Summary | ZeroBOX

vbc.exe

Tags: AutoIt | Generic Malware | UPX | PE32 | PE File
Category FILE
Machine s1_win7_x6402
Started Sept. 1, 2021, 9:32 a.m.
Completed Sept. 1, 2021, 9:36 a.m.
Size 368.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 3b0b40fc6119f8ac909a86a6522e8e4a
SHA256 f8efdc806be878faaf8c96d42603f505f207f034106779d8a1a356d1eab253d6
CRC32 B86FC1C3
ssdeep 6144:j4XrK9PX7Fp6Gh2wWRGl0EDDf1PisZQ5rAGQwg1QtP1f4paaYlsdcaMJEdbI0Pze:sXe9PPlowWX0t6mOQwg1Qd15CcYk0WeO
Yara
  • PE_Header_Zero - PE File Signature
  • Generic_Malware_Zero - Generic Malware
  • UPX_Zero - UPX packed file
  • AutoIt - autoit
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
pomf.lain.la 107.191.99.49
IP Address Status Action
164.124.101.2 Active Moloch
198.244.149.184 Active Moloch

Time & API Arguments Status Return Repeated

IsDebuggerPresent
Return: 0  Repeated: 0

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx
Status: 1  Return: 1  Repeated: 0

Time & API Arguments Status Return Repeated

NtProtectVirtualMemory
process_identifier: 2456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73662000
process_handle: 0xffffffff (-1, the current-process pseudo-handle)
Status: 1  Return: 0 (STATUS_SUCCESS)  Repeated: 0

NtAllocateVirtualMemory
process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02db0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff (-1, the current-process pseudo-handle)
Status: 1  Return: 0 (STATUS_SUCCESS)  Repeated: 0
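The two memory rows above are what a sandbox's "allocates or re-protects read-write-execute memory" style check keys on: a page in the sample's own process (handle -1) that is both writable and executable. The script below is an added example, not code from the ZeroBOX report or from its signature set; it reimplements that check over Cuckoo-style call records. The record layout (api / arguments / return_value) is an assumption about the export format, and the argument values are copied from the rows on this page. Note the difference between the two hits: NtAllocateVirtualMemory creates a fresh RWX region, while NtProtectVirtualMemory changes the protection of an existing 4 KiB page at 0x73662000, which a practitioner would resolve against the process's module list before drawing conclusions.

```python
"""Flag read-write-execute memory operations in a Cuckoo-style API call log.

Added example; not the sandbox's own code. Record layout follows Cuckoo's
behavior JSON (assumption); the values come from the report rows above.
"""

# Win32 page-protection constants (winnt.h). The low byte carries the access
# class; higher bits are modifiers such as PAGE_GUARD.
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
ALLOCATION_TYPES = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
                    0x100000: "MEM_TOP_DOWN", 0x400000: "MEM_PHYSICAL"}
WRITABLE_AND_EXECUTABLE = {0x40, 0x80}          # PAGE_EXECUTE_READWRITE / _WRITECOPY
MEMORY_APIS = {"NtAllocateVirtualMemory", "NtProtectVirtualMemory"}
CURRENT_PROCESS_HANDLES = {0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF}  # -1 as a 32- or 64-bit handle
STATUS_SUCCESS = 0

# Constructed call log: the three calls shown in the report. IsDebuggerPresent
# is kept to show that non-memory calls are ignored.
CALLS = [
    {"api": "IsDebuggerPresent", "arguments": {}, "return_value": 0},
    {"api": "NtProtectVirtualMemory",
     "arguments": {"process_identifier": 2456, "length": 4096, "protection": 64,
                   "base_address": "0x73662000", "process_handle": "0xffffffff"},
     "return_value": 0},
    {"api": "NtAllocateVirtualMemory",
     "arguments": {"process_identifier": 2456, "region_size": 4096, "protection": 64,
                   "base_address": "0x02db0000", "allocation_type": 12288,
                   "process_handle": "0xffffffff"},
     "return_value": 0},
]


def _to_int(value):
    """Arguments arrive as ints or as '0x...' strings depending on the exporter."""
    return int(value, 0) if isinstance(value, str) else int(value)


def decode_protection(value: int) -> str:
    """64 -> 'PAGE_EXECUTE_READWRITE', 0x104 -> 'PAGE_READWRITE|PAGE_GUARD'."""
    base = value & 0xFF
    parts = [PAGE_PROTECTIONS.get(base, hex(base))]
    parts += [name for bit, name in sorted(PAGE_MODIFIERS.items()) if value & bit]
    return "|".join(parts)


def decode_allocation_type(value: int) -> str:
    """12288 -> 'MEM_COMMIT|MEM_RESERVE' (lowest bit first, as the report prints it)."""
    names = [name for bit, name in sorted(ALLOCATION_TYPES.items()) if value & bit]
    return "|".join(names) if names else hex(value)


def find_rwx_memory(calls: list) -> list:
    """Return one finding per memory call that requests a writable+executable page."""
    findings = []
    for call in calls:
        if call.get("api") not in MEMORY_APIS:
            continue
        args = call.get("arguments", {})
        protection = _to_int(args.get("protection", 0))
        if (protection & 0xFF) not in WRITABLE_AND_EXECUTABLE:
            continue
        handle = _to_int(args.get("process_handle", 0))
        findings.append({
            "api": call["api"],
            "pid": args.get("process_identifier"),
            "base_address": args.get("base_address"),
            # NtProtectVirtualMemory logs 'length', NtAllocateVirtualMemory 'region_size'.
            "size": _to_int(args.get("region_size", args.get("length", 0))),
            "protection": decode_protection(protection),
            "allocation_type": (decode_allocation_type(_to_int(args["allocation_type"]))
                                if "allocation_type" in args else None),
            # -1 targets the sample's own process; any other handle would mean a
            # remote process, i.e. an injection candidate rather than self-modification.
            "own_process": handle in CURRENT_PROCESS_HANDLES,
            "succeeded": _to_int(call.get("return_value", -1)) == STATUS_SUCCESS,
        })
    return findings


if __name__ == "__main__":
    for finding in find_rwx_memory(CALLS):
        print(finding)
```

Both rows on this page come back as findings with own_process set, so on their own they only say "self-modifying or unpacking code", which is expected for a UPX-packed AutoIt binary; the same check with own_process false is the stronger signal.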
section UPX1 (size_of_data 0x00054200, virtual_address 0x0008c000, virtual_size 0x00055000, entropy 7.937160624488138) description A section with a high entropy has been found
entropy 0.91689373297 description Overall entropy of this PE file is high
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
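The four static findings above come from two inputs: the section names in the PE header and the byte entropy of each section's raw data. The script below is an added example, not code from the ZeroBOX report or its signature set; it parses a PE32 section table without third-party modules, computes per-section Shannon entropy and emits findings in the report's wording. The sample PE is constructed inside build_sample_pe() and is not the analysed vbc.exe; the thresholds and the reading of the "overall entropy" figure as the share of raw data that sits in high-entropy sections are assumptions, chosen here, not the sandbox's own values.

```python
"""Re-derive the packer signatures on this page from a PE section table.

Added example; not the sandbox's own code. Thresholds are assumptions and
the sample PE is synthetic.
"""
import math
import struct
from collections import Counter

SECTION_ENTROPY_THRESHOLD = 7.0   # assumption: bits/byte above which a section is "high entropy"
PACKED_RATIO_THRESHOLD = 0.2      # assumption: share of raw data in high-entropy sections


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 means every byte value is equally common."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Read the PE section table; field names mirror the report's section dict."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20.
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "size_of_data": rawsize, "entropy": shannon_entropy(raw),
        })
    return sections


def packer_signatures(sections: list):
    """Return (findings, packed_ratio); findings use the report's own wording."""
    findings, packed = [], 0
    total = sum(s["size_of_data"] for s in sections)
    for s in sections:
        if s["name"].upper().startswith("UPX"):
            findings.append(f"section {s['name']} description Section name indicates UPX")
        if s["entropy"] > SECTION_ENTROPY_THRESHOLD:
            findings.append(f"section {s['name']} entropy {s['entropy']:.3f} description "
                            "A section with a high entropy has been found")
            packed += s["size_of_data"]
    ratio = packed / total if total else 0.0
    if ratio > PACKED_RATIO_THRESHOLD:
        findings.append(f"entropy {ratio:.3f} description Overall entropy of this PE file is high")
    return findings, ratio


def build_sample_pe() -> bytes:
    """Constructed stand-in for a UPX-packed PE32: valid headers, synthetic data."""
    # (name, virtual_size, virtual_address, raw data). UPX0 is the empty area the
    # stub unpacks into, UPX1 holds the compressed image, .rsrc is left alone.
    layout = [
        (b"UPX0", 0x8B000, 0x1000, b""),
        (b"UPX1", 0x55000, 0x8C000, bytes(range(256)) * 32),  # uniform bytes: 8.0 bits
        (b".rsrc", 0x200, 0xE1000, bytes(512)),                # all zeros: 0.0 bits
    ]
    e_lfanew, opt_size = 0x40, 0xE0                          # PE32 optional header size
    raw_off = (e_lfanew + 24 + opt_size + 40 * len(layout) + 0x1FF) & ~0x1FF
    headers, payload = bytearray(), bytearray()
    for name, vsize, vaddr, raw in layout:
        ptr = raw_off + len(payload) if raw else 0
        headers += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(raw), ptr,
                               0, 0, 0, 0, 0x60000020)       # CODE|EXECUTE|READ
        payload += raw
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, opt_size, 0x102)
    pe = bytearray(b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew))
    pe += b"PE\0\0" + coff + bytes(opt_size) + headers
    pe += bytes(raw_off - len(pe)) + payload
    return bytes(pe)


if __name__ == "__main__":
    for line in packer_signatures(parse_sections(build_sample_pe()))[0]:
        print(line)
```

Section names are the weakest of the three signals, since a packer can rename them at will, whereas entropy survives renaming; conversely, a high-entropy section is also what signed or compressed resources look like, so the two findings are best read together. When the UPX headers are intact, `upx -d` restores the original image for static analysis; a sample whose stub has been modified will fail that step and needs a memory dump taken after the unpacking stub has run.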
Bkav W32.AIDetect.malware2
Lionic Trojan.Win32.Generic.4!c
Elastic malicious (high confidence)
MicroWorld-eScan AIT:Trojan.Nymeria.4914
FireEye Generic.mg.3b0b40fc6119f8ac
Cylance Unsafe
CrowdStrike win/malicious_confidence_60% (W)
Cyren W32/AutoIt.UX.gen!Eldorado
APEX Malicious
Kaspersky UDS:Backdoor.Win32.Androm
BitDefender AIT:Trojan.Nymeria.4914
Avast FileRepMetagen [Malware]
Tencent Malware.Win32.Gencirc.10cecbe6
Ad-Aware AIT:Trojan.Nymeria.4914
Sophos Mal/Generic-R
McAfee-GW-Edition BehavesLike.Win32.Generic.fc
Emsisoft AIT:Trojan.Nymeria.4914 (B)
Webroot Pua.Yukleyici
Microsoft Trojan:Script/Phonzy.B!ml
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Win32.Trojan.PSE.JCXCHA
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.Generic.C4609845
McAfee Artemis!3B0B40FC6119
MAX malware (ai score=87)
Malwarebytes Malware.AI.891801861
Fortinet AutoIt/Injector.BFC6!tr
AVG FileRepMetagen [Malware]