Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 6, 2025, 9:50 a.m.	Feb. 6, 2025, 9:54 a.m.

Size	439.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`e1d10be0d41ba9e8dbad2a53876b3a00`
SHA256	`5bc044ef951c5095e4b7c094df6e54b19dfaafcd148583bb694625b7a0900f1c`
CRC32	`69A72A6F`
ssdeep	`12288:1O7k28xC7HMDVBjfbL5S6IZ7OGQN/RutyU3ivG/Jt9:+OS6IZ7QN/R8yoaG/L`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

install.exe "C:\Users\test22\AppData\Local\Temp\install.exe"
2560

Name	Response	Post-Analysis Lookup
ts1.aco.net	A 193.171.23.163	193.171.23.163
time.apple.com	CNAME time.g.aaplimg.com A 17.253.114.43 A 17.253.68.251 A 17.253.114.35	17.253.114.35
time-a-g.nist.gov	A 129.6.15.28	129.6.15.28
ntp.nict.jp	A 61.205.120.130 A 133.243.238.163 A 133.243.238.243 A 133.243.238.244 A 133.243.238.164	61.205.120.130
gbg1.ntp.se	A 194.58.203.20 CNAME gbg1.ntp.netnod.se	194.58.203.20
time.cloudflare.com	A 162.159.200.1 A 162.159.200.123	162.159.200.1
x.ns.gin.ntt.net	A 129.250.35.250	129.250.35.250

IP Address	Status	Action
129.250.35.250	Active	Moloch
129.6.15.28	Active	Moloch
133.243.238.164	Active	Moloch
162.159.200.123	Active	Moloch
164.124.101.2	Active	Moloch
17.253.114.43	Active	Moloch
193.171.23.163	Active	Moloch
194.58.203.20	Active	Moloch
81.19.131.103	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49162 81.19.131.103:4381	C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=81.19.131.103: Self-signed certificate	C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=81.19.131.103: Self-signed certificate	61:8e:a4:ce:53:ca:98:9a:70:7f:dc:49:83:e0:19:0a:1e:ae:c1:fc
TLS 1.2 192.168.56.101:49164 81.19.131.103:4381	C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=81.19.131.103: Self-signed certificate	C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=81.19.131.103: Self-signed certificate	61:8e:a4:ce:53:ca:98:9a:70:7f:dc:49:83:e0:19:0a:1e:ae:c1:fc
TLS 1.2 192.168.56.101:49166 81.19.131.103:443	C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=81.19.131.103: Self-signed certificate	C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=81.19.131.103: Self-signed certificate	c4:17:75:19:23:e7:20:ce:1c:66:d9:49:d8:db:92:7a:d8:7a:b7:7a
TLS 1.2 192.168.56.101:49165 81.19.131.103:4381	C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=81.19.131.103: Self-signed certificate	C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=81.19.131.103: Self-signed certificate	61:8e:a4:ce:53:ca:98:9a:70:7f:dc:49:83:e0:19:0a:1e:ae:c1:fc

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.textbss

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Feb. 6, 2025, 9:50 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 6, 2025, 9:50 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f56000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 6, 2025, 9:50 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4128768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022e0000 process_handle: 0xffffffff	1

Communicates with host for which no DNS query was performed (1 event)

host

81.19.131.103

File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 events)

Bkav	W32.Common.7F85737C
Lionic	Trojan.Win32.Rhadamanthys.i!c
MicroWorld-eScan	Dump:Generic.Dacic.4686.0C67AAF5
CAT-QuickHeal	Trojan.Ghanarava.17386575166b3a00
ALYac	Dump:Generic.Dacic.4686.0C67AAF5
Cylance	Unsafe
VIPRE	Dump:Generic.Dacic.4686.0C67AAF5
CrowdStrike	win/malicious_confidence_70% (W)
BitDefender	Dump:Generic.Dacic.4686.0C67AAF5
K7GW	Spyware ( 005bd62e1 )
K7AntiVirus	Spyware ( 005bd62e1 )
VirIT	Trojan.Win32.Genus.XFK
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	Win32/Spy.Rhadamanthys.AA
APEX	Malicious
Avast	Win32:Evo-gen [Trj]
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Trojan-PSW.Win32.Rhadamanthys.gen
Alibaba	TrojanPSW:Win32/Rhadamanthys.5d23032a
SUPERAntiSpyware	Trojan.Agent/Gen-Lazy
Rising	Trojan.Rhadamanthys!8.178A1 (TFE:1:EE65rmTGwTO)
Emsisoft	Dump:Generic.Dacic.4686.0C67AAF5 (B)
F-Secure	Trojan.TR/AVI.Rhadamanthys.sjutw
DrWeb	Trojan.DownLoader47.36298
Zillya	Trojan.Rhadamanthys.Win32.19
TrendMicro	TrojanSpy.Win32.RHADAMANTHYS.YXFBCZ
McAfeeD	ti!5BC044EF951C
Trapmine	malicious.moderate.ml.score
CTX	exe.trojan.rhadamanthys
Sophos	Troj/Rhadaman-B
SentinelOne	Static AI - Suspicious PE
FireEye	Generic.mg.e1d10be0d41ba9e8
Jiangmin	Trojan.PSW.Azorult.hge
Webroot	Win.Ransom.Gen
Google	Detected
Antiy-AVL	Trojan[PSW]/Win32.Rhadamanthys
Kingsoft	Win32.Trojan-PSW.Rhadamanthys.gen
Gridinsoft	Ransom.Win32.AzorUlt.sa
Arcabit	Dump:Generic.Dacic.4686.0C67AAF5
Microsoft	Trojan:Win32/Rhadamanthys.TBM!MTB
Varist	W32/ABTrojan.HPLH-0051
AhnLab-V3	Trojan/Win.Evo-gen.R683211
VBA32	TrojanPSW.Rhadamanthys
DeepInstinct	MALICIOUS
Malwarebytes	Spyware.Rhadamanthys
Ikarus	Trojan-Ransom.Play
TrendMicro-HouseCall	TrojanSpy.Win32.RHADAMANTHYS.YXFBCZ
Tencent	Malware.Win32.Gencirc.10c0710f
huorong	Trojan/Agent.cat

install.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All