Summary | ZeroBOX

payload.exe

PE64 PE File
Category: FILE
Machine: s1_win7_x6403_us
Started: March 27, 2023, 10:20 a.m.
Completed: March 27, 2023, 10:31 a.m.
Size 7.0KB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 67e524e151efc62a8f5d3bbf8531e70a
SHA256 141a6add7aa22399d765e3a91acf11cc7770902183d9e39734aa3e4ca854c362
CRC32 79284B9E
ssdeep 24:eFGStrJ9u0/64QnZdEBQAV8aKq9K9qnjeNDJSqUmZEWdXCIGDpmB:is0BEEBQpE99SDoqUjWZCSB
Yara
  • IsPE64 - (no description)
  • PE_Header_Zero - PE File Signature

Domains (Name / Response / Post-Analysis Lookup)
No hosts contacted.

Hosts (IP Address / Status / Action)
164.124.101.2 Active Moloch
45.137.207.151 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section .scob
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
EnterCriticalSection+0x1e ExitThread-0x19 kernel32+0xaa404 @ 0x7706a404
payload+0x41cc @ 0x1400041cc
0x7fffffd9000
0x12fda8
payload+0x400a @ 0x14000400a
payload+0x41cc @ 0x1400041cc

exception.instruction_r: 4e 54 44 4c 4c 2e 52 74 6c 45 78 69 74 55 73 65
exception.symbol: EnterCriticalSection+0x1e ExitThread-0x19 kernel32+0xaa404
exception.instruction: push rsp
exception.module: kernel32.dll
exception.exception_code: 0xc0000005
exception.offset: 697348
exception.address: 0x7706a404
registers.r14: 1245000
registers.r15: 0
registers.rcx: 0
registers.rsi: 1244864
registers.r10: 5368725964
registers.rbx: 1453503984
registers.rsp: 1244768
registers.r11: 582
registers.r8: 1244584
registers.r9: 5368725514
registers.rdx: 8796092862464
registers.r12: 1244576
registers.rbp: 5368725514
registers.rdi: 88
registers.rax: 1996923908
registers.r13: 1244584
Status: 1 Return: 0 Repeated: 0
host 45.137.207.151
dead_host 45.137.207.151:4444
Antivirus (Engine / Result)
Lionic Trojan.Win32.Shelma.W!c
DrWeb BackDoor.Shell.244
MicroWorld-eScan Trojan.Metasploit.A
CAT-QuickHeal HackTool.Metasploit.S9212471
McAfee Trojan-FJIN!67E524E151EF
Malwarebytes Trojan.MalPack
VIPRE Trojan.Metasploit.A
Sangfor HackTool.Win32.Reverse64_Bin_v2_5_through_v4_x.uwccg
K7AntiVirus Trojan ( 004fae881 )
Alibaba Trojan:Win64/Shelma.21f17ed5
K7GW Trojan ( 004fae881 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Metasploit.A
VirIT Trojan.Win32.Generic.BZPS
Cyren W64/S-c4a4ef26!Eldorado
Symantec Packed.Generic.539
Elastic Windows.Trojan.Metasploit
ESET-NOD32 a variant of Win64/Rozena.M
Cynet Malicious (score: 100)
APEX Malicious
Paloalto generic.ml
ClamAV Win.Trojan.MSShellcode-6
Kaspersky Trojan.Win64.Shelma.b
BitDefender Trojan.Metasploit.A
SUPERAntiSpyware Trojan.Agent/Gen-MalPack
Avast Win64:ShellCode-B [Trj]
Tencent Hacktool.Win64.Rozena.a
Sophos ATK/Meter-A
TrendMicro TROJ64_SWRORT.SM1
McAfee-GW-Edition BehavesLike.Win64.Infected.zz
Trapmine malicious.high.ml.score
FireEye Generic.mg.67e524e151efc62a
Emsisoft Trojan.Metasploit.A (B)
SentinelOne Static AI - Suspicious PE
Jiangmin Trojan/Agent.iigj
Avira BDS/ShellCodeF.641
Antiy-AVL GrayWare/Win32.Rozena.j
Gridinsoft Trojan.Win64.ShellCode.sd!s1
Microsoft Trojan:Win64/Meterpreter.E
ViRobot Trojan.Win.Z.Rozena.7168.ATN
ZoneAlarm Trojan.Win64.Shelma.b
GData Win64.Trojan.Rozena.A
Google Detected
ALYac Trojan.Metasploit.A
MAX malware (ai score=87)
Cylance unsafe
Zoner Probably Heur.ExeHeaderL
TrendMicro-HouseCall TROJ64_SWRORT.SM1
Rising Trojan.Kryptik!1.A2F4 (CLASSIC)
Ikarus Trojan.Win64.Meterpreter