Client_zffz.exe| Category | Machine | Started | Completed |
|---|---|---|---|
| FILE | s1_win7_x6403_us | Dec. 15, 2022, 5:40 p.m. | Dec. 15, 2022, 5:46 p.m. |
-
Client_zffz.exe "C:\Users\test22\AppData\Local\Temp\Client_zffz.exe"
2040
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| No hosts contacted. | ||
| IP Address | Status | Action |
|---|---|---|
| 210.34.80.129 | Active | Moloch |
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.103:49165 -> 210.34.80.129:80 | 2008350 | ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile | Potential Corporate Privacy Violation |
| TCP 192.168.56.103:49165 -> 210.34.80.129:80 | 2008350 | ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile | Potential Corporate Privacy Violation |
| TCP 192.168.56.103:49165 -> 210.34.80.129:80 | 2008350 | ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile | Potential Corporate Privacy Violation |
Suricata TLS
No Suricata TLS
| packer | UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser |
| suspicious_features | Connection to IP address | suspicious_request | GET http://210.34.80.129/wbwj/fjafusoft/setup_zffz.txt | ||||||
| suspicious_features | Connection to IP address | suspicious_request | GET http://210.34.80.129/wbwj/fjafusoft/mobel_zffz/Setup_Mobel.txt | ||||||
| suspicious_features | Connection to IP address | suspicious_request | GET http://210.34.80.129/wbwj/fjafusoft/mobel_zffz/zypgmb_zffz.txt | ||||||
| request | GET http://210.34.80.129/wbwj/fjafusoft/setup_zffz.txt |
| request | GET http://210.34.80.129/wbwj/fjafusoft/mobel_zffz/Setup_Mobel.txt |
| request | GET http://210.34.80.129/wbwj/fjafusoft/mobel_zffz/zypgmb_zffz.txt |
| description | Client_zffz.exe tried to sleep 130 seconds, actually delayed analysis time by 130 seconds | |||
| file | C:\Users\test22\AppData\Local\Temp\rar.exe |
| file | C:\Users\test22\AppData\Local\Temp\rar.exe |
| Elastic | malicious (moderate confidence) |
| CrowdStrike | win/malicious_confidence_60% (W) |
| TrendMicro-HouseCall | TROJ_GEN.R002H06K721 |
| McAfee-GW-Edition | BehavesLike.Win32.Spyware.jc |
| AhnLab-V3 | Malware/Gen.Generic.C3572474 |
| McAfee | RDN/Generic.grp |
| APEX | Malicious |
| MaxSecure | Worm.Win32.AutoIt.QN |
| section | {u'size_of_data': u'0x0003f400', u'virtual_address': u'0x0006c000', u'entropy': 7.926569849329228, u'name': u'UPX1', u'virtual_size': u'0x00040000'} | entropy | 7.92656984933 | description | A section with a high entropy has been found | |||||||||
| entropy | 0.947565543071 | description | Overall entropy of this PE file is high | |||||||||||
| section | UPX0 | description | Section name indicates UPX | ||||||
| section | UPX1 | description | Section name indicates UPX | ||||||
| host | 210.34.80.129 | |||