Summary | ZeroBOX

win767.exe

Schwerer AutoIt UPX PE32 PE File
Category: FILE
Machine: s1_win7_x6402
Started: Sept. 1, 2021, 7:41 a.m.
Completed: Sept. 1, 2021, 7:43 a.m.
Size 577.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 be748577200ac649a36bf877a9e95f12
SHA256 39bceabd43cf3472c7d45aed5ebf68ed44b0aa83cad61b4b1d7a57038b17f200
CRC32 985E36BB
ssdeep 12288:fXe9PPlowWX0t6mOQwg1Qd15CcYk0We10Va5VmuZYYmQkI:mhloDX0XOf495VmIhvp
Yara
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file
  • AutoIt - autoit
  • IsPE32 - (no description)
  • Schwerer_IN - Schwerer

Name / Response / Post-Analysis Lookup
pomf.lain.la 167.114.3.98

IP Address / Status / Action
107.191.99.49 Active Moloch
164.124.101.2 Active Moloch

Time & API / Arguments / Status / Return / Repeated

IsDebuggerPresent
0 0

GlobalMemoryStatusEx
1 1 0

NtProtectVirtualMemory

process_identifier: 1092
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73662000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02e30000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
section UPX1 (size_of_data: 0x00054400, virtual_address: 0x000bf000, virtual_size: 0x00055000) entropy 7.935932357990196 description A section with a high entropy has been found
section .rsrc (size_of_data: 0x0003be00, virtual_address: 0x00114000, virtual_size: 0x0003c000) entropy 7.361723467938201 description A section with a high entropy has been found
entropy 1.0 description Overall entropy of this PE file is high
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
Lionic Trojan.Win32.Noon.l!c
Elastic malicious (high confidence)
MicroWorld-eScan AIT:Trojan.Nymeria.4914
FireEye Generic.mg.be748577200ac649
Cylance Unsafe
CrowdStrike win/malicious_confidence_70% (W)
Arcabit AIT:Trojan.Nymeria.D1332
ESET-NOD32 Win32/TrojanDownloader.Autoit.PET
APEX Malicious
Paloalto generic.ml
Kaspersky UDS:Trojan-Spy.Win32.Noon
BitDefender AIT:Trojan.Nymeria.4914
Avast FileRepMalware
Ad-Aware AIT:Trojan.Nymeria.4914
Sophos Mal/Generic-S
McAfee-GW-Edition BehavesLike.Win32.TrojanAitInject.hc
Emsisoft AIT:Trojan.Nymeria.4914 (B)
Ikarus Trojan.Autoit
MAX malware (ai score=89)
Microsoft Trojan:Win32/Woreflint.A!cl
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData AIT:Trojan.Nymeria.4914 (3x)
McAfee Artemis!BE748577200A
Malwarebytes Malware.AI.2137099754
eGambit Unsafe.AI_Score_99%
Fortinet AutoIt/Injector.BFC6!tr
AVG FileRepMalware
Cybereason malicious.396de1