Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 16, 2021, 9:01 a.m.	June 16, 2021, 9:14 a.m.

Size	145.5KB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`50aaf6913329c08eb8be0560cb5a2434`
SHA256	`a863a77b7a0b09530e3bf38fe9714496fe692106f7fe3ec774991d0ad5ddca19`
CRC32	`85B258A1`
ssdeep	`3072:umlS4kfzNcgUOexdmDzttz1KBiJ+3QcafQ8dOAGfmE7JXwMeVoe:um04m1c45UAJ+jcVTEVAMVe`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

shttp3.exe "C:\Users\test22\AppData\Local\Temp\shttp3.exe"
6704

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

Feokt.

The executable uses a known packer (1 event)

packer

Feokt

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 16, 2021, 9:01 a.m.	process_identifier: 6704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0	0

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Small HTTP server\Small HTTP server.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Small HTTP server\Small HTTP server.lnk

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00024200', u'virtual_address': u'0x00001000', u'entropy': 7.983702547070459, u'name': u'Feokt.', u'virtual_size': u'0x0002d000'}

entropy

7.98370254707

description

A section with a high entropy has been found

entropy

0.996551724138

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Bkav	W32.AIDetectVM.malware2
FireEye	Generic.mg.50aaf6913329c08e
CAT-QuickHeal	Serverweb.Smallhttp
Malwarebytes	PUP.Optional.SmallHTTP
Zillya	Trojan.ServerWeb.Win32.31
Sangfor	Malware
K7AntiVirus	Unwanted-Program ( 005323b21 )
K7GW	Unwanted-Program ( 005323b21 )
Cybereason	malicious.74e844
Invincea	heuristic
APEX	Malicious
Kaspersky	not-a-virus:Server-Web.Win32.SmallHTTP.30565
NANO-Antivirus	Riskware.Win32.ServerWeb.enjdq
AegisLab	Riskware.Win32.SmallHTTP.1!c
Comodo	Malware@#xmfpa0qotwwr
F-Secure	PrivacyRisk.SPR/SmallHTTP.B
DrWeb	Program.Server.219
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	BehavesLike.Win32.Generic.cc
Trapmine	malicious.high.ml.score
CMC	Server-Web.Win32.SmallHTTP!O
Sophos	Small HTTP (PUA)
SentinelOne	DFI - Suspicious PE
Jiangmin	Server-Web.SmallHTTP.b
Webroot	W32.Rogue.Gen
Avira	SPR/SmallHTTP.B
Antiy-AVL	GrayWare[Server-Web]/Win32.SmallHTTP
Microsoft	Trojan:Win32/Occamy.C
Endgame	malicious (high confidence)
ZoneAlarm	not-a-virus:Server-Web.Win32.SmallHTTP.30565
GData	Win32.Application.Agent.SK0OJQ
McAfee	Generic PUP.ju
ESET-NOD32	Win32/Server-Web.SmallHTTP.AA potentially unsafe
Rising	Trojan.Generic@ML.100 (RDMK:gxJj3CLIbpszGPvpZpIfzQ)
Yandex	Riskware.WebSrv!
Ikarus	not-a-virus:Server-Web.Win32.SmallHTTP
eGambit	Generic.Malware
Fortinet	Riskware/SmallHTTP
MaxSecure	Trojan.Malware.375167.susgen
CrowdStrike	win/malicious_confidence_80% (W)

shttp3.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All