Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 18, 2023, 9:32 a.m.	May 18, 2023, 9:36 a.m.

Size	330.8KB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`c0ff2a9d710fc2f524d781dbf2d89e21`
SHA256	`bcc8671116930bf6f9819cbd6fcebf1a5612ed32bb417eaff633ed11ad301059`
CRC32	`1CE42B88`
ssdeep	`6144:ciSbJLNNhLuEF0uVcT4jKTOybaOPo0jkAf6V5Ap+6:cH1hLuEFZ+T4jI1baOPo0oD5A`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

Firefox.exe "C:\Users\test22\AppData\Local\Temp\Firefox.exe"
2004

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.47.40.36	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (27 events)

Time & API	Arguments	Status	Return
WriteConsoleA May 18, 2023, 9:32 a.m.	buffer: S console_handle: 0x00000007	1	1
WriteConsoleA May 18, 2023, 9:32 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA May 18, 2023, 9:32 a.m.	buffer: m console_handle: 0x00000007	1	1
WriteConsoleA May 18, 2023, 9:32 a.m.	buffer: H console_handle: 0x00000007	1	1
WriteConsoleA May 18, 2023, 9:32 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA May 18, 2023, 9:32 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA May 18, 2023, 9:32 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA May 18, 2023, 9:32 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA May 18, 2023, 9:32 a.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA May 18, 2023, 9:32 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA May 18, 2023, 9:32 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA May 18, 2023, 9:32 a.m.	buffer: m console_handle: 0x00000007	1	1
WriteConsoleA May 18, 2023, 9:32 a.m.	buffer: t console_handle: 0x00000007	1	1
WriteConsoleA May 18, 2023, 9:32 a.m.	buffer: h console_handle: 0x00000007	1	1
WriteConsoleA May 18, 2023, 9:32 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA May 18, 2023, 9:32 a.m.	buffer: D console_handle: 0x00000007	1	1
WriteConsoleA May 18, 2023, 9:32 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA May 18, 2023, 9:32 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA May 18, 2023, 9:32 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA May 18, 2023, 9:32 a.m.	buffer: v console_handle: 0x00000007	1	1
WriteConsoleA May 18, 2023, 9:32 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA May 18, 2023, 9:32 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA May 18, 2023, 9:32 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA May 18, 2023, 9:32 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA May 18, 2023, 9:32 a.m.	buffer: a console_handle: 0x00000007	1	1
WriteConsoleA May 18, 2023, 9:32 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA May 18, 2023, 9:32 a.m.	buffer: s console_handle: 0x00000007	1	1

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2004 stack_dep_bypass: 1 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0018f000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00025c00', u'virtual_address': u'0x0002b000', u'entropy': 7.158474392048604, u'name': u'.data', u'virtual_size': u'0x00027b08'}

entropy

7.15847439205

description

A section with a high entropy has been found

entropy

0.474842767296

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

185.47.40.36

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

Bkav	W32.AIDetectMalware
MicroWorld-eScan	Gen:Variant.Ser.Babar.4438
FireEye	Generic.mg.c0ff2a9d710fc2f5
ALYac	Gen:Variant.Ser.Babar.4438
Cylance	unsafe
Sangfor	Trojan.Win32.Agent.Vsnj
Alibaba	Trojan:Win32/Kryptik.8e3db7fd
Arcabit	Trojan.Ser.Babar.D1156
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Kryptik.HTLQ
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Variant.Ser.Babar.4438
Avast	FileRepMalware [Misc]
Emsisoft	Gen:Variant.Ser.Babar.4438 (B)
VIPRE	Gen:Variant.Ser.Babar.4438
McAfee-GW-Edition	Artemis!Trojan
Trapmine	malicious.high.ml.score
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.Crypt
Microsoft	Trojan:Win32/Woreflint.A!cl
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Gen:Variant.Ser.Babar.4438
McAfee	Artemis!C0FF2A9D710F
MAX	malware (ai score=80)
Panda	Trj/Chgt.AD
Rising	Trojan.Generic@AI.94 (RDML:cQk1Ont4jEFKFW8JDd7fNg)
AVG	FileRepMalware [Misc]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_90% (W)

Firefox.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All