Summary | ZeroBOX

shttp3.exe

PE32 PE File
Category FILE
Machine s1_win7_x6402
Started June 5, 2021, 10:44 a.m.
Completed June 5, 2021, 10:46 a.m.
Size 124.0KB
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5 1eb15f19afe77f525510b2a3f2f7aba3
SHA256 b8edc36da64ff688d0ce92996a9207790063a6d3068da6516f0b83dc28501f79
CRC32 38B9072B
ssdeep 3072:Mmjga722qlwJlpnTeDq3btOfb5zIpKe6eV5orfVzKfE+wMxIgF:Mmj9993Te+3btOflsjWrRKfEKIg
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Hosts (Name / Response / Post-Analysis Lookup)
No hosts contacted.
IP Address 172.217.25.14
Status Active
Action Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section Feokt.
packer Feokt
API NtProtectVirtualMemory
Arguments
  • process_identifier: 5904
  • stack_dep_bypass: 0
  • stack_pivoted: 0
  • heap_dep_bypass: 0
  • length: 4096
  • protection: 64 (PAGE_EXECUTE_READWRITE)
  • base_address: 0x73772000
  • process_handle: 0xffffffff
Status 1
Return 0
Repeated 0
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Small HTTP server\Small HTTP server.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Small HTTP server\Small HTTP server.lnk
section Feokt. (virtual_address 0x00001000, virtual_size 0x00027000, size_of_data 0x0001ec00, entropy 7.979279296744818) entropy 7.97927929674 description A section with a high entropy has been found
entropy 0.995951417004 description Overall entropy of this PE file is high
host 172.217.25.14
Bkav W32.AIDetectVM.malware2
Elastic malicious (high confidence)
DrWeb Program.Server.43
FireEye Generic.mg.1eb15f19afe77f52
Cylance Unsafe
Sangfor Malware
K7AntiVirus Unwanted-Program ( 005323b21 )
K7GW Unwanted-Program ( 005323b21 )
Cybereason malicious.1fa7ff
Cyren W32/Tool.ZMGP-7906
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Server-Web.SmallHTTP.AA potentially unsafe
APEX Malicious
Paloalto generic.ml
Kaspersky not-a-virus:Server-Web.Win32.SmallHTTP.30565
NANO-Antivirus Riskware.Win32.ServerWeb.enjdq
Sophos Small HTTP (PUA)
Comodo Malware@#3rv2smigq80h6
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R002C0DHC20
McAfee-GW-Edition BehavesLike.Win32.VirRansom.cc
SentinelOne Static AI - Suspicious PE
Jiangmin Server-Web.SmallHTTP.h
Webroot W32.Trojan.Gen
Antiy-AVL RiskWare[Server-Web]/Win32.SmallHTTP
Gridinsoft PUP.Win32.Presenoker.vb!s1
Microsoft Trojan:Win32/Occamy.AA
AegisLab Riskware.Win32.SmallHTTP.1!c
ZoneAlarm not-a-virus:Server-Web.Win32.SmallHTTP.30565
Cynet Malicious (score: 100)
McAfee RDN/Generic PUP.z
MAX malware (ai score=98)
Malwarebytes PUP.Optional.SmallHTTP
TrendMicro-HouseCall TROJ_GEN.R002C0DHC20
Rising Trojan.Generic@ML.100 (RDMK:V45pwdSUo6HmNDGS0xuWuQ)
Yandex Riskware.WebSrv!xIU6S+mmHjs
Ikarus not-a-virus:Server-Web.Win32.SmallHTTP
eGambit Generic.Malware
Fortinet Riskware/SmallHTTP
MaxSecure Trojan.Malware.375167.susgen
CrowdStrike win/malicious_confidence_80% (W)
Qihoo-360 Win32/Virus.f7c