Summary | ZeroBOX

66e579d0cbf2d_win.exe

UPX PE32 PE File
Category FILE
Machine s1_win7_x6401
Started Sept. 22, 2024, 5:19 p.m.
Completed Sept. 22, 2024, 5:24 p.m.
Size 1.8MB
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
MD5 049d2f0e9e03c057d906287c2003331b
SHA256 191640e0be19e828563b27d2f20f57a31eb8291e4ecb68567ab95b41fe35e002
CRC32 C5AC62F8
ssdeep 49152:KDmghls3y1+XfWL6Vcp5/oTUjcikfZCIQ8qeXQR/Z:wmghls5Bq/HkZQGi
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file

IP Address Status Action
154.91.34.235 Active Moloch
164.124.101.2 Active Moloch
85.159.66.93 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

packer UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
file C:\ProgramData\Microsoft\csrss.exe
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 16
family: 0
1 0 0
section UPX1 (size_of_data 0x001cd000, virtual_address 0x0039d000, virtual_size 0x001cd000, entropy 7.917145512294789) entropy 7.91714551229 description A section with a high entropy has been found
entropy 0.99945799458 description Overall entropy of this PE file is high
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
host 85.159.66.93
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Administrator reg_value C:\ProgramData\Microsoft\csrss.exe
Time & API Arguments Status Return Repeated

LdrGetProcedureAddress

ordinal: 0
function_address: 0x0027fd29
function_name: wine_get_version
module: ntdll
module_address: 0x76f10000
3221225785 0
Bkav W32.AIDetectMalware
Cynet Malicious (score: 100)
Skyhigh BehavesLike.Win32.Generic.tc
ALYac Gen:Variant.Fragtor.149252
Cylance Unsafe
VIPRE Gen:Variant.Fragtor.149252
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_90% (D)
BitDefender Gen:Variant.Fragtor.149252
Arcabit Trojan.Fragtor.D24704
Symantec ML.Attribute.HighConfidence
Elastic malicious (moderate confidence)
ESET-NOD32 a variant of WinGo/Agent.HV
APEX Malicious
Avast Win32:Evo-gen [Trj]
ClamAV Win.Malware.Lazy-9969515-0
Kaspersky Trojan.Win32.Chaos.omnd
MicroWorld-eScan Gen:Variant.Fragtor.149252
Rising Backdoor.Kaiji/Linux!1.E52B (CLASSIC)
Emsisoft Gen:Variant.Fragtor.149252 (B)
F-Secure Heuristic.HEUR/AGEN.1366851
DrWeb BackDoor.Siggen2.4187
McAfeeD Real Protect-LS!049D2F0E9E03
Trapmine suspicious.low.ml.score
CTX exe.unknown.fragtor
Ikarus Trojan.WinGo.Agent
FireEye Gen:Variant.Fragtor.149252
Webroot W32.ConvaGent
Google Detected
Avira HEUR/AGEN.1366851
Antiy-AVL Trojan/Win32.SGeneric
Microsoft Trojan:Win32/Wacatac.B!ml
ZoneAlarm Trojan.Win32.Chaos.omnd
GData Gen:Variant.Fragtor.149252
AhnLab-V3 Trojan/Win.Generic.R531897
McAfee GenericRXAA-AA!049D2F0E9E03
DeepInstinct MALICIOUS
VBA32 TrojanRansom.Chaos
Malwarebytes Trojan.Injector.UPX
Panda Trj/Genetic.gen
Tencent Trojan-Ransom.Win32.Foreign.ka
huorong Backdoor/Chaos.a
MaxSecure Trojan.Malware.300983.susgen
AVG Win32:Evo-gen [Trj]
alibabacloud Trojan:Multi/Fragtor.42a7419c
dead_host 192.168.56.101:49191
dead_host 192.168.56.101:49161
dead_host 192.168.56.101:49222
dead_host 192.168.56.101:49171
dead_host 192.168.56.101:49192
dead_host 192.168.56.101:49202
dead_host 192.168.56.101:49231
dead_host 192.168.56.101:49233
dead_host 192.168.56.101:49211
dead_host 192.168.56.101:49165
dead_host 192.168.56.101:49242
dead_host 192.168.56.101:49175
dead_host 192.168.56.101:49196
dead_host 192.168.56.101:49206
dead_host 192.168.56.101:49219
dead_host 192.168.56.101:49176
dead_host 192.168.56.101:49237
dead_host 192.168.56.101:49215
dead_host 192.168.56.101:49184
dead_host 192.168.56.101:49223
dead_host 192.168.56.101:49180
dead_host 192.168.56.101:49193
dead_host 192.168.56.101:49203
dead_host 192.168.56.101:49224
dead_host 192.168.56.101:49234
dead_host 192.168.56.101:49188
dead_host 192.168.56.101:49243
dead_host 192.168.56.101:49168
dead_host 192.168.56.101:49197
dead_host 192.168.56.101:49207
dead_host 192.168.56.101:49228
dead_host 192.168.56.101:49177
dead_host 192.168.56.101:49238
dead_host 192.168.56.101:49208
dead_host 192.168.56.101:49172
dead_host 192.168.56.101:49185
dead_host 192.168.56.101:49163
dead_host 192.168.56.101:49216
dead_host 192.168.56.101:49181
dead_host 192.168.56.101:49194
dead_host 192.168.56.101:49212
dead_host 192.168.56.101:49225
dead_host 192.168.56.101:49235
dead_host 192.168.56.101:49189
dead_host 154.91.34.235:8090
dead_host 192.168.56.101:49167
dead_host 192.168.56.101:49220
dead_host 192.168.56.101:49169
dead_host 192.168.56.101:49198
dead_host 192.168.56.101:49200