Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.15 01:11
wwbizsrvs.exe
11.15 01:11
op.exe
11.15 01:11
msf.exe
11.15 01:11
lum250.exe
11.15 01:11
msf443.exe
11.13 04:11
hello.exe
11.13 03:11
espsemhvcioff.exe
11.13 02:11
Geek_se.exe
11.13 02:11
cred64.dll
11.13 02:11
svhost.exe

Latest News
11.17 06:11
World’s First Virtual ...
11.17 06:11
IT Sicherheitsnews stü...
11.17 06:11
KI und Coding: Wie Kün...
11.17 06:11
Bye-bye, Windows 10: E...
11.17 03:11
[일본 애니메이션]世界最高の暗殺者、異世界...
11.17 03:11
Playing Chess Against ...
11.17 03:11
IT Sicherheitsnews tae...
11.17 03:11
IT Sicherheitsnews tae...
11.17 01:11
IT Sicherheitsnews tae...
11.17 01:11
IT Sicherheitsnews tae...

Summary | ZeroBOX

PAYMENT.exe

Dimnie PE32 PE File

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 8, 2021, 9:36 a.m.	Sept. 8, 2021, 9:38 a.m.

Size	6.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`d16088a5dce52983fccd16363d805cf7`
SHA256	`bbe5f86a8063e4604f53e8c73e2303a83d50a27b58d4cade475ac8a99d1ff80d`
CRC32	`0BAF72CD`
ssdeep	`96:l/v0pXbZZ8gnCsvb209jNJPD9FWVEFrjhx:l+LbJnjjNBDiV`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Dimnie_IN - Dimnie

PAYMENT.exe "C:\Users\test22\AppData\Local\Temp\PAYMENT.exe"
2088

Name	Response	Post-Analysis Lookup
img.neko.airforce	A 167.172.239.151	167.172.239.151

IP Address	Status	Action
164.124.101.2	Active	Moloch
167.172.239.151	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49200 -> 167.172.239.151:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49199 -> 167.172.239.151:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 167.172.239.151:443 -> 192.168.56.101:49203	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 8, 2021, 9:36 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01233000 process_handle: 0xffffffff	1	0	0

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.d16088a5dce52983
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
Cybereason	malicious.8f9c55
ESET-NOD32	a variant of Win32/TrojanDownloader.Agent.FVU
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:Trojan.Win64.Injects
Avast	Win32:MalwareX-gen [Trj]
Rising	Trojan.Generic@ML.90 (RDML:QitSBVLx5WW+JL7snoY5eA)
VIPRE	Lookslike.Win32.Sirefef.c!ag (v)
SentinelOne	Static AI - Malicious PE
Microsoft	Trojan:Win32/Woreflint.A!cl
BitDefenderTheta	Gen:NN.ZexaF.34126.auW@aOt23Bhi
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:MalwareX-gen [Trj]
CrowdStrike	win/malicious_confidence_70% (D)