Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Jan. 18, 2022, 10:14 a.m.	Jan. 18, 2022, 10:18 a.m.

Size	385.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`dabae535097a94f593d5afad04acd5ea`
SHA256	`e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391`
CRC32	`AAFF5F11`
ssdeep	`12288:Zzj8qPa/HOT28EnUB10QkrtMZm0IHuPK27wb8/BE:ZXzPa9JnU4750h7wbKi`
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

Service.bmp "C:\Users\test22\AppData\Local\Temp\Service.bmp"
2768

Name	Response	Post-Analysis Lookup
yandex.ru	A 5.255.255.5 A 77.88.55.77 A 77.88.55.80 A 5.255.255.60	77.88.55.77
twitter.com	A 104.244.42.193	104.244.42.129
telegram.org	A 149.154.167.99	149.154.167.99

IP Address	Status	Action
104.244.42.193	Active	Moloch
149.154.167.99	Active	Moloch
164.124.101.2	Active	Moloch
2.56.59.42	Active	Moloch
212.193.30.45	Active	Moloch
5.255.255.5	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 18, 2022, 10:14 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://212.193.30.45/proxies.txt

Performs some HTTP requests (2 events)

request	GET http://212.193.30.45/proxies.txt
request	GET https://yandex.ru/

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

yandex.ru

description

Russian Federation domain TLD

Communicates with host for which no DNS query was performed (2 events)

host	2.56.59.42
host	212.193.30.45

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

2.56.59.42:80

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Zusy.403762
FireEye	Generic.mg.dabae535097a94f5
CAT-QuickHeal	Trojan.GenericRI.S25215857
McAfee	GenericRXMT-VE!DABAE535097A
Cylance	Unsafe
Sangfor	Trojan.Win32.Sabsik.FL
K7AntiVirus	Trojan-Downloader ( 0058214a1 )
Alibaba	TrojanPSW:Win32/Disbuk.9e9c4770
K7GW	Trojan-Downloader ( 0058214a1 )
CrowdStrike	win/malicious_confidence_100% (W)
BitDefenderTheta	Gen:NN.ZexaF.34160.yuW@aWwunpji
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/TrojanDownloader.Agent.FWC
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Dropper.Xpiro-9918730-1
Kaspersky	HEUR:Trojan-PSW.Win32.Disbuk.gen
BitDefender	Gen:Variant.Zusy.403762
Avast	Win32:DropperX-gen [Drp]
Tencent	Win32.Trojan-downloader.Agent.Wuhe
Ad-Aware	Gen:Variant.Zusy.403762
Emsisoft	Gen:Variant.Zusy.403762 (B)
DrWeb	Trojan.PWS.Stealer.31121
TrendMicro	TROJ_GEN.R002C0PAH22
McAfee-GW-Edition	BehavesLike.Win32.Generic.fh
Sophos	Mal/Generic-S
Ikarus	Trojan-Downloader.Win32.Agent
Jiangmin	Trojan.PSW.Disbuk.dm
Avira	HEUR/AGEN.1202301
MAX	malware (ai score=83)
Kingsoft	Win32.PSWTroj.Undef.(kcloud)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
GData	Gen:Variant.Zusy.403762
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Disbuk.C4724846
VBA32	BScope.TrojanRansom.FileCryptor
ALYac	Gen:Variant.Zusy.403762
Malwarebytes	Malware.AI.1162111075
TrendMicro-HouseCall	TROJ_GEN.R002C0PAH22
Rising	Downloader.Agent!1.D93C (CLOUD)
SentinelOne	Static AI - Malicious PE
Fortinet	W32/Agent.FWC!tr.ransom
AVG	Win32:DropperX-gen [Drp]
Panda	Trj/GdSda.A
MaxSecure	Trojan.Malware.300983.susgen

Service.bmp

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All