Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 27, 2023, 10:20 a.m.	March 27, 2023, 10:29 a.m.

Size	2.3MB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`93b9f5bf918b7e5de262a85214aa8fea`
SHA256	`64b0d4ff01dc13572b748c0caa19d797aa6841994a90e5643d23dd5c692c0f17`
CRC32	`4095B437`
ssdeep	`24576:6122eyR3deGLPN5MaifsiDeMlJvtaBZ8X45FlkhkaSQ8I7IC+jLq38OHD:0h0GLPN5Ma3ebMZ8X45FO6Q8S+jLq3j`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) PE_Header_Zero - PE File Signature

update.exe "C:\Users\test22\AppData\Local\Temp\update.exe"
1532

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
121.254.136.27	Active	Moloch
91.107.196.27	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA March 27, 2023, 10:20 a.m.	computer_name: TEST22-PC	1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, POST method with no useragent header, Connection to IP address

suspicious_request

POST http://91.107.196.27/75e7ead3c17835de.php

Performs some HTTP requests (1 event)

request

POST http://91.107.196.27/75e7ead3c17835de.php

Sends data using the HTTP POST Method (1 event)

request

POST http://91.107.196.27/75e7ead3c17835de.php

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory March 27, 2023, 10:20 a.m.	process_identifier: 1532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 27, 2023, 10:20 a.m.	process_identifier: 1532 region_size: 2260992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory March 27, 2023, 10:20 a.m.	process_identifier: 1532 region_size: 2260992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02250000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory March 27, 2023, 10:20 a.m.	process_identifier: 1532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 57344 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02251000 process_handle: 0xffffffff	1	0

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x0004d800', u'virtual_address': u'0x00141000', u'entropy': 6.840630925390014, u'name': u'.rdata', u'virtual_size': u'0x0004d7fc'}

entropy

6.84063092539

description

A section with a high entropy has been found

Communicates with host for which no DNS query was performed (2 events)

host	121.254.136.27
host	91.107.196.27

File has been identified by 41 AntiVirus engines on VirusTotal as malicious (41 events)

Lionic	Trojan.Win32.Stealerc.4!c
MicroWorld-eScan	Trojan.GenericKD.65947860
FireEye	Trojan.GenericKD.65947860
CAT-QuickHeal	Trojanpws.Stealerc
ALYac	Trojan.GenericKD.65947860
Malwarebytes	RiskWare.Agent
K7AntiVirus	Trojan ( 005a154b1 )
Alibaba	TrojanPSW:Win32/Stealerc.696f7301
K7GW	Trojan ( 005a154b1 )
Arcabit	Trojan.Generic.D3EE48D4
Cyren	W32/ABRisk.IHWE-4797
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of Win32/GenKryptik.GHXH
Cynet	Malicious (score: 99)
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-PSW.Win32.Stealerc.gen
BitDefender	Trojan.GenericKD.65947860
Avast	Win32:PWSX-gen [Trj]
Tencent	Win32.Trojan.FalseSign.Qgil
DrWeb	Trojan.PWS.Siggen3.28783
VIPRE	Trojan.GenericKD.65947860
TrendMicro	TrojanSpy.Win32.STEALC.YXDCUZ
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	Trojan.GenericKD.65947860 (B)
Webroot	W32.Trojan.Gen
Avira	TR/AD.Stealc.xapjy
Antiy-AVL	Trojan/Win32.Woreflint
Xcitium	Malware@#3o1ol80jzf06c
Microsoft	Trojan:Win32/Casdet!rfn
GData	Trojan.GenericKD.65947860
Google	Detected
McAfee	Artemis!93B9F5BF918B
MAX	malware (ai score=85)
VBA32	BScope.TrojanSpy.LClipper
TrendMicro-HouseCall	TrojanSpy.Win32.STEALC.YXDCUZ
Rising	Stealer.Stealerc!8.17BE0 (TFE:5:x1FyXGvCI3U)
Ikarus	Trojan.Win32.Krypt
Fortinet	W32/PossibleThreat
AVG	Win32:PWSX-gen [Trj]
Panda	Trj/Chgt.AD

update.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All