Summary | ZeroBOX

7sdjhui32sof.exe

Ficker Stealer Malicious Library UPX PE32 PE File
Category FILE
Machine s1_win7_x6403_us
Started Aug. 4, 2021, 10:09 a.m.
Completed Aug. 4, 2021, 10:11 a.m.
Size 266.5KB
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5 270c3859591599642bd15167765246e3
SHA256 dee4bb7d46bbbec6c01dc41349cb8826b27be9a0dcf39816ca8bd6e0a39c2019
CRC32 D9D2C587
ssdeep 6144:Rxa4Hg2gf0jOrkOWnNwZvbMoq2T4qi+AHPHrr:JHg727Nwyo9Av/
Yara
  • PE_Header_Zero - PE File Signature
  • Ficker_Stealer_Zero - Ficker Stealer
  • UPX_Zero - UPX packed file
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49161 -> 54.225.245.108:80 2029622 ET POLICY External IP Lookup (ipify .org) Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

request GET http://api.ipify.org/?format=xml
domain api.ipify.org
section .rdata: size_of_data 0x00002e00, virtual_address 0x00037000, virtual_size 0x00002da8, entropy 6.918254569016699
description A section with a high entropy has been found

Vendor Detection
Lionic Trojan.Win32.Zudochka.4!c
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Doina.7190
FireEye Generic.mg.270c385959159964
CAT-QuickHeal Trojan.Zudochka
McAfee GenericRXMH-DA!270C38595915
Cylance Unsafe
Zillya Trojan.Agent.Win32.2176835
K7AntiVirus Trojan ( 0001555e1 )
Alibaba TrojanDownloader:Win32/Stealer.e3f3d02c
K7GW Trojan ( 0001555e1 )
CrowdStrike win/malicious_confidence_100% (W)
BitDefenderTheta Gen:NN.ZexaF.34050.qGX@aOESqXf
Cyren W32/Agent.CFX.gen!Eldorado
Symantec Trojan.Gen.MBT
ESET-NOD32 a variant of Win32/Agent.UKB
TrendMicro-HouseCall TrojanSpy.Win32.FICKERSTEALER.SMTH.hp
Paloalto generic.ml
ClamAV Win.Trojan.FickerStealer-9805476-1
Kaspersky HEUR:Trojan.Win32.Zudochka.vho
BitDefender Gen:Variant.Doina.7190
NANO-Antivirus Trojan.Win32.Ficker.iqqcxe
APEX Malicious
Ad-Aware Gen:Variant.Doina.7190
Emsisoft Trojan.Agent (A)
Comodo Malware@#23yxbayqoakan
DrWeb Trojan.PWS.Stealer.29929
VIPRE Trojan.Win32.Generic!BT
TrendMicro TrojanSpy.Win32.FICKERSTEALER.SMTH.hp
McAfee-GW-Edition BehavesLike.Win32.Generic.dh
Sophos Mal/Generic-R + Troj/Steal-BUK
Ikarus Trojan-Spy.FickerStealer
Jiangmin Trojan.PSW.Ficker.ej
eGambit Unsafe.AI_Score_97%
Avira TR/Agent.bjchm
Antiy-AVL Trojan/Generic.ASMalwS.3374A20
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft Ransom:Win32/Zudochka
Gridinsoft Trojan.Win32.Downloader.sa
ViRobot Trojan.Win32.Z.Zudochka.272910
GData Gen:Variant.Doina.7190
Cynet Malicious (score: 100)
AhnLab-V3 Infostealer/Win.FickerStealer.R352614
VBA32 BScope.Trojan.Zudochka
MAX malware (ai score=100)
Malwarebytes Spyware.FickerStealer
Avast Win32:TrojanX-gen [Trj]
Tencent Malware.Win32.Gencirc.11c521eb
Yandex Trojan.Zudochka!822ndTsjxTI
SentinelOne Static AI - Suspicious PE