Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 12, 2021, 2:44 p.m.	Sept. 12, 2021, 2:47 p.m.

Size	273.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`df46f7077499c629fda43a178a70d6a0`
SHA256	`754baa6b4007335878ec474d4347f7a8bb42a9955324e84365f8c98c0d376617`
CRC32	`7FD6D952`
ssdeep	`6144:TO9EMhhQ1rAc4wdi890rljSktzx4Fm7Lcl1nbQOa1:MEMhh6rAc4wdERj9tzT7Lc/b`
PDB Path	C:\Habit_Blink\Release\Demo_Blink.pdb
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description)

Habit_Blink.exe "C:\Users\test22\AppData\Local\Temp\Habit_Blink.exe"
1896
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
xz.tq886.cn	A 119.206.200.180 CNAME xz.tq886.cn.wsdvs.com	119.206.200.180
tj.rxgif.cn	A 106.75.135.138	106.75.135.138
down.rxgif.cn	A 119.206.200.180 CNAME down.rxgif.cn.wsdvs.com	119.206.200.180

IP Address	Status	Action
106.75.135.138	Active	Moloch
119.206.200.180	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

C:\Habit_Blink\Release\Demo_Blink.pdb

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, POST method with no useragent header

suspicious_request

POST http://tj.rxgif.cn/api/count/setup2

Performs some HTTP requests (4 events)

request	GET http://down.rxgif.cn/ddcfg/sbcfg.ini?v202191302442
request	GET http://down.rxgif.cn/ddcfg/desk_info.ini
request	GET http://xz.tq886.cn/ico/qsxg.ico
request	POST http://tj.rxgif.cn/api/count/setup2

Sends data using the HTTP POST Method (1 event)

request

POST http://tj.rxgif.cn/api/count/setup2

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 12, 2021, 2:44 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x728c2000 process_handle: 0xffffffff	1	0	0

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Sept. 12, 2021, 2:44 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13725687808 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0
GetDiskFreeSpaceExW Sept. 12, 2021, 2:45 p.m.	total_number_of_free_bytes: 13726683136 free_bytes_available: 13726683136 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Foreign language identified in PE resource (8 events)

name

RT_ICON

language

LANG_CHINESE

filetype

dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4286971018, next used block 4286774411

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00041810

size

0x000025a8

name

RT_ICON

language

LANG_CHINESE

filetype

dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4286971018, next used block 4286774411

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00041810

size

0x000025a8

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00043db8

size

0x00000050

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00043e08

size

0x00000128

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00043f30

size

0x00000046

name

RT_ACCELERATOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00043f78

size

0x00000010

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00043f9c

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00043f9c

size

0x00000014

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\Desktop\ÇáËÉÑø³ÉºÃÏ°¹ß.lnk

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\Desktop\ÇáËÉÑø³ÉºÃÏ°¹ß.lnk

File has been identified by 33 AntiVirus engines on VirusTotal as malicious (33 events)

Lionic	Trojan.Win32.Doina.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Doina.21329
FireEye	Generic.mg.df46f7077499c629
ALYac	Gen:Variant.Doina.21329
Cylance	Unsafe
Alibaba	Trojan:Win32/Generic.478f817c
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Generik.GMRYELG
APEX	Malicious
Paloalto	generic.ml
BitDefender	Gen:Variant.Doina.21329
Avast	Win32:Trojan-gen
Ad-Aware	Gen:Variant.Doina.21329
Sophos	Mal/Generic-S
McAfee-GW-Edition	RDN/Generic.hbg
Emsisoft	Gen:Variant.Doina.21329 (B)
Webroot	W32.Trojan.Gen
Gridinsoft	Trojan.Win32.Downloader.sa
Microsoft	Trojan:Script/Phonzy.A!ml
GData	Gen:Variant.Doina.21329
Cynet	Malicious (score: 100)
McAfee	RDN/Generic.hbg
MAX	malware (ai score=87)
VBA32	suspected of Trojan.Downloader.gen
Malwarebytes	Malware.AI.4287017190
Ikarus	Trojan.SuspectCRC
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/PossibleThreat
BitDefenderTheta	Gen:NN.ZexaF.34142.ruW@ay18pRcj
AVG	Win32:Trojan-gen
Cybereason	malicious.a93f23
Panda	Trj/GdSda.A

Habit_Blink.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All