Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 15, 2024, 2:17 p.m.	Oct. 15, 2024, 2:24 p.m.

Size	2.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`05894e6439e626412c11b1c23eac073f`
SHA256	`042e2c5e4fe54168736c408dea6ce251a01ad59c1961f47438033204405ea2bb`
CRC32	`9B10F831`
ssdeep	`49152:uA/QyO+qnbHx11BLNTzrSTpah/yRjap+vMLBW5HEWoIthmrJGCxpbTjCw:zqrr5YpaN2nvM14HEZIngJGK`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

CrazyCoach.exe "C:\Users\test22\AppData\Local\Temp\CrazyCoach.exe"
2552
- update.exe C:\Users\test22\AppData\Local\Temp\update.exe 2552
  2680
  - CrazyCoach.exe C:\Users\test22\AppData\Local\Temp\CrazyCoach.exe
    2832
    - update.exe C:\Users\test22\AppData\Local\Temp\update.exe 2832
      2884

Name	Response	Post-Analysis Lookup
coach.028csc.com	A 47.240.68.28	47.240.68.28
s.z163.xyz	A 45.32.92.201	45.32.92.201

IP Address	Status	Action
164.124.101.2	Active	Moloch
45.32.92.201	Active	Moloch
47.240.68.28	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49161 -> 47.240.68.28:81	2016879	ET POLICY Unsupported/Fake Windows NT Version 5.0	Potential Corporate Privacy Violation
TCP 47.240.68.28:81 -> 192.168.56.101:49161	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.101:49195 -> 47.240.68.28:81	2007695	ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System	Potential Corporate Privacy Violation
TCP 192.168.56.101:49195 -> 47.240.68.28:81	2016870	ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.	Potential Corporate Privacy Violation
TCP 47.240.68.28:81 -> 192.168.56.101:49195	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.101:49161 -> 47.240.68.28:81	2016879	ET POLICY Unsupported/Fake Windows NT Version 5.0	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 15, 2024, 2:17 p.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

TEXTINCLUDE

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (25 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 15, 2024, 2:17 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73442000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2024, 2:17 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02510000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2024, 2:17 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02520000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2024, 2:17 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73441000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2024, 2:17 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73404000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2024, 2:17 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73442000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2024, 2:17 p.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73441000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2024, 2:17 p.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73404000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2024, 2:17 p.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73442000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2024, 2:17 p.m.	process_identifier: 2832 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00940000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2024, 2:17 p.m.	process_identifier: 2832 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00950000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2024, 2:17 p.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7257f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2024, 2:17 p.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x764b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2024, 2:17 p.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75831000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2024, 2:17 p.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2024, 2:17 p.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2024, 2:17 p.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2024, 2:17 p.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73291000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2024, 2:17 p.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73271000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2024, 2:17 p.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x730d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2024, 2:17 p.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2024, 2:17 p.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73261000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2024, 2:17 p.m.	process_identifier: 2884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73441000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2024, 2:17 p.m.	process_identifier: 2884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73404000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2024, 2:17 p.m.	process_identifier: 2884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73442000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (50 out of 64 events)

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002fd048

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002fd048

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002fd048

size

0x00000151

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002ff6b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002ff6b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002ff6b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002ff6b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002ff6b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002ff6b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002ff6b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002ff6b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002ff6b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002ff6b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002ff6b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002ff6b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002ff6b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002ff6b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002ff6b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002ff6b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002ff6b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002ff6b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002ff6b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002ff6b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002ff6b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002ff6b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002ff6b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002ff6b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002ff6b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002ff6b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002ff6b0

size

0x00000144

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002fe678

size

0x00000284

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002fe678

size

0x00000284

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002fe1c0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002fe1c0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002fe1c0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002fe1c0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002fe1c0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002fe1c0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002fe1c0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002fe1c0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002fe1c0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002fe1c0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002fe1c0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002fe1c0

size

0x0000018c

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x003000c8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x003000c8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x003000c8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x003000c8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x003000c8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x003000c8

size

0x00000024

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\libcurl.dll
file	C:\Users\test22\AppData\Local\Temp\update.exe
file	C:\Users\test22\AppData\Local\Temp\gzip.dll

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\gzip.dll
file	C:\Users\test22\AppData\Local\Temp\update.exe
file	C:\Users\test22\AppData\Local\Temp\libcurl.dll

An executable file was downloaded by the process crazycoach.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Oct. 15, 2024, 2:17 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¬µcà#'"¬B "Dk0C_5C@ àA£ ðAì0B @BëDT<0ôA¤.textÜ""``.data ""@À.rdata@ýÀ"þ¨"@@.eh_fram¬îÀ<ð¦<@@.bss )°AÀ.edata£ àA A@@.idataìðA A@À.CRT0BºA@À.tls B¼A@À.rsrc 0B¾A@À.relocë@BìÄA@BìÇ$°kèQ"ÄÃ´&¶WVSìD$$Àur¡°k1ÒÀ~Wè=<õk1ö£°kët&Ç$èÿ×ìºðð±¤ÍkÃÀuß¡¨ÍkøÑÇ$èµ "ºÄÐ[^_Ât&øuæd¡=<õkX1öë´&9Ã°Ç$èÿ×ìðð±¤ÍkÀuÞ1Û¡¨Íkøî¡¨ÍkÀ¡¨Íkø«Ûtw¡@TkÀtT$(ÇD$T$T$ $ÿÐì°kºéIÿÿÿ´&fÇ$°kèô"Ç¨Ík¤Íkéÿÿÿ´&»ébÿÿÿ¶¤ÍkëÇD$kÇ$kÇ¨Íkè²"éLÿÿÿt&ÇD$kÇ$kè"Ç¨Íké2ÿÿÿt&Ç$èT"éÿÿÿ´&´&UWÏVÆSÓìì¸fkÒuI¡°kÀthèA!\|$\$4$è«S!ìÅÛîûåÇì¸fkÿÿÿÿÄè[^_]ÃèË@!Cÿ\|$\$4$øôèýÿÿìÀu1íë¿t&\|$\$4$è0S!ìÀÕûqÿÿÿè=!\|$ÇD$4$èS!ìÅÀqÿÿÿ\|$ÇD$4$èòR!ì\|$ÇD$4$èËR!ì\|$1íÇD$4$èýÿÿìé%ÿÿÿ´&v\|$\$4$èR!ìÅ\|$\$4$èËüÿÿìÀëþÿÿ1íéäþÿÿ´&fèkR!ìÅé»þÿÿût1íé¿þÿÿt&ìÇ¼ÍkL$T$D$èRþÿÿÄÂ´&t&ìD$ Ç$°kD$è¹"ÄÃUåWVSìÇ$Àfkÿ¤ôkìÀtsÃÇ$Àfkÿèôk=¬ôkì£°kÇD$Àfk$ÿ×ìÆÇD$)Àfk$ÿ×ì£ fkötÇD$°kÇ$$ÁkÿÖÇ$Dkè^ÿÿÿeô[^_]Ã¶¸¾ëÀt&Uåì¡ fkÀt Ç$$ÁkÿÐ¡°kÀt$ÿ\|ôkìÉÃUW×VÆSì,L$ÇD$Ç$0ÿ fkÀ¤4$Ãè"4$Åÿ fkÀtkíuM<$ÿ fkCÀtUD$CD$@CD$D$èk=fCD$H$è[=fCÄ,Ø[^_]Ãt&\|.ÿ.u¬ÆD(ÿë¥´&v$ÿ fkC$ÿ fk$ÿ fkÄ,1ÛØ[^_]Ãt&UWÏVÖSì,D$¶Àuë~¶¶AÁÀtm< tñ< tíÊë"´&f< Ã< ÀÃt¶BÂÀthÅåýuÜD$Ó)Ët.9ûs*\$4$L$èl"ÆÄ,1À[^_]Ã¶D$Ä,¸+[^_]Ãt&ìD$(ÇD$`ÀfkD$D$ $è±!ÄÃ´&¶UWVSì¼D$0ÐT$LL$HT$(T$P\$bT$$t$WT$mL$¼$¯L$D¬$®T$ \|$\$L$l$t$ÇD$`Àfk$èbÿÿÿø t Ä¼[^_]ÃfT$m$è´þÇD$ÀfkD$<D$H$D$4D$DD$8è°ÀøÇD$Àfk$èÀ0$1ÛÇD$Àfkè~ÇD$Àfk4$ÀÃÁãèfÀÇD$Àfk4$èNÀÖÇD$Àfk4$è6¹ À<ÿÿÿÛ4ÿÿÿD$4$úD$D$8D$èèåüÿÿÀÿÿÿT$LL$P\|$0t$<P 1ÒÉÂpPP$T$D$GD$G$èpÄ¼[^_]Ãt&»ÇD$Àfk4$èÀuGÇD$Àfk4$èÀ9ÿÿÿ¹éTÿÿÿt&¹é=ÿÿÿ¶»ë®´&f¹é%ÿÿÿ¶¹é ÿÿÿ¶D$ºÀfkèøw ÂfkÐÃt&SìÇD$Ç$ÿ fkÃÀt@ÇD$$ènÇCÄØ[ÃWVSì\|$ \$$$ÿ fk$ÿ fkÀ´ÇD$Àfk$èä²ÆÀtoÇ$ÿÿ fkÃÀtevt$ÇD$ÿ$è°Àt0¶ÚÀuët&¶BÂÀt< tñ< tí<#tÁøèÒüÿÿë¸$ÿ fk4$è"1ÀÄ[^_Ã$ÿ fkÇÇ$ÿ fk4$èð"¸ëÌ´&fT$¸+Òt D$P1ÀÃ´&fUWVSìl$0}ÿtR_Ût0´&3[$ÿ fkF$ÿ fk4$ÿ fkÛu×$ÿ fk<$ÿ fkÇEÄ[^_]Ãt&UWVSì¬´$ÄÇD$x¼$ÈötfFàÿtR1ÛÀu=1Û?t6D$x\|$D$D$tD$$À$èâÃÀt<D$x$ÿ fkÄ¬Ø[^_]Ãf>ÀuÿuªÄ¬1ÛØ[^_]Ã´&D$tÇD$uÇD$D$Ç$Àfkèì"vöä\$l¼$ÈéCk ºÀfkL$\|D$D$D$H$D$L$D$P$ÀD$T$lD$X·CD$\CD$`Cèøw Âfk·CD$dD$hCl$<èøÌ\$DL$4 request_handle: 0x00cc000c	1	1	0
InternetReadFile Oct. 15, 2024, 2:17 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÜãåÀÀÀÀ³À®¤À_À®¤ÀÀÀãÀÀÎÀ´ÀúÀÀÀÅÀpÀòÀpÀÀÀ¼À_ÀÀRichÀPELf ifà` pö° @0ûÄ¤ÄvÀ à `° T@à.rsrc X@À3.95UPX! )&A¨L´Ê,ÛgF°I±°hÄ9Í¦a4X@ð´¬q®7Å{Bº~Ý¾©cøh<s=q`Ç,ÆÇ%Ú¹¿eÝÛ°«Ú2ßÄ}¢wæ ð±nj/)Iq¾b`"xTÄo¦Çº6¥uÿ8y¶¦«'ßZxr\|ý¦E ÎÙPÈ+Ë(÷¼uRbÃ¢`Jøel,TW ~hªÓ#a¸KóÁ0×Òü )ÿ_hÉLw¹4AÐ²îì¿RëÜÚ¨ÎüÂ»¬\|¨Ù>°},!çÃoU`?õC£ÇL÷÷ñ´¸+GFzþ]¿çuÞSuJüâ$ÉÉ»QVc[ëqK?©ým;&Þtß\aò·°6óóZ>´è3LÎTïSÔ¸nVeÞ=ÕmöºÏàÿ¯>-ðFÑ$¯ö½Z4{H¢L Aßî7º4[L£eí~u ÍcðqC¡U1 Ý<Ðf$WÏEÛ{²Où«1hf)WÛ1 É#È`+&¸å¹lHñeÃ§ùÍ ¿ðNª Q¥ ªsdóÙ éÌ÷ßôß X50þÍ¨Cjc±q·.,UhÛ\ü0^g:Üng!n2&D¨[F²õoúW£åÒp{ï¶kÞ¥÷iÀ+X\|µ3ÛN¼ `öyÿa+¦ÏOºOGÛCký§¢i±¯3{3<êÔÇòòo¹F¦;@Õ\$è é³£37íÅRº5È[Ãpèñý@ã<Tè/ S±ÛÙ9XF ò½5±¢PuFc#{5ËUÃôÖ_h;81q~Ä~4¯%ñ¥EQ·Îæ%Ã[1ºyÎßÄ2t\îc·ÛQìÁ&9)r-uDÄä{ñ¡×ãçâ ï»§p 6¯?f=1³ÂìblçþÀy@«Æ(Ãókô´ùýW;ÆÉÃÂtØýmÇõ5,IÝqa@Ì5ÒqÝf¢ÍbR/T](LÅHÕWâ@m81À~·uëePÔDµ±ñîP5'p÷¾ÿ¢aÍ@Â¾3äpâXõÎI¨F¢\Ä36îÎèlï#y.?;üçA9NÎþ)`Ý!ùÒdÓ# #<_ÂC ýfØ=_ÐÝ^1ü"µ"Cl$ª5VdnëÛ"÷ aç×éw,\Lí{Y÷p;Üyubb¢á«ëä ª³)IÒI¥ÔÜbÜÓRâ.)£EáCÕÿå)@ÏtÜû ®ÂYM1àwÏüTvqQv¯æ!ø`Ç¬¶cö×k²¨"#3 îik3ÎömèýÙtùs¦NzJ½VZÈlÅ¿t.D\\|$·C)$ûI/E i5ã`4èJvPöo£Ñ<-Ä.3Ö;;@y;iôÄÚÃª©0)qX[ì¹Aêâbò£ñqdV·vEãvÉ-p²¨QFF=6Å?ª.,Pu!À¨{¬t×åô;?#PC¾ç81:?ÆOÚg`×úùìõ`RÐ½p¤NqåÏ©PçÜ0W ü:ÑÃoòÔûS½Q¡M6ß;£«è$=öòªæùÇ§1uuòÞmEà¤@±CâÌxJê¼qzÿÏ0sØ¼¥¸°¡Øto¦%&^m7£8Â^RI/3ºVEiOB.+Å]Óa7ç¤EOâZöõèo£¡/No_ë`d¨É_N wm è\|kÊå)#µÆÄåÓ]PLZ±=¢ÆBÕjOÔþrñCÏLu³VÅKå¸ÓH!Ø@ÑÃ+ÞM{1ÂK=:,A¯ Y¥ðWñcÓB bó^Un£w³sÿÕà³Yü§Nó;V1 ÷¬ÝöV¡E:iþ¸IeG"1Ä$8w<Êh%Ó5&.þ3mþÀ~ØÃL#=ffµXFîe~Æ·Ó®´ë¹A ¬ÜjÅZB]°÷©¼ ë©ÆN/öxvëÒ(ãAc, k.7å³^ÇF{X_ZàÍ4jà2TæÊß½å ý´ÏÔ5Ö;ùÓâ ÎtÀWd6FÛ¸7¡?EWéZ>mNZªYÖ¦ßÚM'År9³Ô7Y§ýÆ y`×Q·%Ìl&ë>OÏ[VÔ@ë>óBfÔ»ê=ñ]~ç4 (_ö@þLù¶¼ÙÂ?»e6þuçã}¡\|Ûv½ªÁç*÷¿Ðx£wSóú¶ÞexßBø{1S#9µ«cÌÉì0ö\ =æà"&(y1ÍV,Ê]³I´ìæÆ¥/Ó#fFà×ñµ ~lMÜZZz[9¶[çt(. ÙSÒÂjÑÔG¤>2B 62¨Î(Äý9:$®2f\ª¦¦¿¹Ñ\aà;&$áñ!ºûòX~³`RoÄ\|jPz)ùç©\|_IFÑXWª@ ®U³@GRâÜÍ5 / u_'¢(u¸¤¼Q@÷ .¯ËrÖ¥;5ª7äZYQ,{Aîå¼}=÷qqúÎ÷Q²óÈÛ¯«G27mvv¡#© oäCñöhMj ,Ú-Òcnv Â¨ÉÝ¡æÞ¾ñÝã5;áR÷ÌgÉôò:ÏNùè¡Hh2\øq!,!OqKr(Pu¢ÇéÐ}$H"ÈI^^R¹ïufðÚ6i#dÿ#ä~á'ÄVÄû[ã\2%ÚûKÏÛcmiãÈì=qéì×FæäBhBÂïdb¸P¨/Ç,KÆXùþ"/ T[gr¶ìåf½ä/ÂTpðFÝOZÎý¨þ_XVç2Sg³¡q©Ü%ï~(¥TðÍÂMÊló_êçlä´RÁsf¤ Ý!oô Z¤^)9¨Ïdi®@a]XD6ÛÌ%`wbO+»]æýãÎ÷²@·ÔLÍ¬ »ÊÌh±¦u©KØIJá²¬êV06^ç´®2³$¹vÚC¯ à»ôÞÊü@fÎ>«n(ý/½É.Ãç+°êÞ¨ùÖ¼WÕ_p²¾méäË·úëú»´èpLñ\eèOm> ó27/'Ã!DÕ3çîÃ_ì¨þ<AyðìòÜ¬£¤#¼-A¢»©G?·}¼óeÓ./ßÚZmé»EãØÝg¬¶KM§ãjÞëÜ.$²Üdçc&ë«Ñ¢%ô[ÙþCà>Áß6ÉøBGP®ûyn!2ÔÂmëÿDpÌ¹ÊV¥¼~h`Ü¡É7 Â<}r Râµ´Ø-çùâé÷§6,Zm!eÁÝZSÚóxÒò±Øîê\|ºaÈD¤Ì$ksù'BYf£ÅÍ,#L¢L§eÕ;n¢DÐ´Eî@Æ üÒB÷9 dà-áø¦÷Ét:Cö;Nè7ßÌ)ý'¾,)°ÔÏÛêÊ`!5¾é ï Í²c> óNÈè¬A'Sñg>$=oRÂ<>¯otÂ2Ç»¯_¢f?óÈBv &Áx%pu®-DyPÆËtúÝ®TH5F®JkðcBmò¤û,;m¡zÌ-T@)0ôå#Ó¬¢$õ\|ÆïÂÑ«!Jî£ÆÑý§óò[Ç.wÁ¨^ì6©Ù÷R\ÈVckUã.J:¼YMºuK=%Ð request_handle: 0x00cc000c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x001e1c00', u'virtual_address': u'0x00001000', u'entropy': 7.359521858796242, u'name': u'.text', u'virtual_size': u'0x001e1b8e'}

entropy

7.3595218588

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00000200', u'virtual_address': u'0x0031e000', u'entropy': 6.855434502813052, u'name': u'.text', u'virtual_size': u'0x00000200'}

entropy

6.85543450281

description

A section with a high entropy has been found

entropy

0.69572279372

description

Overall entropy of this PE file is high

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Oct. 15, 2024, 2:17 p.m.	status_code: 0x00000000 process_identifier: 2552 process_handle: 0x000003b8		0	0
NtTerminateProcess Oct. 15, 2024, 2:17 p.m.	status_code: 0x00000000 process_identifier: 2552 process_handle: 0x000003b8	1	0	0

Connects to an IRC server, possibly part of a botnet

Network activity contains more than one unique useragent (2 events)

process	CrazyCoach.exe				useragent	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
process	update.exe				useragent	Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)

File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
tehtris	Generic.Malware
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.vc
ALYac	Gen:Variant.Babar.223737
Cylance	Unsafe
Sangfor	Trojan.Win32.Agent.Vck8
CrowdStrike	win/malicious_confidence_90% (D)
BitDefender	Gen:Variant.Babar.223737
K7GW	Trojan ( 0040f54a1 )
K7AntiVirus	Trojan ( 0040f54a1 )
Arcabit	Trojan.Babar.D369F9
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.FlyStudio.AA potentially unwanted
APEX	Malicious
Avast	Win32:Pasta [Cryp]
ClamAV	Win.Malware.Trojanx-9951053-0
Kaspersky	UDS:DangerousObject.Multi.Generic
NANO-Antivirus	Virus.Win32.Agent.dvixmz
MicroWorld-eScan	Gen:Variant.Babar.223737
Rising	Packer.Win32.Agent.g (CLASSIC)
Emsisoft	Gen:Variant.Babar.223737 (B)
DrWeb	Trojan.PWS.Wsgame.57795
VIPRE	Gen:Variant.Babar.223737
McAfeeD	Real Protect-LS!05894E6439E6
Trapmine	malicious.high.ml.score
CTX	exe.trojan.generic
Sophos	Mal/EncPk-AQI
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.05894e6439e62641
Jiangmin	Trojan/Agent.edyx
Google	Detected
Antiy-AVL	Trojan/Win32.SBadur
Kingsoft	malware.kb.a.988
Gridinsoft	Ransom.Win32.Wacatac.sa
Xcitium	TrojWare.Win32.Agent.OSCF@5rs7jr
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Win32.Trojan.PSE.1TYMTF4
Varist	W32/Trojan.CLL.gen!Eldorado
AhnLab-V3	Malware/Win.Generic.R668664
Acronis	suspicious
McAfee	Flyagent.d
DeepInstinct	MALICIOUS
VBA32	BScope.Trojan.MulDrop
Malwarebytes	Generic.Malware.AI.DDS
Ikarus	Trojan.Win32.Disabler
Zoner	Probably Heur.ExeHeaderL
MaxSecure	Trojan.Malware.300983.susgen

CrazyCoach.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All