Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 14, 2024, 10:43 a.m.	Oct. 14, 2024, 10:46 a.m.

Size	5.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`53427254779ab9b1dfeab6058bc234c9`
SHA256	`fa54bd6b020260195fb20c0fab6c34dc86f4fd5e32e412a9a35f27f69fd958b6`
CRC32	`552F6D79`
ssdeep	`98304:OskhRCkLDQAgzZEuopBKuA8u7xyZZ3kUPtd7nMfv1pN0Eg0PJAwDyhwhW3miIHXS:23fQAMeuonKuArcz3nPcfviEgkUioBci`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

2.exe "C:\Users\test22\AppData\Local\Temp\2.exe"
2556
- 1.exe "C:\Users\test22\AppData\Roaming\1.exe"
  2684
- 2.exe "C:\Users\test22\AppData\Roaming\2.exe"
  2732
- 3.exe "C:\Users\test22\AppData\Roaming\3.exe"
  2772

Name	Response	Post-Analysis Lookup
bitbucket.org	A 104.192.140.24 A 104.192.140.25 A 104.192.140.26	104.192.140.25
pool.hashvault.pro	A 131.153.76.130 A 125.253.92.50	131.153.76.130

IP Address	Status	Action
104.192.140.26	Active	Moloch
131.153.76.130	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49170 -> 131.153.76.130:80	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.101:49166 -> 104.192.140.26:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49167 -> 104.192.140.26:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2036289	ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)	Crypto Currency Mining Activity Detected
TCP 192.168.56.101:49170 -> 131.153.76.130:80	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.didat

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 14, 2024, 10:43 a.m.	stacktrace: 1+0x281c1 @ 0x11a81c1 0x5 exception.instruction_r: 03 48 3c 89 4d dc c7 85 b0 fe ff ff 01 00 00 00 exception.symbol: 1+0xddeb exception.instruction: add ecx, dword ptr [eax + 0x3c] exception.module: 1.exe exception.exception_code: 0xc0000005 exception.offset: 56811 exception.address: 0x118ddeb registers.esp: 3982608 registers.edi: 0 registers.eax: 0 registers.ebp: 3993272 registers.edx: 16256 registers.ebx: 3993280 registers.esi: 1 registers.ecx: 0	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 14, 2024, 10:43 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72dd2000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Roaming\3.exe
file	C:\Users\test22\AppData\Roaming\1.exe
file	C:\Users\test22\AppData\Roaming\2.exe

Drops a binary and executes it (3 events)

file	C:\Users\test22\AppData\Roaming\1.exe
file	C:\Users\test22\AppData\Roaming\2.exe
file	C:\Users\test22\AppData\Roaming\3.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\1.exe

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\NVIDIA Share

reg_value

C:\Users\test22\AppData\Roaming\ServiceAmd\3.exe

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Lumma.1u!c
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Win64
Skyhigh	BehavesLike.Win32.CoinMiner.tc
ALYac	Trojan.GenericKD.73953628
Cylance	Unsafe
VIPRE	Trojan.GenericKD.73953628
Sangfor	Dropper.Win64.Agent.Vkid
CrowdStrike	win/malicious_confidence_100% (D)
BitDefender	Trojan.GenericKD.73953628
K7GW	Trojan ( 005b9d1a1 )
K7AntiVirus	Trojan ( 005b9d1a1 )
Arcabit	Trojan.Generic.D468715C
VirIT	Trojan.Win32.Genus.WJC
Symantec	Trojan.Gen.MBT
Elastic	malicious (high confidence)
ESET-NOD32	multiple detections
Avast	Win32:DropperX-gen [Drp]
ClamAV	Win.Packed.Bladabindi-10017056-0
Kaspersky	Trojan.Win64.Miner.lrnj
Alibaba	TrojanBanker:Win64/Miner.27b9c26e
NANO-Antivirus	Trojan.Win64.Kryptik.kschut
MicroWorld-eScan	Trojan.GenericKD.73953628
Rising	Trojan.Generic!8.C3 (CLOUD)
Emsisoft	Trojan.GenericKD.73953628 (B)
F-Secure	Trojan.TR/AVI.Lumma.bvoen
DrWeb	Trojan.DownLoad4.16698
TrendMicro	TrojanSpy.Win32.LUMMASTEALER.YXEH2Z
McAfeeD	ti!FA54BD6B0202
CTX	exe.trojan.lumma
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious SFX
FireEye	Generic.mg.53427254779ab9b1
Webroot	Trojan.Dropper.Gen
Google	Detected
Avira	TR/AVI.Lumma.bvoen
Antiy-AVL	Trojan[Banker]/Win32.ClipBanker
Kingsoft	Win64.Trojan.Miner.lrnj
Microsoft	Trojan:Win64/XMRig!pz
ZoneAlarm	HEUR:Trojan-PSW.Win32.Lumma.gen
GData	Trojan.GenericKD.73953628
Varist	W64/Injector.BMR.gen!Eldorado
McAfee	Artemis!53427254779A
DeepInstinct	MALICIOUS
VBA32	TrojanPSW.Lumma
Malwarebytes	Crypt.Trojan.MSIL.DDS
Ikarus	Trojan.Win64.Bladabindi
Panda	Trj/Genetic.gen
TrendMicro-HouseCall	TrojanSpy.Win32.LUMMASTEALER.YXEH2Z

2.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All