Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.22 04:09
2.exe
09.21 02:09
random.exe
09.21 02:09
sdhsfd.exe
09.21 02:09
66edb89bc4073_crypted....
09.21 02:09
66ed33772bbe7_vdfhsjf1...
09.21 02:09
game.exe
09.21 02:09
66ebb3bf78bd6_Send.exe...
09.21 02:09
66ed33717e4c1_vfdshfda...
09.21 02:09
random.exe
09.21 02:09
66ed336eac985_vdfhssfd...

Latest News
09.22 06:09
Cards Against Humanity...
09.22 05:09
Linux, Now In Real Time
09.22 04:09
Was können Roboter wir...
09.22 04:09
Schluss mit Basis-Auth...
09.22 04:09
Deutsches Jugendherber...
09.22 02:09
Learn How to Dissect B...
09.22 02:09
Jumperless Breadboard ...
09.22 02:09
Hacker behind Snowflak...
09.22 01:09
03 - Identifying Signs...
09.22 01:09
Hacktivist Group Twelv...

Summary | ZeroBOX

ALL.TXT

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 27, 2021, 9:45 a.m.	April 27, 2021, 9:49 a.m.

Size	1.2KB
Type	ASCII text, with CRLF line terminators
MD5	`52552b7037fd640317f7d2de1b854288`
SHA256	`0d74a33006727ab086e281681cc8ee3d71ee7843f19b6fa52a86efc92b0444a1`
CRC32	`4BCBDC0E`
ssdeep	`24:mdfz1RoYFZl8V7OOMm8V7LOsTjMtXiOiP659who5lKuPxNYK/tC9+NYfwQcB:mB1KYFZl8TMm80s3qyOiP6LGZuPxNltV`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "eYCRcOqv" C:\Users\test22\AppData\Local\Temp\ALL.TXT
7092
- notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\test22\AppData\Local\Temp\ALL.TXT
  6988

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 27, 2021, 9:45 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 27, 2021, 9:45 a.m.	process_identifier: 6988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0	0

Yara rule detected in process memory (12 events)

description	Take screenshot				rule	screenshot
description	Affect system registries				rule	win_registry
description	Affect system token				rule	win_token
description	Affect private profile				rule	win_files_operation
description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

File has been identified by 12 AntiVirus engines on VirusTotal as malicious (12 events)

MicroWorld-eScan	Heur.BZC.PZQ.Boxter.794.C1C92E66
FireEye	Heur.BZC.PZQ.Boxter.794.C1C92E66
ALYac	Heur.BZC.PZQ.Boxter.794.C1C92E66
Symantec	ISB.Downloader!gen281
ESET-NOD32	PowerShell/TrojanDownloader.Agent.DTA
Avast	Script:SNH-gen [Trj]
BitDefender	Heur.BZC.PZQ.Boxter.794.C1C92E66
Ad-Aware	Heur.BZC.PZQ.Boxter.794.C1C92E66
Arcabit	Heur.BZC.PZQ.Boxter.794.C1C92E66
GData	Heur.BZC.PZQ.Boxter.794.C1C92E66
MAX	malware (ai score=83)
AVG	Script:SNH-gen [Trj]