Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 8, 2025, noon	March 8, 2025, 12:54 p.m.

Size	968.5KB
Type	PE32+ executable (console) x86-64, for MS Windows
MD5	`5d43f5bb6521b71f084afe8f3eab201a`
SHA256	`5e4fcbbd458a244fcf2dc879ffabdbc6feba611a5934887e6eefc5b42d5ca37d`
CRC32	`56F56F17`
ssdeep	`24576:ulBq4/QlK9/CqNzb5lgV6tZVPKilGRx1D:ulBj/V6QtGile`
PDB Path	c:\users\Administrator\Desktop\crypter\crypter\x64\Release\crypter.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature ftp_command - ftp command IsPE64 - (no description) Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

a53ed9c6-b552-4b04-a2c3-d557eae174a4.exe "C:\Users\test22\AppData\Local\Temp\a53ed9c6-b552-4b04-a2c3-d557eae174a4.exe"
1616

Name	Response	Post-Analysis Lookup
api.telegram.org	A 149.154.167.220	149.154.167.220

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2033966	ET HUNTING Telegram API Domain in DNS Lookup	Misc activity
TCP 149.154.167.220:443 -> 192.168.56.103:49163	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49163 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity
TCP 192.168.56.103:49163 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity
TCP 192.168.56.103:49163 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity
TCP 192.168.56.103:49163 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity

No Suricata TLS

pdb_path

c:\users\Administrator\Desktop\crypter\crypter\x64\Release\crypter.pdb

Time & API	Arguments	Status	Return
bind March 8, 2025, noon	ip_address: 127.0.0.1 socket: 140 port: 0	1	0
listen March 8, 2025, noon	socket: 140 backlog: 1	1	0
accept March 8, 2025, noon	ip_address: socket: 140 port: 0	1	148

host

147.124.213.50

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress March 8, 2025, noon	ordinal: 0 function_address: 0x000000000000000f function_name: wine_get_version module: ntdll module_address: 0x00000000776c0000		-1073741511	0

Lionic	Trojan.Win32.ClipBanker.Z!c
Cynet	Malicious (score: 99)
CAT-QuickHeal	Trojan.Sonbokli
ALYac	Trojan.GenericKD.75922704
Cylance	Unsafe
VIPRE	Trojan.GenericKD.75922704
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_60% (D)
BitDefender	Trojan.GenericKD.75922704
K7GW	Riskware ( 00584baa1 )
K7AntiVirus	Riskware ( 00584baa1 )
Arcabit	Trojan.Generic.D4867D10
VirIT	Trojan.Win64.Genus.HWB
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win64/TrojanDownloader.Agent.BMW
Avast	Win64:CrypterX-gen [Trj]
Kaspersky	Trojan-Banker.MSIL.ClipBanker.ckj
MicroWorld-eScan	Trojan.GenericKD.75922704
Rising	Downloader.Agent!8.B23 (TFE:5:XAKLZVWUl5Q)
Emsisoft	Trojan.GenericKD.75922704 (B)
F-Secure	Trojan.TR/Dldr.Agent.fgtqd
Zillya	Trojan.ClipBanker.Win32.24634
McAfeeD	ti!5E4FCBBD458A
CTX	exe.trojan.clipbanker
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
FireEye	Trojan.GenericKD.75922704
Google	Detected
Avira	TR/Dldr.Agent.fgtqd
Antiy-AVL	Trojan[Banker]/MSIL.ClipBanker
Kingsoft	Win32.Troj.Unknown.a
Gridinsoft	Trojan.Win64.Gen.cl
Microsoft	Trojan:Win64/Amadey.BS!MTB
GData	Trojan.GenericKD.75922704
Varist	W64/ABTrojan.PSKE-0377
AhnLab-V3	Trojan/Win.Generic.C5735487
McAfee	Artemis!5D43F5BB6521
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Downloader
Ikarus	Trojan-Downloader.Win64.Agent
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002H09C525
MaxSecure	Trojan.Malware.218710588.susgen
AVG	Win64:CrypterX-gen [Trj]
Paloalto	generic.ml
alibabacloud	Trojan[stealer]:MSIL/Sonbokli.A9uj

a53ed9c6-b552-4b04-a2c3-d557eae174a4