cfsm.txt.exe| Category | Machine | Started | Completed |
|---|---|---|---|
| FILE | s1_win7_x6402 | March 19, 2021, 2:36 p.m. | March 19, 2021, 2:38 p.m. |
-
cfsm.txt.exe "C:\Users\test22\AppData\Local\Temp\cfsm.txt.exe"
2616
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| No hosts contacted. | ||
| IP Address | Status | Action |
|---|---|---|
| 172.217.25.14 | Active | Moloch |
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
| section | {u'size_of_data': u'0x00008000', u'virtual_address': u'0x00001000', u'entropy': 7.702766603856263, u'name': u'.text', u'virtual_size': u'0x00007ebf'} | entropy | 7.70276660386 | description | A section with a high entropy has been found | |||||||||
| entropy | 1.0 | description | Overall entropy of this PE file is high | |||||||||||
| description | Code injection with CreateRemoteThread in a remote process | rule | inject_thread | ||||||
| description | Create a windows service | rule | create_service | ||||||
| description | Communications over UDP network | rule | network_udp_sock | ||||||
| description | Listen for incoming communication | rule | network_tcp_listen | ||||||
| description | Communications over P2P network | rule | network_p2p_win | ||||||
| description | Communications over HTTP | rule | network_http | ||||||
| description | File downloader/dropper | rule | network_dropper | ||||||
| description | Communications over FTP | rule | network_ftp | ||||||
| description | Communications over RAW socket | rule | network_tcp_socket | ||||||
| description | Communications use DNS | rule | network_dns | ||||||
| description | Communication using dga | rule | network_dga | ||||||
| description | Escalade priviledges | rule | escalate_priv | ||||||
| description | Take screenshot | rule | screenshot | ||||||
| description | Run a keylogger | rule | keylogger | ||||||
| description | Steal credential | rule | cred_local | ||||||
| description | Record Audio | rule | sniff_audio | ||||||
| description | APC queue tasks migration | rule | migrate_apc | ||||||
| description | Malware can spread east-west using share drive | rule | spreading_share | ||||||
| description | Create or check mutex | rule | win_mutex | ||||||
| description | Affect system registries | rule | win_registry | ||||||
| description | Affect system token | rule | win_token | ||||||
| description | Affect private profile | rule | win_private_profile | ||||||
| description | Affect private profile | rule | win_files_operation | ||||||
| description | Match Winsock 2 API library declaration | rule | Str_Win32_Winsock2_Library | ||||||
| description | Match Windows Inet API library declaration | rule | Str_Win32_Wininet_Library | ||||||
| description | Match Windows Inet API call | rule | Str_Win32_Internet_API | ||||||
| description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
| description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
| description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
| description | (no description) | rule | DebuggerCheck__RemoteAPI | ||||||
| description | (no description) | rule | DebuggerHiding__Thread | ||||||
| description | (no description) | rule | DebuggerHiding__Active | ||||||
| description | (no description) | rule | DebuggerException__ConsoleCtrl | ||||||
| description | (no description) | rule | DebuggerException__SetConsoleCtrl | ||||||
| description | (no description) | rule | ThreadControl__Context | ||||||
| description | (no description) | rule | SEH__vectored | ||||||
| description | (no description) | rule | Check_Dlls | ||||||
| description | Checks if being debugged | rule | anti_dbg | ||||||
| description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert | ||||||
| description | Bypass DEP | rule | disable_dep | ||||||
| description | Affect hook table | rule | win_hook | ||||||
| host | 172.217.25.14 | |||
| Bkav | W32.AIDetect.malware1 |
| Elastic | malicious (high confidence) |
| DrWeb | Trojan.PWS.Spy.21017 |
| MicroWorld-eScan | Gen:Variant.Ser.Razy.7042 |
| FireEye | Generic.mg.9ac835c38d4d0c64 |
| CAT-QuickHeal | Trojan.Generic |
| ALYac | Trojan.Agent.Dofoil |
| Cylance | Unsafe |
| Sangfor | Trojan.Win32.Save.a |
| K7AntiVirus | Trojan ( 005778b31 ) |
| Alibaba | Trojan:Win32/Smokeloader.0202d126 |
| K7GW | Trojan ( 005778b31 ) |
| CrowdStrike | win/malicious_confidence_100% (W) |
| BitDefenderTheta | AI:Packer.EB5DFF611E |
| Cyren | W32/Dofoil.H.gen!Eldorado |
| Symantec | ML.Attribute.HighConfidence |
| APEX | Malicious |
| Avast | Win32:Malware-gen |
| ClamAV | Win.Malware.Razy-7588168-0 |
| Kaspersky | HEUR:Trojan.Win32.Generic |
| BitDefender | Gen:Variant.Ser.Razy.7042 |
| NANO-Antivirus | Trojan.Win32.Zurgop.fednlb |
| Paloalto | generic.ml |
| AegisLab | Trojan.Win32.Generic.4!c |
| Tencent | Win32.Trojan.Generic.Hwwm |
| Ad-Aware | Gen:Variant.Ser.Razy.7042 |
| Sophos | ML/PE-A + Mal/Behav-204 |
| Comodo | Malware@#1fdmmmodezc7m |
| VIPRE | Trojan.Win32.Winwebsec.m (v) |
| TrendMicro | Trojan.Win32.ZURGOP.SM |
| McAfee-GW-Edition | BehavesLike.Win32.VirRansom.nc |
| Emsisoft | Trojan-Downloader.Zurgop (A) |
| SentinelOne | Static AI - Malicious PE |
| Avira | TR/Crypt.XPACK.Gen |
| Kingsoft | Win32.Heur.KVMH008.a.(kcloud) |
| Gridinsoft | Trojan.Win32.Downloader.sa |
| Microsoft | TrojanDownloader:Win32/Dofoil.AD |
| ViRobot | Trojan.Win32.Z.Zurgop.33280.BS |
| AhnLab-V3 | Trojan/Win32.Dofoil.R223509 |
| GData | Gen:Variant.Ser.Razy.7042 |
| Cynet | Malicious (score: 100) |
| ESET-NOD32 | a variant of Win32/Smokeloader.J |
| Acronis | suspicious |
| McAfee | GenericRXGK-YC!9AC835C38D4D |
| MAX | malware (ai score=100) |
| VBA32 | TScope.Malware-Cryptor.SB |
| Malwarebytes | Trojan.Agent |
| TrendMicro-HouseCall | Trojan.Win32.ZURGOP.SM |
| Rising | Downloader.Zurgop!8.4BB (TFE:3:5GsXFg1cBOC) |
| Ikarus | Trojan-Downloader.Win32.Dofoil |