Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 27, 2023, 10:46 a.m.	March 27, 2023, 10:48 a.m.

Size	13.5MB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`581176025eb809b5120fd584cb9dc237`
SHA256	`e1a13b501f98bc44503f719cf0905a070b5ce1a42f66d2cb530df8f172274cdc`
CRC32	`F969A5BF`
ssdeep	`393216:bflAEh22VkgTB56Hmuny6SN9XbSgD0t5JheFWofA:LlZHVvUG2HUbSjnKA`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) PE_Header_Zero - PE File Signature

Lamb.pif.exe "C:\Users\test22\AppData\Local\Temp\Lamb.pif.exe"
1960

Name	Response	Post-Analysis Lookup
clients2.googleusercontent.com	A 142.251.220.1 CNAME googlehosted.l.googleusercontent.com	172.217.25.161
accounts.google.com	A 172.217.31.13	142.250.207.109
fonts.gstatic.com	A 142.250.66.67	172.217.25.163
apis.google.com	A 142.250.199.78 CNAME plus.l.google.com	172.217.25.174
www.google.com	A 142.250.66.36	172.217.25.164
_googlecast._tcp.local
apps.identrust.com	A 121.254.136.27 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 121.254.136.57	23.43.165.66
fonts.googleapis.com	A 172.217.24.74	142.250.76.138
cdn.stubdownloader.services.mozilla.com	A 34.120.48.173 CNAME cdn-proxy-prod.stubattribution.prod.cloudops.mozgcp.net	34.120.48.173
clientservices.googleapis.com	A 172.217.24.227	142.250.207.99
www.gstatic.com	A 142.250.207.67	172.217.25.163

IP Address	Status	Action
121.254.136.27	Active	Moloch
142.250.199.78	Active	Moloch
142.250.204.67	Active	Moloch
142.250.207.67	Active	Moloch
142.250.207.78	Active	Moloch
142.250.66.36	Active	Moloch
142.250.66.67	Active	Moloch
142.251.220.1	Active	Moloch
164.124.101.2	Active	Moloch
172.217.24.227	Active	Moloch
172.217.24.74	Active	Moloch
172.217.31.13	Active	Moloch
34.120.48.173	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.103:49171 172.217.24.74:443	None	None	None
TLS 1.3 192.168.56.103:49165 172.217.31.13:443	None	None	None
TLS 1.3 192.168.56.103:49164 172.217.24.227:443	None	None	None
TLS 1.3 192.168.56.103:49162 142.250.66.36:443	None	None	None
TLS 1.3 192.168.56.103:49167 34.120.48.173:443	None	None	None
TLS 1.3 192.168.56.103:49166 172.217.24.227:443	None	None	None
TLS 1.3 192.168.56.103:49177 142.250.199.78:443	None	None	None
TLS 1.3 192.168.56.103:49172 142.250.207.67:443	None	None	None
TLS 1.3 192.168.56.103:49176 142.250.66.67:443	None	None	None
TLS 1.3 192.168.56.103:49179 142.250.204.67:443	None	None	None
TLS 1.3 192.168.56.103:49180 142.251.220.1:443	None	None	None
TLS 1.3 192.168.56.103:49163 142.250.66.36:443	None	None	None
TLS 1.3 192.168.56.103:49173 142.250.207.67:443	None	None	None
TLS 1.3 192.168.56.103:49181 172.217.31.14:443	None	None	None
UNDETERMINED 192.168.56.103:49174 142.250.207.67:443	None	None	None

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 27, 2023, 10:46 a.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (12 events)

section	=MYCLtLD
section	8uSxWUy5
section	UgMTkb-g
section	$hpj638x
section	b#+@I;)e
section	KAf`a_(X
section	LS0&wof1
section	F>?*mUav
section	tlhmKye`
section	cGghv*c8
section	t>e:DuJP
section	Fm"luw6f

Performs some HTTP requests (3 events)

request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	GET http://clients2.google.com/time/1/current?cup2key=4:3305170296&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
request	GET http://www.gstatic.com/generate_204

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory March 27, 2023, 10:46 a.m.	process_identifier: 1960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 12288 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x014cd000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 27, 2023, 10:46 a.m.	process_identifier: 1960 region_size: 385024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory March 27, 2023, 10:46 a.m.	process_identifier: 1960 region_size: 385024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x011e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0

The binary likely contains encrypted or compressed data indicative of a packer (5 events)

section

{u'size_of_data': u'0x000ad400', u'virtual_address': u'0x00141000', u'entropy': 7.64620417503406, u'name': u'UgMTkb-g', u'virtual_size': u'0x000ad2ac'}

entropy

7.64620417503

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001c00', u'virtual_address': u'0x0024f000', u'entropy': 7.018512721230526, u'name': u'KAf`a_(X', u'virtual_size': u'0x00001a14'}

entropy

7.01851272123

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x005a8600', u'virtual_address': u'0x00253000', u'entropy': 7.936042109646909, u'name': u'tlhmKye`', u'virtual_size': u'0x005a84a9'}

entropy

7.93604210965

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0056da00', u'virtual_address': u'0x007fd000', u'entropy': 7.944125803372303, u'name': u't>e:DuJP', u'virtual_size': u'0x0056d970'}

entropy

7.94412580337

description

A section with a high entropy has been found

entropy

0.871911738108

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (2 events)

host	142.250.204.67
host	142.250.207.78

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Lionic	Trojan.Win32.Strab.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.66098180
McAfee	Artemis!581176025EB8
Sangfor	Trojan.Win32.Agent.Vkkk
K7AntiVirus	Trojan ( 005a17621 )
Alibaba	Trojan:Win32/Strab.818151b6
K7GW	Trojan ( 005a17621 )
CrowdStrike	win/malicious_confidence_70% (W)
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Generik.MSQCKTL
Avast	Win32:Evo-gen [Trj]
Cynet	Malicious (score: 99)
Kaspersky	Trojan.Win32.Strab.bct
BitDefender	Trojan.GenericKD.66098180
Tencent	Win32.Trojan.FalseSign.Nsmw
VIPRE	Trojan.GenericKD.66098180
McAfee-GW-Edition	Artemis!Trojan
FireEye	Trojan.GenericKD.66098180
Emsisoft	Trojan.GenericKD.66098180 (B)
GData	Trojan.GenericKD.66098180
Webroot	W32.Trojan.Gen
Avira	TR/Redcap.pepza
MAX	malware (ai score=86)
Antiy-AVL	Trojan/Win32.Wacatac
Gridinsoft	Trojan.Heur!.00212031
Xcitium	Malware@#tymsne84ancj
Arcabit	Trojan.Generic.D3F09404
Microsoft	Trojan:Win32/Wacatac.B!ml
ALYac	Trojan.GenericKD.66098180
VBA32	BScope.Backdoor.Agent
TrendMicro-HouseCall	TROJ_GEN.R03BH0CCQ23
Rising	Trojan.Undefined!8.1327C (TFE:5:KlBGkNsNMRQ)
Fortinet	W32/PossibleThreat
BitDefenderTheta	Gen:NN.ZexaCO.36344.@Z2@aKcgWanG
AVG	Win32:Evo-gen [Trj]

Lamb.pif.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All