Summary | ZeroBOX

Downloader.exe

PE32 PE File
Category: FILE
Machine: s1_win7_x6403_us
Started: March 23, 2023, 1:01 p.m.
Completed: March 23, 2023, 1:16 p.m.
Size 16.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 75d45ac139ac9630ef44d1952e574633
SHA256 1ca7368f52844d39bf76fc1b84ab483f2e1ad0e8ef9969fd369c977cbcf2673e
CRC32 A295FD77
ssdeep 96:kIVg6r1wCCbBarsanJtRHJeZW+RElJ869X/QNsgBSEnrtDINyncI+vL/mg56NM69:LVZZrDRgAKErnEnrtDINynT+vCgcNX9
Yara
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch
193.42.33.216 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49161 -> 193.42.33.216:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 192.168.56.103:49161 -> 193.42.33.216:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 193.42.33.216:80 -> 192.168.56.103:49161 2022050 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 A Network Trojan was detected
TCP 193.42.33.216:80 -> 192.168.56.103:49161 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 193.42.33.216:80 -> 192.168.56.103:49161 2022051 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 A Network Trojan was detected
TCP 193.42.33.216:80 -> 192.168.56.103:49161 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49163 -> 193.42.33.216:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 193.42.33.216:80 -> 192.168.56.103:49163 2022050 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 A Network Trojan was detected
TCP 193.42.33.216:80 -> 192.168.56.103:49163 2014819 ET INFO Packed Executable Download Misc activity
TCP 193.42.33.216:80 -> 192.168.56.103:49163 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 193.42.33.216:80 -> 192.168.56.103:49163 2022051 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 A Network Trojan was detected
TCP 193.42.33.216:80 -> 192.168.56.103:49163 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic

Suricata TLS

No Suricata TLS

resource name SETTINGS
suspicious_features: Connection to IP address
suspicious_request: GET http://193.42.33.216/myp.exe
suspicious_features: Connection to IP address
suspicious_request: GET http://193.42.33.216/clip.exe
request GET http://193.42.33.216/myp.exe
request GET http://193.42.33.216/clip.exe
file C:\Users\test22\AppData\Local\Temp\Meteorite.exe
file C:\Users\test22\AppData\Local\Temp\clip.exe
file C:\Users\test22\AppData\Local\Temp\myp.exe
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x00370000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

recv

buffer: HTTP/1.1 200 OK Date: Thu, 23 Mar 2023 04:14:25 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Wed, 22 Mar 2023 04:46:08 GMT ETag: "2bc00-5f775d6a62400" Accept-Ranges: bytes Content-Length: 179200 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÍç›à 0¤’µ à@  @…@µOà$ $µ  H.textè  ¤ `.rsrc$à¨@@.reloc ¸@B
received: 1024
socket: 792
1 1024 0

recv

buffer: HTTP/1.1 200 OK Date: Thu, 23 Mar 2023 04:14:26 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Wed, 22 Mar 2023 01:30:10 GMT ETag: "42ee00-5f77319d14c80" Accept-Ranges: bytes Content-Length: 4386304 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program MZÿÿ‹@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÜr—à ðBà9ÀÖ|ð9à|@ð|@à|ˆˆà| UPX0à9€àUPX1ðBð9êB@àUPX2à|ìB@À4.02UPX!  R¨ñ±]sÅÍ´|¤æB’x&#»äb/ù‹$Ã̋ .äB.,4ÿ'äB<ÿ Go buildÿÿÿÿ ID: "mUx3GRUj46F_sgohCkbB/VK8PkÿÿÿÿBruvTfHcqh7IhMh/vGsiOP92GwNG5NU0ûÿÿÿ_GQQ/2b495TNIUwJ4kZ3t3rPd" ÿßÿŸÛd‹ ‹‰;av ƒìè#_ûÿ‹D$ ‰ú ‰
received: 1024
socket: 1000
1 1024 0
host 193.42.33.216
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Meteorite reg_value C:\Users\test22\AppData\Local\Temp\Meteorite.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Meteorite reg_value C:\Users\test22\AppData\Local\Temp\Meteorite.exe
Lionic Trojan.Win32.Agent.Y!c
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Midie.111126
CAT-QuickHeal Trojan.AgentMF.S19993834
McAfee Downloader-FBWZ!75D45AC139AC
Cylance unsafe
Sangfor Suspicious.Win32.Save.vb
CrowdStrike win/malicious_confidence_100% (W)
Alibaba TrojanDownloader:Win32/VBObfuse.8a930485
K7GW Riskware ( 0040eff71 )
K7AntiVirus Riskware ( 0040eff71 )
Arcabit Trojan.Midie.D1B216
Cyren W32/VBTrojan.Downloader.1D!Maxi
Symantec Trojan Horse
tehtris Generic.Malware
ESET-NOD32 a variant of Win32/TrojanDownloader.VB.RLW
Cynet Malicious (score: 99)
APEX Malicious
Paloalto generic.ml
ClamAV Win.Malware.Aizczvpi-7667171-0
Kaspersky Trojan.Win32.Agent.xabduu
BitDefender Gen:Variant.Midie.111126
NANO-Antivirus Trojan.Win32.VB.fxwldb
SUPERAntiSpyware Trojan.Agent/Gen-Downloader
Avast Win32:Evo-gen [Trj]
Tencent Win32.Trojan.Agent.Xmhl
TACHYON Trojan/W32.VB-Agent.16384.ID
DrWeb Trojan.DownLoader30.17344
VIPRE Gen:Variant.Midie.111126
TrendMicro TrojanSpy.Win32.REDLINE.YXDCVZ
McAfee-GW-Edition Downloader-FBWZ!75D45AC139AC
FireEye Generic.mg.75d45ac139ac9630
Emsisoft Gen:Variant.Midie.111126 (B)
SentinelOne Static AI - Suspicious PE
Jiangmin TrojanDownloader.Generic.bdxz
Webroot W32.Trojan.Gen
Avira TR/VB.Downloader.Gen
Antiy-AVL Trojan/Win32.Wacatac
Gridinsoft Trojan.Win32.Agent.dd!n
Xcitium Malware@#zmqidmwkoy54
Microsoft Trojan:Win32/VBObfuse.BIV!MTB
ViRobot Trojan.Win.Z.Midie.16384.A
ZoneAlarm Trojan.Win32.Agent.xabduu
GData Gen:Variant.Midie.111126
Google Detected
AhnLab-V3 Trojan/Win32.RL_Vobfus.R326912
VBA32 Malware-Cryptor.VB.gen.1
ALYac Gen:Variant.Midie.111126
MAX malware (ai score=84)
Malwarebytes Trojan.Downloader