popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

jeffilesfe.exe

UPX Downloader Malicious Library PE32 PE File OS Processor Check MZP Format
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 June 20, 2023, 5:28 p.m. June 20, 2023, 5:32 p.m.
Size 1.4MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 3221fe4bb3e02d4a03166e83db5fafa2
SHA256 428b05b5e7b7afddd15ea63fde166cf2e30fede6afc3bc2cd40910ee198920e6
CRC32 6A0D042A
ssdeep 24576:AUiyKZ0BdB81j2s7vF2/nmCX6j1xHyT4Kbshp:/IIdi116msnbs
Yara
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check
  • mzp_file_format - MZP(Delphi) file format
  • Malicious_Library_Zero - Malicious_Library
  • Network_Downloader - File Downloader
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
drownways.com
A 149.100.151.190
149.100.151.190
IP Address Status Action
149.100.151.190 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49162 -> 149.100.151.190:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.101:49162 -> 149.100.151.190:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.101:49162 -> 149.100.151.190:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49163 -> 149.100.151.190:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.101:49163 -> 149.100.151.190:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.101:49163 -> 149.100.151.190:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 149.100.151.190:443 -> 192.168.56.101:49162 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 149.100.151.190:443 -> 192.168.56.101:49162 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 149.100.151.190:443 -> 192.168.56.101:49163 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 149.100.151.190:443 -> 192.168.56.101:49163 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.101:49164 -> 149.100.151.190:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.101:49164 -> 149.100.151.190:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 149.100.151.190:443 -> 192.168.56.101:49164 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 149.100.151.190:443 -> 192.168.56.101:49164 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

section CODE
section DATA
section BSS
packer BobSoft Mini Delphi -> BoB / BobSoft
resource name None
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01fa0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73662000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 266240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02310000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 266240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02360000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 212992
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02200000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 241664
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: pwpqpqpqpqpqqpqpqpqpqpqpqpqpqpqp
parameters:
filepath: pwpqpqpqpqpqqpqpqpqpqpqpqpqpqpqp
0 0
Bkav W32.AIDetectMalware
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.67623094
McAfee Artemis!3221FE4BB3E0
Sangfor Trojan.Win32.Agent.Vrdb
Cyren W32/ABRisk.LMLT-3671
Symantec ML.Attribute.HighConfidence
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky HEUR:Trojan-Banker.Win32.ChePro.gen
BitDefender Trojan.GenericKD.67623094
Avast Win32:CrypterX-gen [Trj]
Emsisoft Trojan.GenericKD.67623094 (B)
McAfee-GW-Edition BehavesLike.Win32.ObfuscatedPoly.th
Trapmine malicious.moderate.ml.score
FireEye Generic.mg.3221fe4bb3e02d4a
Sophos ML/PE-A
Ikarus Win32.Outbreak
Antiy-AVL Trojan[Banker]/Win32.ChePro
ZoneAlarm HEUR:Trojan-Banker.Win32.ChePro.gen
GData Win32.Trojan.Kryptik.UN2RK2
Google Detected
MAX malware (ai score=81)
Rising Trojan.Generic@AI.100 (RDML:OuaPURDFRt+A1cfUKvW4aA)
SentinelOne Static AI - Suspicious PE
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/PossibleThreat
AVG Win32:CrypterX-gen [Trj]
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_90% (W)