popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

b.exe

Malicious Library Admin Tool (Sysinternals etc ...) UPX Malicious Packer PE File DLL OS Processor Check PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 Aug. 17, 2021, 5:32 p.m. Aug. 17, 2021, 5:38 p.m.
Size 1.9MB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 bfa3677a1d68a0b2bec0f0cba4c34416
SHA256 b8ac779bad0064cb5e6371e1b1e745bbf9a7751f95d77729c2f461c5a2fc185e
CRC32 86018B4E
ssdeep 49152:enzwtiBW+oUcWH9b7eD3cQFP2QlQoZ/6kRgJiRSwH:wztW0dZlQlQoZ/6UgJy
Yara
  • PE_Header_Zero - PE File Signature
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
silentlegion.duckdns.org
A 3.142.212.137
3.142.212.137
hashlegion.duckdns.org
A 3.67.42.250
3.67.42.250
IP Address Status Action
164.124.101.2 Active Moloch
3.142.212.137 Active Moloch
3.67.42.250 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.102:64034 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.102:52062 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features HTTP version 1.0 used suspicious_request GET http://silentlegion.duckdns.org/badproc.txt
domain hashlegion.duckdns.org
domain silentlegion.duckdns.org
request GET http://silentlegion.duckdns.org/badproc.txt
file C:\Windows\splwin.exe
file C:\Users\test22\AppData\Local\Temp\nsr7C8C.tmp\nsProcess.dll
file C:\Users\test22\AppData\Local\Temp\nsr7C8C.tmp\nsExec.dll
Time & API Arguments Status Return Repeated

CreateServiceW

 service_start_name:
start_type: 2
password:
display_name: IntelService
filepath: C:\Windows\splwin.exe
service_name: svswin
filepath_r: C:\Windows\splwin.exe
desired_access: 983551
service_handle: 0x0065b878
error_control: 1
service_type: 16
service_manager_handle: 0x0065b918
1 6666360 0
cmdline C:\Windows\system32\cmd.exe /C net stop svswin
cmdline C:\Windows\system32\cmd.exe /C Sc create svswin binpath= C:\Windows\splwin.exe start= auto DisplayName= IntelService
cmdline C:\Windows\system32\cmd.exe /C Sc delete svswin
cmdline C:\Windows\system32\cmd.exe /C sc description svswin ServiceManagerForWin
cmdline C:\Windows\system32\cmd.exe /C net start svswin
file C:\Users\test22\AppData\Local\Temp\nsr7C8C.tmp\nsExec.dll
file C:\Users\test22\AppData\Local\Temp\nsr7C8C.tmp\nsProcess.dll
cmdline net start svswin
cmdline C:\Windows\system32\cmd.exe /C net stop svswin
cmdline Sc create svswin binpath= C:\Windows\splwin.exe start= auto DisplayName= IntelService
cmdline C:\Windows\system32\cmd.exe /C Sc create svswin binpath= C:\Windows\splwin.exe start= auto DisplayName= IntelService
cmdline sc description svswin ServiceManagerForWin
cmdline C:\Windows\system32\cmd.exe /C Sc delete svswin
cmdline net stop svswin
cmdline Sc delete svswin
cmdline C:\Windows\system32\cmd.exe /C sc description svswin ServiceManagerForWin
cmdline C:\Windows\system32\cmd.exe /C net start svswin
service_name svswin service_path C:\Windows\splwin.exe
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Zusy.325941
FireEye Generic.mg.bfa3677a1d68a0b2
CAT-QuickHeal Trojan.Agent
ALYac Gen:Variant.Zusy.325941
Cylance Unsafe
Sangfor Suspicious.Win32.Save.a
K7AntiVirus Trojan-Downloader ( 0050e5cf1 )
Alibaba Trojan:Win32/CoinMiner.04215d33
K7GW Trojan-Downloader ( 0050e5cf1 )
CrowdStrike win/malicious_confidence_60% (W)
Cyren W32/Trojan.SMLD-6675
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Delf.BBD
APEX Malicious
Kaspersky HEUR:Trojan.Win32.Generic
BitDefender Gen:Variant.Zusy.325941
SUPERAntiSpyware Trojan.Agent/Gen-Zusy
Avast Win32:Trojan-gen
Tencent Win32.Trojan.Generic.Pjxb
Sophos Mal/Generic-S
VIPRE Trojan.Win32.Generic!BT
McAfee-GW-Edition BehavesLike.Win32.Generic.tc
Emsisoft Gen:Variant.Zusy.325941 (B)
Ikarus Trojan.Delf.CoinMiner
Avira HEUR/AGEN.1138164
Antiy-AVL Trojan/Generic.ASMalwS.337C6A3
Gridinsoft Malware.Win32.Gen.cc!s5
Microsoft Trojan:Win32/Sabsik.TE.B!ml
ZoneAlarm HEUR:Trojan.Win32.Generic
GData Gen:Variant.Zusy.325941
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Fuery.R202739
McAfee Artemis!BFA3677A1D68
MAX malware (ai score=87)
VBA32 Trojan.Sabsik.TE
Malwarebytes Malware.AI.4240736848
Rising Trojan.CoinMiner/NSIS!1.D88C (CLASSIC)
Yandex Trojan.Delf!YJMVO1Sclss
SentinelOne Static AI - Suspicious PE
Fortinet W32/Delf.BBD!tr
BitDefenderTheta Gen:NN.ZelphiF.34088.@V0@aCEm37ki
AVG Win32:Trojan-gen
Cybereason malicious.a1d68a
Panda Trj/CI.A