Summary | ZeroBOX

vbc.exe

Tags: UPX, PE32, PE File

Category FILE
Machine s1_win7_x6401
Started Aug. 28, 2021, 5:44 p.m.
Completed Aug. 28, 2021, 5:59 p.m.
Size 554.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 73db2b58503ec0b2b56c4f9fdff3fe40
SHA256 b143f984cc0745b1529e2253761eaff547509e7fa44d20c220d44d176a7952e7
CRC32 28BC2B4B
ssdeep 12288:5Xe9PPlowWX0t6mOQwg1Qd15CcYk0We1NPcOo+shpo7+:ghloDX0XOf4XPe+sk7+
Yara
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file
  • IsPE32 - (no description)

DNS (Name, Response, Post-Analysis Lookup)
  • a.uguu.se 144.76.201.136

IP addresses (IP Address, Status, Action)
  • 144.76.201.136 Active Moloch
  • 164.124.101.2 Active Moloch
  • 91.193.75.168 Active Moloch

API calls (columns: Time & API, Arguments, Status, Return, Repeated)

IsDebuggerPresent
  0 0

GlobalMemoryStatusEx
  1 1 0

NtProtectVirtualMemory
  process_identifier: 1116
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x72a62000
  process_handle: 0xffffffff
  1 0 0

NtAllocateVirtualMemory
  process_identifier: 1116
  region_size: 4096
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x04020000
  allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
  process_handle: 0xffffffff
  1 0 0
Signature details
  • section UPX1 (size_of_data 0x00054400, virtual_address 0x000b9000, virtual_size 0x00055000, entropy 7.9359027984096) description A section with a high entropy has been found
  • entropy 0.608852755194 description Overall entropy of this PE file is high
  • section UPX0 description Section name indicates UPX
  • section UPX1 description Section name indicates UPX
  • host 91.193.75.168
Antivirus results (Vendor, Detection)
Lionic Trojan.Win32.Zenlod.a!c
Elastic malicious (high confidence)
MicroWorld-eScan AIT:Trojan.Nymeria.4901
FireEye AIT:Trojan.Nymeria.4901
McAfee Artemis!73DB2B58503E
Cylance Unsafe
Sangfor Trojan.Win32.Zenlod.lcz
CrowdStrike win/malicious_confidence_60% (W)
Alibaba TrojanDownloader:Win32/Zenlod.23fc2978
K7GW Trojan-Downloader ( 005817c31 )
K7AntiVirus Trojan-Downloader ( 005817c31 )
Symantec Trojan.Gen.MBT
ESET-NOD32 a variant of Win32/TrojanDownloader.Autoit.PEK
APEX Malicious
Kaspersky Trojan-Downloader.Win32.Zenlod.lcz
BitDefender AIT:Trojan.Nymeria.4901
Avast Win32:Trojan-gen
Ad-Aware AIT:Trojan.Nymeria.4901
Emsisoft AIT:Trojan.Nymeria.4901 (B)
McAfee-GW-Edition BehavesLike.Win32.TrojanAitInject.hc
Sophos Mal/Generic-S
Ikarus Trojan-Downloader.Win32.AutoIt
MAX malware (ai score=80)
Kingsoft Win32.TrojDownloader.Zenlod.l.(kcloud)
Microsoft Trojan:Script/Phonzy.C!ml
GData AIT:Trojan.Nymeria.4901 (3x)
Cynet Malicious (score: 100)
ALYac AIT:Trojan.Nymeria.4901
Malwarebytes Malware.AI.214323910
Tencent Win32.Trojan.Heur.Aish
eGambit Unsafe.AI_Score_99%
Fortinet W32/Autoit.PEK!tr
AVG Win32:Trojan-gen
Panda Trj/CI.A