Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 2, 2021, 4:11 p.m.	July 2, 2021, 4:13 p.m.

Size	72.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`6c77c76454570716846ba6815034ba10`
SHA256	`7e2d72b0a1edfdcbff3274250989bebcfae867c42f1417057c8a5adc4c2daf58`
CRC32	`3B74B261`
ssdeep	`768:KYVNd+RLgdC85OhXarCuthQazw5zwTCunEQWf0oE6jxdCjq/awSpW+Nzsj8EZMuS:XVNoRKCWOhXicluEPrHI4+KZqi5K`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

%E4%BD%9C%E8%80%85.exe "C:\Users\test22\AppData\Local\Temp\%E4%BD%9C%E8%80%85.exe"
112

Name	Response	Post-Analysis Lookup
i.qq.com	A 203.205.254.103	203.205.254.103
user.qzone.qq.com	A 203.205.254.103	203.205.254.103

IP Address	Status	Action
150.158.157.34	Active	Moloch
164.124.101.2	Active	Moloch
203.205.254.103	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49206 -> 203.205.254.103:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49204 -> 203.205.254.103:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49210 -> 203.205.254.103:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49208 -> 203.205.254.103:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49198 -> 150.158.157.34:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49198 -> 150.158.157.34:80	2008974	ET ADWARE_PUP User-Agent (Mozilla/4.0 (compatible))	Possibly Unwanted Program Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49206 203.205.254.103:443	C=US, O=DigiCert Inc, CN=DigiCert Secure Site CN CA G3	C=CN, ST=Guangdong Province, L=Shenzhen, O=Shenzhen Tencent Computer Systems Company Limited, CN=qrobot.qq.com	1e:78:2f:5f:26:2b:1b:23:32:61:8a:69:d9:eb:4b:b0:33:73:5d:26
TLSv1 192.168.56.101:49204 203.205.254.103:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Secure Site CA G2	C=CN, ST=Guangdong Province, L=Shenzhen, O=Shenzhen Tencent Computer Systems Company Limited, OU=R&D, CN=*.qzone.qq.com	89:39:26:02:eb:fd:36:ce:7d:93:4f:b3:e5:16:96:06:0f:b6:9a:5b
TLSv1 192.168.56.101:49210 203.205.254.103:443	None	None	None
TLSv1 192.168.56.101:49208 203.205.254.103:443	None	None	None

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 2, 2021, 4:11 p.m.		1	1	0

The executable uses a known packer (1 event)

packer

UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

None

HTTP traffic contains suspicious features which may be indicative of malware related traffic (5 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://150.158.157.34/NetSyst88.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET http://user.qzone.qq.com/12345678
suspicious_features	GET method with no useragent header	suspicious_request	GET http://i.qq.com/?s_url=http%3A%2F%2Fuser.qzone.qq.com%2F12345678
suspicious_features	GET method with no useragent header	suspicious_request	GET https://user.qzone.qq.com/12345678
suspicious_features	GET method with no useragent header	suspicious_request	GET https://i.qq.com/?s_url=http%3A%2F%2Fuser.qzone.qq.com%2F12345678

Performs some HTTP requests (5 events)

request	GET http://150.158.157.34/NetSyst88.dll
request	GET http://user.qzone.qq.com/12345678
request	GET http://i.qq.com/?s_url=http%3A%2F%2Fuser.qzone.qq.com%2F12345678
request	GET https://user.qzone.qq.com/12345678
request	GET https://i.qq.com/?s_url=http%3A%2F%2Fuser.qzone.qq.com%2F12345678

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 2, 2021, 4:11 p.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 3203072 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 2, 2021, 4:11 p.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 237568 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1030f000 process_handle: 0xffffffff	1	0	0

A process attempted to delay the analysis task. (1 event)

description

%E4%BD%9C%E8%80%85.exe tried to sleep 221 seconds, actually delayed analysis time by 221 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW July 2, 2021, 4:11 p.m.	total_number_of_free_bytes: 13726703616 free_bytes_available: 13726703616 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (1 event)

file	C:\Program Files\AppPatch\NetSyst88.dll

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (15 events)

Time & API	Arguments	Status	Return
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: pw.exe process_identifier: 2368	1	1
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: taskhost.exe process_identifier: 752	1	1
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 112	1	1
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 7143523		0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 7667815		0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 7536748		0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 7340109		0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 6357102		0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 7340129		0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 3342433		0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 6357089		0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 7733363		0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 6881388		0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 7536741		0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 6750305		0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0000d200', u'virtual_address': u'0x0003a000', u'entropy': 7.891539968040035, u'name': u'UPX1', u'virtual_size': u'0x0000e000'}

entropy

7.89153996804

description

A section with a high entropy has been found

entropy

0.734265734266

description

Overall entropy of this PE file is high

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (31 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 7602224		0	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 7536688		0	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 3014768		0	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 7274573		0	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 5046390		0	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 6815859		0	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 6881397		0	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 7602277		0	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 6553715		0	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 7143523		0	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 6619235		0	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 4456552		0	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 7536758		0	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 6684769		0	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 4390992		0	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 6553705		0	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 7667815		0	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 6750273		0	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 7536748		0	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 7340109		0	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 6357102		0	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 7340129		0	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 6553705		0	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 3342433		0	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 6357089		0	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 7733363		0	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 6881388		0	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 7536741		0	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 7536758		0	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 6750305		0	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000003cc process_name: %E4%BD%9C%E8%80%85.exe process_identifier: 6881397		0	0

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Communicates with host for which no DNS query was performed (1 event)

host

150.158.157.34

Network activity contains more than one unique useragent (2 events)

process	%E4%BD%9C%E8%80%85.exe				useragent	Mozilla/4.0 (compatible)
process	%E4%BD%9C%E8%80%85.exe				useragent

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

Bkav	W32.AIDetect.malware2
MicroWorld-eScan	Trojan.Cud.Gen.1
Cylance	Unsafe
VIPRE	Trojan-Downloader.Win32.Zegost.al (v)
Sangfor	Trojan.Win32.Generic.ky
K7AntiVirus	Trojan-Downloader ( 0055e3da1 )
Alibaba	Backdoor:Win32/Zlob.180910
K7GW	Trojan-Downloader ( 0055e3da1 )
Cybereason	malicious.454570
Baidu	Win32.Trojan-Downloader.Agent.bh
Cyren	W32/Trojan.IM1.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/TrojanDownloader.Agent.CHD
APEX	Malicious
Avast	FileRepMalware
ClamAV	Win.Downloader.Zegost-6484584-1
Kaspersky	HEUR:Backdoor.Win32.Generic
BitDefender	Trojan.Cud.Gen.1
NANO-Antivirus	Trojan.Win32.AD.dvpspc
Paloalto	generic.ml
ViRobot	Trojan.Win32.Z.Agent.74240.AAP
Tencent	Win32.Trojan.Generic.Wqxb
Ad-Aware	Trojan.Cud.Gen.1
Emsisoft	Trojan.Cud.Gen.1 (B)
DrWeb	BackDoor.Spy.2978
Zillya	Downloader.Agent.Win32.311750
TrendMicro	BKDR_ZEGOST.SM22
McAfee-GW-Edition	Trojan-FJYJ!0159CAD8C8FE
FireEye	Trojan.Cud.Gen.1
Sophos	Mal/Generic-S
Jiangmin	Backdoor.Generic.afio
Avira	TR/Taranis.2302
MAX	malware (ai score=80)
Gridinsoft	Trojan.Win32.Downloader.sa
Microsoft	Trojan:Win32/Redosdru.V
GData	Trojan.Cud.Gen.1
Cynet	Malicious (score: 99)
McAfee	Artemis!6C77C7645457
VBA32	BScope.Backdoor.Agent
TrendMicro-HouseCall	BKDR_ZEGOST.SM22
Yandex	Trojan.GenAsa!tNjW2qB+pcY
Ikarus	Trojan-Downloader.Win32.Agent
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Agent.AVF!tr.dldr
AVG	FileRepMalware
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_100% (W)
Qihoo-360	Win32/Backdoor.Redosdru.HgIASXEA

%E4%BD%9C%E8%80%85.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All