Summary | ZeroBOX

customer9.exe

UPX ASPack Malicious Library PE64 PE File OS Processor Check
Category FILE
Machine s1_win7_x6402
Started Oct. 14, 2021, 9:35 a.m.
Completed Oct. 14, 2021, 9:49 a.m.
Size 1.4MB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 0449f28450f8e5877b6526782d225f5f
SHA256 c31c4fbaa4b7a4f9667cc17a3c12cedc9605bc86ebd1934c084a8626eea92da7
CRC32 363CBC77
ssdeep 24576:ur0Y0b3wTBY0zc3OHmIOss9/DQTBlFadP6WNltPSQv:ub6gT20iOHmIPWDQll86Ytfv
PDB Path D:\workspace\workspace_c\shellcode_ms\SCY7VJ5UA3Du3GAh1_jm1\x64\Release\SCY7VJ5UA3Du3GAh1_jm1.pdb
Yara
  • ASPack_Zero - ASPack packed file
  • IsPE64 - (no description)
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library

IP Address Status Action
164.124.101.2 Active Moloch
208.95.112.1 Active Moloch
45.136.151.102 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49163 -> 208.95.112.1:80 2022082 ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address Detected

Suricata TLS

No Suricata TLS

pdb_path D:\workspace\workspace_c\shellcode_ms\SCY7VJ5UA3Du3GAh1_jm1\x64\Release\SCY7VJ5UA3Du3GAh1_jm1.pdb
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section _RDATA
resource name TXT
suspicious_features POST method with no referer header
suspicious_request POST http://staticimg.youtuuee.com/api/?sid=653153&key=fc33e5156f1abb17adfb9073acf9139d
request GET http://ip-api.com/json/
request GET http://staticimg.youtuuee.com/api/fbtime
request POST http://staticimg.youtuuee.com/api/?sid=653153&key=fc33e5156f1abb17adfb9073acf9139d
request POST http://staticimg.youtuuee.com/api/?sid=653153&key=fc33e5156f1abb17adfb9073acf9139d
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 36\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 65\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 62\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 3\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 24\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 75\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 98\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 28\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 93\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 92\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 97\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 47\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 74\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 21\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 83\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 17\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 69\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 50\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 57\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 63\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 66\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 34\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 80\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 84\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 77\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 64\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 8\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 31\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 4\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 35\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 6\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 72\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 13\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 53\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 23\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 25\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 61\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 82\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 7\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 12\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 95\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 22\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 70\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 73\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 18\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 56\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 55\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 49\Cookies
domain ip-api.com
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Bkav W32.QuiccellK.Trojan
Lionic Trojan.Win32.Fabookie.trRO
MicroWorld-eScan Trojan.Generic.30361720
CAT-QuickHeal TrojanPWS.Agent
ALYac Trojan.Generic.30361720
Cylance Unsafe
Zillya Trojan.Agent.Win32.2475875
Sangfor Trojan.Win32.Agent.gen
CrowdStrike win/malicious_confidence_100% (W)
Alibaba Backdoor:Win64/TurtleLoader.444e6246
K7GW Trojan ( 0058895b1 )
K7AntiVirus Trojan ( 0058895b1 )
Arcabit Trojan.Generic.D1CF4878
ESET-NOD32 a variant of Win64/Agent.ATS
APEX Malicious
Paloalto generic.ml
ClamAV Win.Malware.Spyagent-9830839-0
Kaspersky HEUR:Trojan-PSW.Win32.Agent.gen
BitDefender Trojan.Generic.30361720
ViRobot Trojan.Win32.Z.Agent.1422336.I
Avast Win64:PWSX-gen [Trj]
Tencent Malware.Win32.Gencirc.10cf5e9a
Ad-Aware Trojan.Generic.30361720
Emsisoft Trojan.Agent (A)
McAfee-GW-Edition Artemis!Trojan
FireEye Trojan.Generic.30361720
Sophos Mal/Generic-S
Ikarus Trojan.Win64.Agent
Jiangmin Trojan.PSW.Agent.cqm
Webroot W32.Trojan.Gen
Avira TR/Agent.jiqur
Antiy-AVL Trojan/Generic.ASMalwS.34AA7AC
Gridinsoft Trojan.Win64.Agent.ns
Microsoft Backdoor:Win64/TurtleLoader.S
GData Trojan.Generic.30361720
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.Generic.R444062
McAfee GenericRXAA-AA!0449F28450F8
MAX malware (ai score=83)
VBA32 TrojanPSW.Agent
Malwarebytes Spyware.PasswordStealer
TrendMicro-HouseCall TROJ_GEN.R002C0DJ821
Rising Stealer.FBAdsCard!1.D97B (CLASSIC)
Yandex Trojan.Agent!ztmnNuryMyE
Fortinet W32/PossibleThreat
AVG Win64:PWSX-gen [Trj]
Panda Trj/CI.A
MaxSecure Trojan.Malware.12570143.susgen