Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 11, 2024, 1:57 p.m.	Oct. 11, 2024, 1:59 p.m.

Size	6.5MB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`3394808f2d5c141b86e33a51ace8a577`
SHA256	`277eafa55c929bc4c805bd1d540d2385922ddcc26ad360af7b947987ca45e758`
CRC32	`D68FAE85`
ssdeep	`49152:zX1kYWFZc6jmmW1RXZmRUd0/Gj4L1iNhQG3nHeSy/o+8k547W9UXwgZJ5hWGDPfk:zSzjmhasSGj4L0NhN3H1y/o+ZwW9`
Yara	Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware

service123.exe "C:\Users\test22\AppData\Local\Temp\service123.exe"
2688
schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\test22\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
2732

Name	Response	Post-Analysis Lookup
sevtvr17ht.top	A 185.244.181.140	185.244.181.140

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.244.181.140	Active	Moloch

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.103:49163 -> 185.244.181.140:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.103:49162 -> 185.244.181.140:80	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	A Network Trojan was detected
TCP 192.168.56.103:49164 -> 185.244.181.140:80	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	A Network Trojan was detected
TCP 192.168.56.103:49163 -> 185.244.181.140:80	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	A Network Trojan was detected

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 11, 2024, 1:59 p.m.	computer_name: TEST22-PC	1	1	0

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Oct. 11, 2024, 1:59 p.m.	buffer: WARNING: Task may not run because /ST is earlier than current time. console_handle: 0x0000000b	1	1	0
WriteConsoleW Oct. 11, 2024, 1:59 p.m.	buffer: SUCCESS: The scheduled task "ServiceData4" has successfully been created. console_handle: 0x00000007	1	1	0

suspicious_features

POST method with no referer header

suspicious_request

POST http://sevtvr17ht.top/v1/upload.php

request

POST http://sevtvr17ht.top/v1/upload.php

request

POST http://sevtvr17ht.top/v1/upload.php

domain

sevtvr17ht.top

description

Generic top level domain TLD

file	C:\Users\test22\AppData\Local\Temp\MDOYzeAgMMgkpMuUeSyA.dll
file	C:\Users\test22\AppData\Local\Temp\service123.exe

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
ALYac	Trojan.GenericKDZ.108181
VIPRE	Trojan.GenericKDZ.108181
Sangfor	Trojan.Win32.Kryptik.V6fl
CrowdStrike	win/malicious_confidence_90% (D)
BitDefender	Trojan.GenericKDZ.108181
Arcabit	Trojan.Generic.D1A695
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/GenKryptik.HBZR
APEX	Malicious
Avast	Win32:CrypterX-gen [Trj]
Alibaba	Trojan:Win32/CryptBot.676ec99a
MicroWorld-eScan	Trojan.GenericKDZ.108181
Rising	Trojan.Kryptik!8.8 (TFE:5:25KWoxie6RB)
Emsisoft	Trojan.GenericKDZ.108181 (B)
F-Secure	Trojan.TR/Kryptik.xoyug
TrendMicro	Trojan.Win32.AMADEY.YXEJKZ
McAfeeD	ti!277EAFA55C92
CTX	exe.trojan.genkryptik
Sophos	Mal/Generic-S
FireEye	Trojan.GenericKDZ.108181
Webroot	W32.Trojan.GenKDZ
Google	Detected
Avira	TR/Kryptik.xoyug
Antiy-AVL	Trojan/Win32.GenKryptik
Gridinsoft	Trojan.Win32.CryptBot.tr
Microsoft	Trojan:Win32/CryptBot.AM!MTB
ViRobot	Trojan.Win.Z.Agent.6810624
GData	Win32.Trojan.Agent.CJGQ47
Varist	W32/Agent.JMJ.gen!Eldorado
AhnLab-V3	Infostealer/Win.CryptBot.C5677842
McAfee	Artemis!3394808F2D5C
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.MalPack
Ikarus	Trojan-PSW.Agent
Panda	Trj/GdSda.A
TrendMicro-HouseCall	Trojan.Win32.AMADEY.YXEJKZ
Tencent	Win32.Trojan.Genkryptik.Jtgl
AVG	Win32:CrypterX-gen [Trj]
Paloalto	generic.ml
alibabacloud	Trojan:Win/CryptBot.AZ8PHU

JavUmar.exe