Summary | ZeroBOX

HDU3.exe

Malicious Packer, PE64, PE File
Category FILE
Machine s1_win7_x6401
Started March 17, 2023, 5:31 p.m.
Completed March 17, 2023, 5:57 p.m.
Size 539.5KB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 04694e5e78d0a3dcab0bfea22aa90cfe
SHA256 88262a78ce91985653afffc74d9938050e56113840efbc67ee98eb9483fe1f22
CRC32 F67F6B0E
ssdeep 12288:UdXvDWopdu11GNJGUOXOoDscvVqILhtgpiEg/ojnSFRsQOoS9cwMd:gv6oLM2GvXOoHdqIdsg/ojn4sQ9S9c1
Yara
  • IsPE64 - (no description)
  • Malicious_Packer_Zero - Malicious Packer
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
textbin.net 148.72.177.212
IP Address Status Action
148.72.177.212 Active Moloch
164.124.101.2 Active Moloch

Time & API Arguments Status Return Repeated

__exception__

stacktrace:
hdu3+0xa7136 @ 0x13fab7136
hdu3+0xb6364 @ 0x13fac6364
hdu3+0xb5fc5 @ 0x13fac5fc5
hdu3+0xb5f0f @ 0x13fac5f0f
hdu3+0xb5ee4 @ 0x13fac5ee4
hdu3+0xc9715 @ 0x13fad9715
hdu3+0xc9983 @ 0x13fad9983
hdu3+0x44a7 @ 0x13fa144a7
hdu3+0x1373 @ 0x13fa11373
hdu3+0x4971 @ 0x13fa14971
hdu3+0xc8998 @ 0x13fad8998
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521

exception.instruction_r: cd 29 0f 0b cc cc cc cc cc cc 41 56 56 57 53 48
exception.symbol: hdu3+0xa7136
exception.instruction: int 0x29
exception.module: HDU3.exe
exception.exception_code: 0xc0000005
exception.offset: 684342
exception.address: 0x13fab7136
registers.r14: 0
registers.r15: 0
registers.rcx: 7
registers.rsi: 0
registers.r10: 3221225728
registers.rbx: 0
registers.rsp: 2293392
registers.r11: 3531064
registers.r8: 5363872272
registers.r9: 78
registers.rdx: 0
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 17
registers.r13: 0
Status 1 Return 0 Repeated 0
section UPX1 (virtual_address 0x000d9000, virtual_size 0x00087000, size_of_data 0x00086400, entropy 7.99886172049686) entropy 7.9988617205 description A section with a high entropy has been found
entropy 0.99721448468 description Overall entropy of this PE file is high
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
section UPX2 description Section name indicates UPX
Engine Detection
MicroWorld-eScan Trojan.GenericKD.65926958
FireEye Generic.mg.04694e5e78d0a3dc
CAT-QuickHeal Trojan.GenericRI.S29850418
Malwarebytes Malware.AI.4287928828
Sangfor Downloader.Win64.Agent.V0q6
CrowdStrike win/malicious_confidence_70% (D)
Symantec ML.Attribute.HighConfidence
Elastic malicious (moderate confidence)
ESET-NOD32 Win64/TrojanDownloader.Agent.XW
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky Trojan-Downloader.Win32.ZippyLoader.eya
BitDefender Trojan.GenericKD.65926958
ViRobot Trojan.Win.Z.Dapato.552448
Emsisoft Trojan.GenericKD.65926958 (B)
TrendMicro TROJ_GEN.R002C0DCE23
McAfee-GW-Edition BehavesLike.Win64.BadFile.hc
Trapmine malicious.moderate.ml.score
Jiangmin TrojanDropper.Dapato.adrr
Avira TR/Dldr.Agent.tkfbf
MAX malware (ai score=89)
Antiy-AVL Trojan/Win32.Sabsik
Gridinsoft Ransom.Win64.Sabsik.sa
Microsoft Trojan:Win32/Dapato.EM!MTB
GData Win64.Trojan.Agent.GHXZ6U
AhnLab-V3 Trojan/Win.Generic.C5303216
McAfee Artemis!04694E5E78D0
TrendMicro-HouseCall TROJ_GEN.R002C0DCE23
Rising Downloader.Agent!8.B23 (TFE:5:3iivrlo7YP)
MaxSecure Trojan.Malware.300983.susgen
Fortinet W64/Agent.XW!tr.dldr