Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 31, 2023, 4:34 p.m.	March 31, 2023, 4:34 p.m.

Size	13.1MB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`684b2bdbe523cd89846944b6814f4de3`
SHA256	`d235538772b86e3ef1e4cd2f00d4b7931c8bc622d29aad39b7e3a6a465a1c669`
CRC32	`DF57E5AA`
ssdeep	`196608:UaX543YpgKiG1mrZHSEWQiPhIjNLvPfpTCJJlcvtFvsvqc+hrBYv:UaQGQZH72pIjNLv3xCJkRNYv`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library Generic_Malware_Zero - Generic Malware Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) PE_Header_Zero - PE File Signature Antivirus - Contains references to security software

RedHat.exe "C:\Users\test22\AppData\Local\Temp\RedHat.exe"
2552

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
91.107.196.27	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA March 31, 2023, 4:34 p.m.	computer_name: TEST22-PC	1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	.rdata0
section	.rdata1
section	.rdata2

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, POST method with no useragent header, Connection to IP address

suspicious_request

POST http://91.107.196.27/75e7ead3c17835de.php

Performs some HTTP requests (1 event)

request

POST http://91.107.196.27/75e7ead3c17835de.php

Sends data using the HTTP POST Method (1 event)

request

POST http://91.107.196.27/75e7ead3c17835de.php

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory March 31, 2023, 4:34 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01430000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 31, 2023, 4:34 p.m.	process_identifier: 2552 region_size: 2260992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory March 31, 2023, 4:34 p.m.	process_identifier: 2552 region_size: 2260992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory March 31, 2023, 4:34 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 57344 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c01000 process_handle: 0xffffffff	1	0

The binary likely contains encrypted or compressed data indicative of a packer (5 events)

section

{u'size_of_data': u'0x0004d800', u'virtual_address': u'0x00141000', u'entropy': 6.827706751050602, u'name': u'.rdata', u'virtual_size': u'0x0004d7ec'}

entropy

6.82770675105

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001c00', u'virtual_address': u'0x001ef000', u'entropy': 7.027211128496423, u'name': u'.idata', u'virtual_size': u'0x00001a14'}

entropy

7.0272111285

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x005ade00', u'virtual_address': u'0x001f3000', u'entropy': 7.932452029241685, u'name': u'.rdata0', u'virtual_size': u'0x005adc3e'}

entropy

7.93245202924

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00573800', u'virtual_address': u'0x007a2000', u'entropy': 7.940787160375407, u'name': u'.rdata2', u'virtual_size': u'0x00573800'}

entropy

7.94078716038

description

A section with a high entropy has been found

entropy

0.876112482238

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

91.107.196.27

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Lionic	Trojan.Win32.Stealerc.4!c
MicroWorld-eScan	Trojan.GenericKD.66096642
FireEye	Trojan.GenericKD.66096642
McAfee	Artemis!684B2BDBE523
Malwarebytes	Spyware.Vidar
VIPRE	Trojan.GenericKD.66096642
Sangfor	Infostealer.Win32.Agent.V6eu
K7AntiVirus	Trojan ( 005a17631 )
BitDefender	Trojan.GenericKD.66096642
K7GW	Trojan ( 005a17631 )
CrowdStrike	win/malicious_confidence_70% (W)
BitDefenderTheta	Gen:NN.ZexaF.36344.@Z1@a0qDvRai
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of Generik.JNSZUPP
Paloalto	generic.ml
Kaspersky	Trojan-PSW.Win32.Stealerc.gq
Alibaba	TrojanPSW:Win32/Stealerc.3131803b
Tencent	Win32.Trojan-QQPass.QQRob.Simw
Sophos	Mal/Generic-S
DrWeb	Trojan.Siggen20.17967
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	Trojan.GenericKD.66096642 (B)
Ikarus	Trojan-Spy.Win32.StealC
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/Redcap.eutkv
Antiy-AVL	Trojan[PSW]/Win32.Stealerc
Microsoft	Trojan:Win32/Casdet!rfn
Gridinsoft	Trojan.Heur!.00212031
Xcitium	Malware@#1jubevf7nilr2
Arcabit	Trojan.Generic.D3F08E02
ZoneAlarm	Trojan-PSW.Win32.Stealerc.gq
GData	Win32.Trojan-Stealer.StealC.4HT4ZZ
Cynet	Malicious (score: 99)
VBA32	BScope.Backdoor.Agent
ALYac	Trojan.GenericKD.66096642
MAX	malware (ai score=80)
Cylance	unsafe
TrendMicro-HouseCall	TROJ_GEN.R002H0CCP23
Rising	Trojan.Undefined!8.1327C (TFE:5:KlBGkNsNMRQ)
Fortinet	W32/PossibleThreat
AVG	Win32:Evo-gen [Trj]
Avast	Win32:Evo-gen [Trj]

RedHat.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All