2024, 1:33 p.m.	process_identifier: 2580 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000248	1	0
WriteProcessMemory Sept. 17, 2024, 1:33 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $£¯&çÎüuçÎüuçÎüu¬¶ÿtìÎüu¬¶ùt%Îüu%OuãÎüu%OøtõÎüu%OÿtñÎüu%Oùt³Îüu¬¶øtðÎüu¬¶útæÎüu¬¶ýtìÎüuçÎýu{ÎüuLõtÿÎüuLuæÎüuLþtæÎüuRichçÎüuPEL*òæfà'Üàì:ð@ @0Xx à°øAÐà8@áà@ðä.textûÚÜ `.rdatarðtà@@.data&pT@À.rsrcà l@@.relocøA°Bn@B base_address: 0x00400000 process_identifier: 2580 process_handle: 0x00000248	1	1
WriteProcessMemory Sept. 17, 2024, 1:33 p.m.	buffer: base_address: 0x00401000 process_identifier: 2580 process_handle: 0x00000248	1	1
WriteProcessMemory Sept. 17, 2024, 1:33 p.m.	buffer: base_address: 0x0046f000 process_identifier: 2580 process_handle: 0x00000248	1	1
WriteProcessMemory Sept. 17, 2024, 1:33 p.m.	buffer: base_address: 0x00487000 process_identifier: 2580 process_handle: 0x00000248	1	1
WriteProcessMemory Sept. 17, 2024, 1:33 p.m.	buffer: 0 H` }<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0048a000 process_identifier: 2580 process_handle: 0x00000248	1	1
WriteProcessMemory Sept. 17, 2024, 1:33 p.m.	buffer: base_address: 0x0048b000 process_identifier: 2580 process_handle: 0x00000248	1	1
WriteProcessMemory Sept. 17, 2024, 1:33 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2580 process_handle: 0x00000248	1	1
NtSetContextThread Sept. 17, 2024, 1:33 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4471532 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000244 process_identifier: 2580	1	0
NtResumeThread Sept. 17, 2024, 1:33 p.m.	thread_handle: 0x00000244 suspend_count: 1 process_identifier: 2580	1	0

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Generic.4!c
Skyhigh	Artemis!Trojan
ALYac	Gen:Variant.Tedy.635262
Cylance	Unsafe
VIPRE	Gen:Variant.Tedy.635262
Sangfor	Trojan.Msil.Kryptik.V34z
K7AntiVirus	Trojan ( 005ba32d1 )
BitDefender	Gen:Variant.MSILHeracles.180060
K7GW	Trojan ( 005ba32d1 )
Arcabit	Trojan.MSILHeracles.D2BF5C
VirIT	Trojan.Win32.MSIL.HHB
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Kryptik.AMGY
Avast	Win32:MalwareX-gen [Trj]
ClamAV	Win.Packed.Malwarex-10033462-0
Kaspersky	HEUR:Trojan.MSIL.Crypt.gen
Alibaba	Trojan:MSIL/Kryptik.82af2d2e
MicroWorld-eScan	Gen:Variant.MSILHeracles.180060
Rising	Trojan.Kryptik!8.8 (CLOUD)
Emsisoft	Gen:Variant.MSILHeracles.180060 (B)
F-Secure	Trojan.TR/AD.Nekark.dgidh
TrendMicro	Trojan.Win32.PRIVATELOADER.YXEIPZ
McAfeeD	ti!45A7B861BAAC
CTX	exe.trojan.msil
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Crypt
FireEye	Gen:Variant.MSILHeracles.180060
Webroot	W32.Malware.Gen
Google	Detected
Avira	TR/AD.Nekark.dgidh
Gridinsoft	Ransom.Win32.Wacatac.sa
Microsoft	Trojan:Win32/Sabsik.TE.B!ml
ZoneAlarm	HEUR:Trojan.MSIL.Crypt.gen
GData	Gen:Variant.MSILHeracles.180060
AhnLab-V3	Trojan/Win.Generic.C5670866
McAfee	Artemis!ABDBCC23BD8F
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Crypt.MSIL.Generic
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Trojan.Win32.PRIVATELOADER.YXEIPZ
Tencent	Msil.Trojan.Crypt.Zmhl
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.AMGY!tr
AVG	Win32:MalwareX-gen [Trj]
Paloalto	generic.ml
alibabacloud	Trojan:MSIL/Tedy.Gen

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (41 events)

dead_host	192.168.56.103:49193
dead_host	192.168.56.103:49181
dead_host	192.168.56.103:49190
dead_host	192.168.56.103:49205
dead_host	192.168.56.103:49177
dead_host	192.168.56.103:49186
dead_host	192.168.56.103:49174
dead_host	192.168.56.103:49201
dead_host	192.168.56.103:49167
dead_host	192.168.56.103:49198
dead_host	192.168.56.103:49170
dead_host	192.168.56.103:49191
dead_host	192.168.56.103:49194
dead_host	92.119.114.169:80
dead_host	192.168.56.103:49182
dead_host	192.168.56.103:49175
dead_host	192.168.56.103:49206
dead_host	192.168.56.103:49178
dead_host	192.168.56.103:49199
dead_host	192.168.56.103:49171
dead_host	192.168.56.103:49188
dead_host	192.168.56.103:49202
dead_host	192.168.56.103:49195
dead_host	192.168.56.103:49183
dead_host	192.168.56.103:49184
dead_host	192.168.56.103:49172
dead_host	192.168.56.103:49179
dead_host	192.168.56.103:49196
dead_host	192.168.56.103:49168
dead_host	192.168.56.103:49189
dead_host	192.168.56.103:49203
dead_host	192.168.56.103:49192
dead_host	192.168.56.103:49180
dead_host	192.168.56.103:49185
dead_host	192.168.56.103:49173
dead_host	192.168.56.103:49204
dead_host	192.168.56.103:49176
dead_host	192.168.56.103:49197
dead_host	192.168.56.103:49169
dead_host	192.168.56.103:49200
dead_host	192.168.56.103:49166

66e705d09b33c_jack.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All