Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 14, 2023, 9:31 a.m.	June 14, 2023, 9:39 a.m.

Size	141.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`e30b956aebb229faaab4457ef95ffb91`
SHA256	`9d5bf672e7bbf92805e5c3ef96099e96634b8fdfba90a29cd73cb2c8c3e1d4bd`
CRC32	`2AC81BD9`
ssdeep	`3072:2k4aHUBOO36YplMqBB3ZcPxlG+bBsDHqYzHKG0qIwj:2dx3wqz3ZcDeDKYzqG01wj`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library Network_Downloader - File Downloader Ave_Maria_Zero - Remote Access Trojan that is also called WARZONE RAT Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature Antivirus - Contains references to security software IsPE32 - (no description) Generic_Malware_Zero - Generic Malware

tr.exe "C:\Users\test22\AppData\Local\Temp\tr.exe"
2540
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
backup1212.ddns.net	A 103.179.142.136	103.179.142.136
testing1212.ddns.net	A 58.65.223.25	58.65.223.25

IP Address	Status	Action
103.179.142.136	Active	Moloch
164.124.101.2	Active	Moloch
58.65.223.25	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:53004 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
UDP 192.168.56.101:55146 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 14, 2023, 9:31 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

WM_DSP

Connects to a Dynamic DNS Domain (2 events)

domain	testing1212.ddns.net
domain	backup1212.ddns.net

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 14, 2023, 9:25 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000046e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0

Foreign language identified in PE resource (1 event)

name

WM_DSP

language

LANG_ENGLISH

filetype

PE32 executable (GUI) Intel 80386, for MS Windows

sublanguage

SUBLANG_ARABIC_QATAR

offset

0x00156070

size

0x00002c00

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Local\Temp\tr.exe:Zone.Identifier

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)

Bkav	W32.AIDetectMalware
MicroWorld-eScan	DeepScan:Generic.Malware.SFlg.194148F5
FireEye	Generic.mg.e30b956aebb229fa
McAfee	PWS-FDNF!E30B956AEBB2
Malwarebytes	Generic.Malware.AI.DDS
Zillya	Trojan.Agent.Win32.3406532
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 0054d10e1 )
K7GW	Trojan ( 0054d10e1 )
Cybereason	malicious.aebb22
Arcabit	DeepScan:Generic.Malware.SFlg.194148F5
VirIT	Trojan.Win32.Genus.QJS
Cyren	W32/Antiav.INDT-0919
Symantec	Infostealer
Elastic	Windows.Trojan.AveMaria
ESET-NOD32	a variant of Win32/Warzone.A
Cynet	Malicious (score: 100)
APEX	Malicious
ClamAV	Win.Downloader.Powershell-9856919-0
Kaspersky	Trojan.Win32.Agentb.jiad
BitDefender	DeepScan:Generic.Malware.SFlg.194148F5
NANO-Antivirus	Trojan.Win32.AntiAV.fljpfv
Avast	Win32:Malware-gen
Tencent	Malware.Win32.Gencirc.10bebf78
Emsisoft	DeepScan:Generic.Malware.SFlg.194148F5 (B)
F-Secure	Trojan.TR/Redcap.ghjpt
DrWeb	Trojan.Uacbypass.28
VIPRE	DeepScan:Generic.Malware.SFlg.194148F5
TrendMicro	TrojanSpy.Win32.MOCRT.SM
McAfee-GW-Edition	BehavesLike.Win32.Downloader.ch
Trapmine	malicious.high.ml.score
Sophos	Mal/EncPk-MP
Ikarus	Trojan.Win32.Warzone
Avira	TR/Redcap.ghjpt
Antiy-AVL	Trojan[APT]/Win32.Confucius
Microsoft	Trojan:Win32/Guildma.psyA!MTB
ZoneAlarm	Trojan.Win32.Agentb.jiad
GData	Win32.Trojan.PSE.38UUO1
Google	Detected
AhnLab-V3	Trojan/Win32.AveMaria.R263895
Acronis	suspicious
BitDefenderTheta	Gen:NN.ZexaF.36250.iyW@ayAdNKci
ALYac	DeepScan:Generic.Malware.SFlg.194148F5
MAX	malware (ai score=82)
VBA32	BScope.TrojanSpy.AveMaria
Cylance	unsafe
Panda	Trj/Genetic.gen
Zoner	Trojan.Win32.74962
TrendMicro-HouseCall	TrojanSpy.Win32.MOCRT.SM
Rising	Trojan.Guildma!8.115A7 (TFE:4:Y5Zf9EMgZjH)

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (7 events)

dead_host	192.168.56.101:49170
dead_host	192.168.56.101:49167
dead_host	103.179.142.136:5200
dead_host	58.65.223.25:5200
dead_host	192.168.56.101:49174
dead_host	192.168.56.101:49172
dead_host	192.168.56.101:49163

tr.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All