Summary | ZeroBOX

67065227a0640_rrrrrrrr.exe

ROMCOM RAT PE64 PE File
Category Machine Started Completed
FILE s1_win7_x6401 Oct. 12, 2024, 6:41 p.m. Oct. 12, 2024, 6:44 p.m.
Size 10.5MB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 356279b22763084935165ad080b0ae9a
SHA256 4635a9149c53a2fbc072ceb338351d3b149e093cd43163e01d629bb016f8cd7c
CRC32 D68FFA57
ssdeep 196608:lLdF2/rYqrt2P5M6X8wvmOwfiQr+5oSJkT:lpM/rYqrkxHvGWoSM
Yara
  • ROMCOM_RAT - Unit 42 observed threat actor Tropical Scorpius using this RAT in operations where also Cuba ransomware was deployed.
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)

Name Response Post-Analysis Lookup
pool.hashvault.pro 131.153.76.130
IP Address Status Action
125.253.92.50 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53 2036289 ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) Crypto Currency Mining Activity Detected

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.3 192.168.56.101:49164 -> 125.253.92.50:443 None None None

section .00cfg
section .text0
section .text1
section .text2
section .text2 size_of_data 0x00a49200 virtual_address 0x00f44000 virtual_size 0x00a49050 entropy 7.975177319525645 description A section with a high entropy has been found
entropy 0.981913951429 description Overall entropy of this PE file is high

Antivirus Result
Bkav W64.AIDetectMalware
Lionic Trojan.Win32.CoinMiner.4!c
Skyhigh BehavesLike.Win64.Trojan.vc
ALYac Trojan.GenericKD.74274000
Cylance Unsafe
VIPRE Trojan.GenericKD.74274000
Sangfor Trojan.Win64.Agent.V7pm
CrowdStrike win/malicious_confidence_90% (D)
BitDefender Trojan.GenericKD.74274000
Arcabit Trojan.Generic.D46D54D0
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win64/Packed.VMProtect.AC suspicious
Avast Win64:Evo-gen [Trj]
Kaspersky UDS:Trojan.Win32.Staser.ewsw
Alibaba Trojan:Win32/Staser.05c0fa60
MicroWorld-eScan Trojan.GenericKD.74274000
Rising Trojan.Agent!8.B1E (TFE:5:FkFUO8h2JGR)
Emsisoft Trojan.GenericKD.74274000 (B)
McAfeeD Real Protect-LS!356279B22763
Trapmine malicious.moderate.ml.score
CTX exe.trojan.vmprotect
Sophos Mal/Generic-S
Ikarus PUA.VMProtect
FireEye Trojan.GenericKD.74274000
Webroot W32.Backdoor.Gen
Google Detected
Antiy-AVL GrayWare/Win32.Wacapew
Microsoft Trojan:Win32/Wacatac.H!ml
ZoneAlarm UDS:Trojan.Win32.Staser.ewsw
GData Trojan.GenericKD.74274000
AhnLab-V3 Trojan/Win.Miner.C5674474
McAfee Artemis!356279B22763
DeepInstinct MALICIOUS
Malwarebytes Trojan.CoinMiner
Tencent Win32.Trojan.Staser.Anhl
Fortinet Riskware/Application
AVG Win64:Evo-gen [Trj]
Paloalto generic.ml
alibabacloud VirTool:Win/Packed.VMProtect.AW