Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 21, 2021, 8:30 a.m.	May 21, 2021, 8:35 a.m.

Size	160.5KB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`83377601918cdc76c76ed36c06a01546`
SHA256	`54d7c29b440127f8d9c901d9c1bef5c40c0dfbaddc51cb680e9d06040dd74131`
CRC32	`6D0A005E`
ssdeep	`3072:jOzPcXa+ND32eioGHlz8rnAE0HCXh0edLvbYMjMqqDvFf:jOTcK+NrRioGHlz8rz0i/bzQqqDvFf`
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description)

00.exe "C:\Users\test22\AppData\Local\Temp\00.exe"
1016
- Host.exe "C:\Users\test22\AppData\Roaming\Install\Host.exe"
  2680

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
54.169.190.71	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 21, 2021, 8:30 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 21, 2021, 8:30 a.m.		1	1	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\Install\Host.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\Install\Host.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\Install\Host.exe

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00004e00', u'virtual_address': u'0x00022000', u'entropy': 7.008280393331452, u'name': u'.data', u'virtual_size': u'0x00004c7c'}

entropy

7.00828039333

description

A section with a high entropy has been found

Communicates with host for which no DNS query was performed (1 event)

host

54.169.190.71

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Roaming\Install\Host.exe

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

54.169.190.71:3030

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.Agent.FCZE
FireEye	Generic.mg.83377601918cdc76
ALYac	Trojan.Agent.FCZE
Cylance	Unsafe
Zillya	Trojan.Weecnaw.Win32.761
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005485311 )
K7GW	Trojan ( 005485311 )
Cybereason	malicious.1918cd
BitDefenderTheta	Gen:NN.ZexaF.34690.kCW@amsq2rh
Cyren	W32/S-6c6572b7!Eldorado
Symantec	Infostealer
ESET-NOD32	a variant of Win32/Spy.Weecnaw.P
TrendMicro-HouseCall	Backdoor.Win32.NETWIRED.SMK
ClamAV	Win.Dropper.NetWire-8025706-0
Kaspersky	Backdoor.Win32.NetWiredRC.lac
BitDefender	Trojan.Agent.FCZE
NANO-Antivirus	Trojan.Win32.Wirenet.hlbptg
Avast	Win32:RATX-gen [Trj]
Rising	Backdoor.NetWire!1.C98D (RDMK:cmRtazq3PBhEnW/blO6SstfiNIb2)
Ad-Aware	Trojan.Agent.FCZE
TACHYON	Trojan/W32.NetWiredRC.164352
Emsisoft	Trojan.Agent.FCZE (B)
DrWeb	BackDoor.Wirenet.557
TrendMicro	Backdoor.Win32.NETWIRED.SMK
McAfee-GW-Edition	BehavesLike.Win32.PWSZbot.ch
Sophos	ML/PE-A
Ikarus	Trojan-Spy.Agent
Jiangmin	Backdoor.NetWiredRC.bld
Avira	TR/Spy.Gen
Antiy-AVL	Trojan/Generic.ASMalwS.309056C
Microsoft	Trojan:MSIL/NetWire.AD!MTB
Gridinsoft	Ransom.Win32.Wacatac.oa!s1
Arcabit	Trojan.Agent.FCZE
GData	Win32.Trojan.Netwire.C
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.RL_NetWiredRC.R342610
McAfee	GenericRXKH-LK!83377601918C
MAX	malware (ai score=88)
VBA32	BScope.TrojanSpy.Loyeetro
Malwarebytes	Backdoor.Quasar
APEX	Malicious
Tencent	Malware.Win32.Gencirc.10ce3933
Yandex	Trojan.GenAsa!DOgbQEDHp9A
SentinelOne	Static AI - Suspicious PE
eGambit	Unsafe.AI_Score_71%
Fortinet	W32/Ulise.103681!tr
MaxSecure	Trojan.Malware.102170081.susgen
AVG	Win32:RATX-gen [Trj]

00.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All